On Linux v.4.0.6. fails to decrypt APFS partition that v.3.17.1 could decrypt - Sleuthkit 4.11.1 issue #1428
Comments
Probably. Could you run above failing command using verbose (-v) output? And could you also try the official sleuthkit-4.11.1 version instead of our fork to be sure the issue is not related to our patches? I would also kindly ask you to try previous sleuthkit versions (4.10, 4.9 and 4.8) to try to find when the issue was introduced. Maybe official sleuthkit never worked with your image... Official APFS support was added to sleuthkit-4.8. Because it took too long, we integrated BlackBag APFS implementation in our sleuthkit-4.6.5 fork before them, that seems to work with your image. The official sleuthkit APFS implementation changed many things, so maybe it never worked with your image, not sure... Testing with TSK 4.10, 4.9 & 4.8 would give us an answer about this. |
|
Anyway, although caused by a dependency, this is a regression in our project. |
|
I will try to test different versions of TSK starting from 4.8 and I'll report back. |
|
Thank you. Could you also try to process the image with 4.0.6 on Windows? |
|
Sure thing! |
|
4.0.6 on Windows10 was able to successfully decrypt the image, tested by launching from the .exe and from the .jar. The Sleuth Kit ver 4.11.1-iped-patch ./fsstat -v -i ewf -o 76806 -B 632365 -b 4096 -f apfs -k password macbook_fv2.E01 tsk_img_open: Type: 64 NumImg: 1 Img1: macbook_fv2.E01 The Sleuth Kit ver 4.6.5-iped-patch04 fsstat -v -i ewf -o 76806 -B 632365 -b 4096 -f apfs -k password macbook_fv2.E01 tsk_img_open: Type: 64 NumImg: 1 Img1: macbook_fv2.E01 FILE SYSTEM INFORMATION |
|
Thank you for the tests.
Have you installed openssl (libssl-dev)? Edit: maybe in TSK building output messages there is some useful info about this. |
apt policy libssl-dev I'll test different versions of TSK and that will give a better idea where the problem is at |
|
Thanks. Could you post all output messages printed while building TSK? PS: We are on a holiday, after I return on Wednesday, I'll try to process an APFS image on Linux. |
|
Happy holiday! I suppose it is hard to stay away from work when you are developing state of the art digital forensics software :P I tested TSK 4.11.1 Windows and Linux versions and the result was the same, they failed to open the image, output also was the same. For the Linux version I used a clean VM. On that Linux VM I also installed TSK 4.11.1-iped_patch and the result was the same. Most likely this is an issue with the Sleuthkit or Sleuthkit not liking that particular image. I have attached logs from configure, make and make install: https://pastebin.com/wDKs4Ydg I also tested the Windows versions of TSK 4.8, 4.9, 4.10 and 4.11.0, none of them were able to open that particular image. I was surprised that IPED 4.0.6 running on Windows was able to decrypt it though. |
|
Thanks for the logs and for all tests. I searched for "ssl" but couldn't find any occurrence. I think the issue could be related to a linking problem to openssl or maybe some #ifdef missing in TSK code or something similar.
Sorry, I forgot to say one feature of our TSK fork is that it supports decrypting APFS volumes with non empty passwords. Official TSK just supports the empty string password. |
lfcnassif
changed the title
|
Hi @reacan, @arisjr is kindly investigating this. He proposed a fix here: sepinf-inc/sleuthkit#1 Could you test if it fixes the issue with your image? |
|
Hello! I can confirm that @arisjr proposed solution works with my image. Thank you! Also I noticed that when launching processing, the "-p" argument has to be called last. At first I had it in between "-d" and "-o" and it did not decrypt the partition. |
|
Thank you for testing! The feature was disabled intentionally by TSK because they weren't able to make automatic tests to work properly, but the feature works, I think that was a very conservative decision... I will take a look at the -p position issue. |
Just tested, worked for me on both positions. One detail, not sure if it was your case, if you pass multiple evidences (multiple -d), you have to put the So, as the fix for the original issue reported was merged in our TSK fork, I'm closing this. Thanks @reacan for reporting and thanks @arisjr for the fix. |
lfcnassif
changed the title
lfcnassif
changed the title
Hello!
I tried to process an image of an encrypted macbook using both v.4.0.3 and v.4.0.6 and both failed to decrypt an APFS partition encrypted with File Vault 2.
It appears to be a Sleuthkit related problem because the old version (4.6.5) can decrypt the partition. I tried reinstalling 4.11.1 by cloning the repo as per the instruction (git clone -b release-4.11.1_iped_patch https://github.com/sepinf-inc/sleuthkit), the installation process completed with no errors, but it still fails to decrypt my image.
Am I missing something or is there an issue with the new version of Sleuthkit? Please let me know if you require some additional information.
fsstat -V
The Sleuth Kit ver 4.11.1-iped-patch
fsstat -i ewf -o 76806 -B 632365 -b 4096 -f apfs -k password macbook_fv2.E01
General file system error (tsk_apfs_open: APFSBtreeNode: invalid object type)
./fsstat -V
The Sleuth Kit ver 4.6.5-iped-patch04
./fsstat -i ewf -o 76806 -B 632365 -b 4096 -f apfs -k password macbook_fv2.E01
FILE SYSTEM INFORMATION
File System Type: APFS
Volume UUID 89e4887f-4cec-3387-9eba-a10a550e5428
APSB Block Number: 632365
APSB oid: 1027
APSB xid: 1715045
Name (Role): Macintosh HD (No specific role)
Capacity Consumed: 45950013440 B
Capacity Reserved: None
Capacity Quota: None
Case Sensitive: No
Encrypted: Yes
Formatted by: hfs_convert (748.67.14)
Created: 2017-06-02 03:25:11.000000000 (EEST)
Changed: 2020-01-31 03:35:16.860098308 (EET)
Encryption Info
Password: password
Password Hint:
KEK (f9e9f823-18b9-471f-9aed-5cb378b66481):
F9 91 48 0C 5D 0B CD A0
EC 47 E3 7F 58 A8 77 DA
DB FB 2D 81 54 19 23 0A
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
Wrapped VEK: FB 10 C0 53 56 78 60 03
F8 C9 A7 A3 38 C0 F6 42
D4 EA 80 2E B0 81 6F 50
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
VEK (AES-XTS-128): 08 2E D5 15 89 75 CF D8 76 47 E4 A0 9B 20 C4 95
C1 D0 68 67 D9 27 F3 03 77 70 1A 17 E7 DB 23 0C
Unmount Logs
Timestamp Log String
The text was updated successfully, but these errors were encountered: