crowbarPGP – Version 1.0.1

I have finally released my crowbarPGP Cocoa application.  Included in the Install DMG you can download below is a folder called Extras.  I put several OSX Automators in it that I have found useful or mentioned in other blog posts.  You can edit them in Automator to see how they work.

I also added a new preference that lets you choose not to growl notify the found password while still getting a notification.  Soon I will add that to the other crowbar apps.  I also finally fixed the code to automatically ignore the carriage return character that comes from dictionary files originating on the Windows OS.  This too I will shortly add to the other crowbar apps and release through the auto updates mechanism.

crowbarPGP is a dictionary attack tool for cracking PGP ( Whole Disk Encryption and PGD virtual PGP Disk files.  It requires 10.5 or 10.6 OSX.  One key thing. I included the PGD attack feature.  However I found a memory leak in the pgpdisk command last year.  I informed PGP of it and provided them the backup material.  Unfortunately my contact is no longer with PGP and the memory leak is still there in the recent v10.0 PGP for Mac OSX.  So I strongly suggest you do not use that feature until they patch it.  When they do I will post a blog update and likely do a small version increment to the program through the automatic updates feature.

Thanks again to Paul Figgiani for his patience in making GUI layout and improvement suggestions.

Thanks as well to the following code and frameworks:

crowbarPGP - Download

Tutorial – Quartz Composer and Image Units in Xcode

I gave myself a crash course this weekend.  I mainly wanted to be able to make plugins for fun in Pixelmator.  But turns out you can use things in iChat and Photobooth live.  It was a bit of a fun uphill battle to actually figure out a repeatable process.  So I wrote one.  You can download my Image Units Tutorial in PDF.

I cover Prototyping in Quartz Composer, moving it to an Image Unit and compile it in Xcode.  I toss in how to add a user input and even found a blog post on the Internet on how to ensure your IU puts out an image with defined dimensions.



Cracking Filevault – vfcrack compiling on OSX

This morning I woke up a bit early in the mood to see if I could improve crowbarDMG.  I had always intended to look at the OpenCiphers project code as a replacement to my own internal password test code.  Their vfcrack code is MUCH faster than my current code.  It would just be nice to have the gui and the progress saving ability of my crowbarDMG application.

I downloaded the vfcrack and went to compile it.  Of course it had to be a pain. I would run make and get the following error.

ld: symbol(s) not found
collect2: ld returned 1 exit status
make: *** [vfcrack] Error 1

After poking around I found a fix.  Just edit the Makefile and add -lcrypto after -lssl on the LDFLAGS line.  Then just run make again.

Now the program successfully compiles.  The next hurdle is I can’t seem to get it to actually succeed in cracking a DMG test file.  So it isn’t worth changing my program till I see this code actually crack something.  I should also add I am on 10.5.7 in case that has an effect on their code.  I am testing their provided dict against their provided dmg file using my crowbarDMG as a sanity check.


Found that my crowbar app was looking like it was testing the passwords properly from their dictionary file.  Turns out their file was in windows format with end of line CR+LF.  I was just stripping off the LF.  So now I have fixed my code and should publish updates to the auto update feeds soon for both crowbarDMG and crowbarKC.

I still can’t get a successful crack from their routine.


Mac Logs – Quick Check

This isn’t something major.  But it was part of my initial playing around for checking if the clock had been rolled back.  I made this automator to see if there were any signs in system.log files of backwards date jumps.  Granted this is a real simple check.  It only looks for where the day number changes from the previous line.  Effectively showing if entries start showing up in the log files out of sequence.  I did not get into the much more troublesome checks for the month name or timestamp.  I just went after the day number.

You may need to run the archived logs from /var/log through bunzip first.  Then just examine each one in turn.  You can see the automator if you click more.  But the main snippet of code is a run script action.  It is just an awk statement.

awk ‘
$2 != prev
{diff=int(prev)-int($2); prev=$2}

Continue reading “Mac Logs – Quick Check”


Mac Forensics – Did he roll the clock back?

A week ago I was contacted by a gentleman on a mac forensics issue.   Here is the scenario.  His son is a college student in a liberal arts degree.  The student is not particularly tech savy.  He had an A average in class participation and a B average for work to date in the class.  The student had a paper to turn in, wrote it, attached it and emailed it to his professor.  The grade that came back was an F for an incomplete paper.  He had accidently attached a previous version to the email for turn in.  Upon telling the instructor the accusation was made that he rolled back the clock on his laptop to make the finished paper.  The father wants to prove his son did not roll back the clock.  The school is supposedly open to review of the grade if proof can be presented.

Here is what I put together for the father.  It is a pair of automator actions.  Read on to see what I did.

Continue reading “Mac Forensics – Did he roll the clock back?”


crowbarKC-Version 1.0

I decided to make a quick version of crowbarDMG that works on OSX Keychain files.  So here you go.  Right now in v1.0 it only works exactly as crowbarDMG does and finds the main unlock password.  It is a good deal faster testing keychain files than disc images.   Like crowbarDMG it is Leopard only.  I am looking out a way to dump the contents of a keychain once it unlocks.  If I can come up with a good solution I will release an update via the auto update mechanism.

Thanks to the following code and frameworks: 


crowbarDMG – Version 1.0

Well here we are.  Finally, my very first full Cocoa program. One that does not come from a book.

crowbarDMG is a dictionary attack tool for DMG and Spareimage files for Macs.  It does require 10.5 Leopard.  It really wasn’t worth the trouble to redo things to work on Tiger.  It is completely free, so enjoy.  Be sure to read the included PDF readme file.  I address an issue if you use strings to pull out a dictionary from a disc image.  Some control characters need to be scrubbed else it will crash crowbarDMG.  Give it a shot if you need to recover a password for a dmg or filevault file.

*UPDATE* – Please make sure to run Check for Updates to obtain the latest build.  I have released v1.0.1 that implements garbage collection to help prevent memory leaks for long duration projects.

Thanks to Paul Figgiani for his patience in making GUI layout and improvement suggestions.

Thanks to Big Nerd Ranch for the fun bootcamp last October.  I would have never had the time to get up to speed on Xcode and ObjectiveC purely on my own.

Thanks as well to the following code and frameworks:

crowbarDMG – Download

Xcode – NSTextField populate Tool Tip

I was doing some experimentation this week. Someone recommended a feature in my soon to be released disc image dictionary attack tool.  

I display the file path in an NSTextField.  And it is possible that path could end up longer than the field displays.   So they recommended I populate the Tool Tip popup with the contents of the text field.

I found that took two things in my case.

First I had to make the Tool Tip populate when a user selected the file from the open dialog box. That is easy enough.  We just call setToolTip method for the TextField. 

[projectPathField setToolTip:[self filePath]];

Now the tricky part.  That sets the tool tip when I first get the filePath.  But now if the field is editable you want the tool tip to keep up with the contents of the field.  I added the following method with one line of code to my AppController class.  Then I just made sure to set my AppController object as Delegate of the NSTextField in Interface Builder.  Now the tool tip stays in sync as someone types in the text field.


– (void)controlTextDidChange:(NSNotification *)aNotification


[[aNotification object] setToolTip:[[aNotification object] stringValue]];