In this article, we will demonstrate using Data Extractor to locate the encryption key on a Macintosh system encrypted with FileVault. We will also share some tips and techniques for using Data Extractor with maximum effectiveness.
We started by exploring the ‘(Mac OS X) Boot Recovery HD’ disk, and after a while we noticed that it held the encryption key for the FileVault partition.
This key is applied when we enter the password for the FileVault partition. The file is called ‘EncryptedRoot.plist.wipekey’ and is located in the ‘com.apple.corestorage’ folder.
We extracted this file and saved it in a special place on the local disk.
In some cases, this file may be located in another place or may have been removed.
Our goal is to upload this file when we enter the password for the encrypted partition, so although we don’t know where this file is written, we know its exact name and can find it in another place.
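Outside Data Extractor, the same search by exact name can be run over a read-only mount or an exported copy of the recovery volume. The script below is an added example, not part of the original article or of Data Extractor; the root path and the record layout are assumptions, and it only finds files that still exist in the tree.

```python
import hashlib
import os

WIPEKEY_NAME = "EncryptedRoot.plist.wipekey"   # file name given in the article
EXPECTED_DIR = "com.apple.corestorage"         # folder name given in the article


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so the saved copy can be verified later."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_wipekeys(root):
    """Return one record per regular file named WIPEKEY_NAME under root.

    Assumption of this example: root is a read-only mount or an exported
    copy of the recovery volume's file tree.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Exact name match; skip broken links and special files.
            if name != WIPEKEY_NAME or not os.path.isfile(full):
                continue
            hits.append({
                "path": full,
                "expected_location": os.path.basename(dirpath) == EXPECTED_DIR,
                "size": os.path.getsize(full),
                "sha256": sha256_of(full),
            })
    # Files in the usual folder first, then relocated copies in path order.
    hits.sort(key=lambda h: (not h["expected_location"], h["path"]))
    return hits


if __name__ == "__main__":
    import sys
    for hit in find_wipekeys(sys.argv[1] if len(sys.argv) > 1 else "."):
        where = "expected" if hit["expected_location"] else "moved"
        print(f'{hit["sha256"]}  {hit["size"]:>6}  {where:8}  {hit["path"]}')
```

A copy reported as "moved" is a file with the right name outside the ‘com.apple.corestorage’ folder; the recorded hash lets you confirm that the file saved to the local disk is the one that was found.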
When the file has been deleted or the partition has been formatted, we use the ‘Scan Catalog file’ option or ‘Partition analysis’, respectively.
We created a map of the encrypted partition.
There is an important parameter when you create a map for an encrypted partition: Data Extractor asks you whether to create a submap of the drive. It looks like this:
The point is that the FileVault decryption procedure is sensitive to sector location. When we create a submap of the drive, the sectors are shifted, so Data Extractor can’t find the supporting sectors and can’t decrypt the partition. So, our selection is ‘NO’.
We applied the map as an encrypted disk and entered the password.
That generated the following report:
Finally, we got the file structure:
And we could open files:
Please keep these features in mind when you can’t decrypt a FileVault partition using Data Extractor. It might not be a common issue, but we hope this helps you in some cases.
Happy data recovering!