Extract hash from raw disk image

Question

Extract hash from raw disk image

Closed this issue 6 years ago · 5 comments

I'm doing a forensic exame on a disk. I have a raw image:

root@myserver:/# fdisk -l /media/root/HD/1A.raw.001
Disk /media/root/HD/1A.raw.001: 233.8 GiB, 251000193024 bytes, 490234752 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt

Device                                  Start       End   Sectors   Size Type
/media/root/HD/1A.raw.001p1        40    409639    409600   200M EFI System
/media/root/HD/1A.raw.001p2    409640 488965175 488555536   233G Apple Core storage
/media/root/HD/1A.raw.001p3 488965176 490234711   1269536 619.9M Apple boot

How to extracts the hashes from disk? What is the right offset?
I tried with:

root@myserver:/# fvdeinfo -v -o 488965176 /media/root/HD/1A.raw.001
fvdeinfo 20180505

Unable to open: /media/root/HD/1A.raw.001.
libcthreads_read_write_lock_grab_for_write: unable to lock read/write lock for write with error: Deadlock condition detected.
libfvde_volume_open_read: unable to grab read/write lock for writing.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Any help would be appreciated

Answer 1 · 2018-08-12T08:16:56.000Z

How to extracts the hashes from disk?

Unclear to me what you mean with this.

fvdeinfo 20180505

Try using the last pre-release 20180108 instead. The error you provided looks like there might be an issue with acquiring a thread lock in the under development (20180505) version

Answer 2 · 2018-08-12T08:50:21.000Z

Ok thanks. I will try.
Anyway i'm trying to extract hash of key of encrypted disk: https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/README.FileVault2

Answer 3 · 2018-08-12T12:48:04.000Z

root@myserver:~/libfvde-20180108# fvdeinfo -v /media/root/HD/1A.raw.001
fvdeinfo 20180108

Unable to open: /media/root/HD/1A.raw.001.
libcthreads_read_write_lock_grab_for_write: unable to lock read/write lock for write with error: Argument list too long
libfvde_volume_open_read: unable to grab read/write lock for writing.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Answer 4 · 2018-08-12T13:31:08.000Z

Could you attach your config.log and last part of the output of configure

Answer 5 · 2018-08-22T08:39:44.000Z

Fixed with binary on ubuntu. Thanks