HFS Encryption encryptedboot.plist.wipekey missing

datahaze

Member
I have a case in the shop of a damaged drive which has Apples HFS+ encryption built-in. Unfortunately, the encryptedboot.plist.wipekey is missing from the recovery partition, but we do have the password. From what I understand, this wipekey is needed as it contains information needed to assemble the key. Does anybody know a way to generate this file based on other information on the drive (such as the partition header), or a way to carve for this particular file? I assume this file has a standard structure and it's just a matter of stepping through with hex editor. Anybody have an example file I can use?

Thanks in advance for any help y'all can offer :).

Edit: Turns out this is a fusion drive and we were only given one of the two drives, makes sense why we weren't able to find that file and why we were having issues. Other drive is inbound now, should fix the problem.
 

datahaze

Member
Unfortunately no, it appears whatever sectors in the catalog listed the location of this plist file are unreadable.
 

Jared

Administrator
Staff member
I might be possible to scan for the lost file if there's any sort of unique signature in the file's data. Perhaps it'd be worth checking out a good file of that type.
 

datahaze

Member
Jared":1vlzskot said:
I might be possible to scan for the lost file if there's any sort of unique signature in the file's data. Perhaps it'd be worth checking out a good file of that type.

That's what I'm hoping, though I'm hoping somebody here has an example or knows the signature and I don't have to go out and buy a mac to make it
 
Top