Year of Python (YOP) – Week 11


Hello reader!

This week I’m changing gears a bit.  This week I’ve been playing around with kicking off other programs using Python.  So I did some reading about the subprocess module.

On a few occasions I’ve had to work with drive images from OS X systems.  And a lot of them have been encrypted with File Vault (which is a good practice).  However most forensic tools can not decrypt FV images, which means we need to find an alternate method of getting the image to a “readable” state.  Enter libfvde….

libfvde ( is a set of “library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes,” created by Joachim Metz.  The library currently doesn’t have python bindings, but it is on Joachim’s TODO list.

The critical component with using libfvde is having the File Vault Recovery Key from the system.  Unfortunately you only have the opportunity to record the Recovery Key when you kick off the encryption process.  The key is not recorded anywhere on the system.  The key is six sets of four alphanumeric characters (ex: 35AJ-AC98-TI1H-N4M3-HDUQ-UQFG).

So what happens if you don’t have the recovery key?

That’s what this weeks script is designed to do, brute force the Recovery Key to get the encrypted image mounted with fvdemount (the program that actually mounts the image on to the system).

Now the key to this program is the following code:

def fvde_key():
    chars = string.letters.upper() + string.digits
    pwdSize = 4
    key_attempt = ''.join((random.choice(chars)) for x in range(pwdSize))
    return key_attempt

This is the part of the code that generates the random 4 character string to use in the larger recovery key code.

Then, we need to assemble the entire recovery key from this function, which is done with this line of code:

decryption_key = "-".join([fvde_key(),fvde_key(),fvde_key(),fvde_key(),fvde_key(),fvde_key()])

The rest of the code goes through a loop which generates a decryption key, and then plugs in into a command line program to try and mount the file vault image.  If it is successful, it mounts the image and prints out what the correct recovery key was.  If it fails, it simply tries a new code.

Mind you this code is not optimized for any type of speed or performance….

Until next week!


No Responses Yet to “Year of Python (YOP) – Week 11”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: