Making a dictionary file.

I realize it has been a while since I posted on the full blog. I do minor things via Twitter. Toss in the holidays, then lots of stuff to start the year = lazy on the blog.

I have been writing my first real program on OS X in Cocoa: a disk image (DMG) dictionary attack tool. It is coming along nicely, and once done I will throw it out to the public, intended as a free tool for Mac-based forensics examiners. I have posted on here before about a shell script to do this. Making the program native in Cocoa means a lot more options etc. Not to mention fun for me to learn.

FileVault is nothing but an encrypted sparseimage disk image file. So in my testing I wanted to see if my tool could crack my own FileVault. To do this I needed a reasonably targeted dictionary file. So in a pinch, here is a fun way to make a simple attack dictionary.

  1. Open Terminal
  2. df
    This command shows disk usage and which disks are mounted. Let's say this iPod is actually my other laptop connected via FireWire target disk mode. Notice below the root drive is shown and it is disk0s2.

    /dev/disk2s3    117013560  93569848  23443712    80% /Volumes/iPod

  3. dd if=/dev/rdisk2 | strings > myDictionary.txt
  4. Wait a good long time if the drive is large. You are streaming the drive-level blocks through the strings command to extract all readable ASCII strings into a nice text file.

So I used that file for going after the FileVault sparseimage file from my old laptop using my dictionary attack tool. I got lucky: my password was in the strings, but not by itself. It was embedded in some other text. I had to find it with grep against myDictionary.txt. It was cached way back in time in the unencrypted space on my hard drive by some third-party tool. So without some extra work it would not have actually cracked my FileVault. But it sure came close. And from a 40GB old PowerBook drive it would have only taken 3 days to run the full myDictionary.txt file against my FileVault.
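
The grep check described above, written out as an added example (not part of the original post or the author's tool): it reports whether a password you already know sits in the extracted strings on a line by itself or only embedded in other text, and on which lines. The function names, output format and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a strings dump for a secret you already know.

# audit_secret DUMP
#   Reads the secret from stdin so it never lands in argv or shell history,
#   then prints: exact=<n> embedded=<n> lines=<comma-separated line numbers>
audit_secret() {
    dump=$1
    [ -r "$dump" ] || { echo "cannot read $dump" >&2; return 2; }
    IFS= read -r secret || true
    [ -n "$secret" ] || { echo "no secret on stdin" >&2; return 2; }

    # -F: literal match (no regex surprises); -x: the whole line is the secret.
    # The pattern is fed through -f /dev/stdin, not the command line.
    exact=$(printf '%s\n' "$secret" | grep -F -x -c -f /dev/stdin "$dump" || true)
    total=$(printf '%s\n' "$secret" | grep -F -c -f /dev/stdin "$dump" || true)
    # Line numbers only: the matching text is deliberately not echoed.
    lines=$(printf '%s\n' "$secret" | grep -F -n -f /dev/stdin "$dump" \
            | cut -d: -f1 | paste -s -d, -)
    echo "exact=$exact embedded=$((total - exact)) lines=$lines"
}

# Constructed sample standing in for a few lines of myDictionary.txt.
make_sample() {
    cat > "$1" <<'EOF'
com.example.helper.plist
user=alice&pass=Tr0ub4dor-demo&remember=1
/Library/Caches/placeholder
cached: Tr0ub4dor-demo (third party tool)
EOF
}

sample=$(mktemp)
make_sample "$sample"
printf '%s\n' 'Tr0ub4dor-demo' | audit_secret "$sample"
rm -f "$sample"
```

A result with exact=0 and a non-zero embedded count is the situation in the post: the password is on the unencrypted disk, but never as a line of its own.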