In OS X everyone should be concerned with File Vault passwords. Cracking File Vault isn’t that difficult.
1. There is an end-around that investigators should try first.
a. In the /private/var/vm folder sit the sleepimage and the swap files. The sleepimage is a system image similar to the Windows hiberfil. The difference is that a wealth of information can be gleaned from the sleepimage. Since the subject is File Vault, we will limit the discussion to it. Passwords for File Vault can (and I emphasize can, not always) be found in the sleepimage. Since nearly everything in it is plain text, a simple search can locate not only File Vault passwords but a multitude of other passwords.
b. So how do we find them? There are two ways. From the command line, build a grep expression that looks for the text following “longname”. This locates the user name and password records in the sleepimage. Look at all the hits; the hits with the passwords will have the user name followed by “password” and the actual password in plain text. For example,
strings -8 /var/vm/sleepimage | grep -A 4 -i longname
c. For Windows examiners, EnCase can be used to locate them as well. From the tree pane, navigate to and locate the sleepimage. Blue-check the sleepimage and create a keyword for “longname”. Run the keyword search, limited to the single blue-checked sleepimage. Look at all the hits; the hits with the passwords will have the user name followed by “password” and the actual password in plain text.
2. If the passwords can’t be located, then you’re going to have to use tools that can crack File Vault. There are a couple of tools that can assist in this. One requires that you be LE; if you email me, I can get it to you free. George Starcher has also created crowbarDMG.
3. If passwords are not located in either the swapfile or the sleepimage, there are two other methods to crack File Vault.
- Crack the user’s login password, located at /private/var/db/shadow/hash
- Crack the keychains themselves. (The keychains are unencrypted except for the passwords themselves; many items of interest can be located just by using strings.)
- Attack File Vault itself.
One possible command-line fix, which I haven’t verified in use with OS X v10.5.8:
sudo pmset -a hibernatemode NUMBER
0 – no sleepimage is used, and RAM contents are kept alive.
1 – only sleepimage is used, and RAM contents are purged.
3 – RAM is kept alive and a sleepimage is used when power reaches critical levels.
5 – only sleepimage is used, but with secure virtual memory enabled.
7 – both live RAM and sleepimage are used, but with secure virtual memory enabled.
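The mode table above can be turned into a quick audit. The following is an added example, not part of the original post: it parses text in the shape of `pmset -g` output (the sample below is constructed, not captured from a real machine) and decodes hibernatemode the way the table implies, treating bit 0 (value 1) as “a sleepimage is written to /private/var/vm” and bit 2 (value 4) as “secure virtual memory encrypts it”; that bit reading is an assumption derived from the listed values 1, 3, 5 and 7, and the function names are mine.

```python
"""Audit an OS X hibernatemode value for an unencrypted sleepimage.

Added example, not from the original post. Decoding assumptions:
  bit 0 (0x1): a sleepimage is written on sleep
  bit 2 (0x4): secure virtual memory is on, so the image is encrypted
These follow the post's table (modes 0, 1, 3, 5, 7).
"""
import re

SLEEPIMAGE_WRITTEN = 0x1   # assumption: bit 0 of hibernatemode
SECURE_VM = 0x4            # assumption: bit 2 of hibernatemode

# Constructed sample in the shape of `pmset -g` output; not a real capture.
SAMPLE_PMSET_OUTPUT = """Active Profiles:
Battery Power\t\t-1
AC Power\t\t-1*
Currently in use:
 hibernatemode        3
 sleep                10
 displaysleep         5
 disksleep            10
"""


def parse_hibernatemode(pmset_output):
    """Return the integer hibernatemode found in pmset-style text, or None."""
    m = re.search(r"^\s*hibernatemode\s+(\d+)\s*$", pmset_output, re.MULTILINE)
    return int(m.group(1)) if m else None


def assess_hibernatemode(mode):
    """Classify a hibernatemode value.

    risk is 'plaintext-sleepimage' when an image is written without secure
    VM, 'none' when no image is written or it is encrypted, 'unknown' when
    the mode could not be read.
    """
    if mode is None:
        return {"sleepimage_written": None, "encrypted": None, "risk": "unknown"}
    written = bool(mode & SLEEPIMAGE_WRITTEN)
    encrypted = bool(mode & SECURE_VM)
    risk = "plaintext-sleepimage" if (written and not encrypted) else "none"
    return {"sleepimage_written": written, "encrypted": encrypted, "risk": risk}


def recommended_mode(mode):
    """Return the same mode with secure VM set (1 -> 5, 3 -> 7, others unchanged)."""
    if mode is None:
        return None
    if mode & SLEEPIMAGE_WRITTEN and not mode & SECURE_VM:
        return mode | SECURE_VM
    return mode


def audit(pmset_output):
    """Parse, assess, and suggest the pmset command from the post if needed."""
    mode = parse_hibernatemode(pmset_output)
    finding = assess_hibernatemode(mode)
    finding["mode"] = mode
    target = recommended_mode(mode)
    finding["fix"] = (
        "sudo pmset -a hibernatemode %d" % target
        if finding["risk"] == "plaintext-sleepimage" else None
    )
    return finding


if __name__ == "__main__":
    result = audit(SAMPLE_PMSET_OUTPUT)
    print("hibernatemode=%s risk=%s fix=%s" % (result["mode"], result["risk"], result["fix"]))
```

Run it against the real output of `pmset -g` by piping that text into `audit()`. Note that changing the mode only affects images written from then on; a sleepimage already sitting in /private/var/vm from an earlier mode stays on disk until it is overwritten or removed, so an audit of the setting is not the same as confirming the file no longer holds plain text.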
Apple can fix this and improve the security of OS X.
Credit goes to Johnny Long, who originally identified this vulnerability 4 years ago.
And to my mentor Thane Erickson, Thanks for your leadership and guidance.