Decrypting FileVault disk

Top  Previous  Next

EPB allows you to decrypt the OS X disk image or its system partition encrypted by FileVault.

 

The following formats of disk images are supported:

.dd

.dmg

EnCase.E01

 

The decrypted disk is saved on the computer in the raw (.dd) format and can then be viewed using the corresponding third party tools.

 

To decrypt the FileVault disk, do the following:

 

1. On the Apple tab in the Tools menu, click Decrypt FileVault disk.

Apple-Tools

2. Specify the path to the disk image and the path to the location in which the decrypted image must be saved.

3. Click Process. The program will check whether there is enough free space to store the decrypted image.

4. If the disk image contains two or more partitions, select the partition to be decrypted in the Encrypted partition drop-down list.
   By default, the first partition in the list is displayed.

Partition choice

5. Click Process for the second time.

6. When the Apple ID is displayed, enter the password for it and then click Decrypt.

  NOTE: Token authentication is not supported in the current version of the program.

NOTE: If the Apple ID is protected with two-factor authentication, you need to confirm sending the verification code to all of your trusted devices or to your phone.

Decrypt_credentials_disk

You can select the Save credentials for future use option when logging in so that you don't need to enter them when you log in with this Apple ID again.

7. If the Apple ID is protected with two-step verification, verify your account by selecting one of the following authentication types:

Secure Code: in the Trusted device field, select a phone number or a trusted device to which the code will be sent, click Get code, and then enter the received 4-digit code in the Secure code field.

Recovery Key: enter a 14-character key generated defined in the Apple account settings.

8. Click Verify.

decrypt file vault 2

9. If the Apple ID is protected with two-factor authentication, perform authentication in one of the following ways:

Select Trusted Device and enter the 6-digit code in the Verification code field. Click Resend code for the verification code to be sent to all trusted devices.

Select Text message and enter the 6-digit code in the Verification code field. Click Send code for the verification code to be sent as a text message to the selected trusted phone number. Click Resend code for it to be sent again.

NOTE: iCloud for Windows 4.0 and higher must be installed for sending text messages.

NOTE: OS X 10.11 and higher is required for sending text messages.

Select Code generator and enter the 6-digit code in the Verification code field. The code is generated on the trusted device or via Cloud Panel.

2fa_decrypt

10. Click Verify.

11. EPB retrieves the decryption key.

12. As soon as the key is retrieved, the disk decryption begins.

decrypting file vault

 

13. When the disk is decrypted, click the orange eye icon to open the folder to which the decrypted disk was saved.

disk decrypted

 

14. The name of the decrypted disk is <original_disk_name>_decr.dd.

 

 


 Get more information about Elcomsoft Phone Breaker
 Get full version of Elcomsoft Phone Breaker (Windows)
 Get full version of Elcomsoft Phone Breaker (Mac)

 © 2017 ElcomSoft Co.Ltd.