Saturday, January 9, 2021

  ps -eo pid,ppid,user,command


Use ps without the CPU-time column so that the output of two runs can be diffed. With only pid, ppid, user and command in the output, the lines that differ between runs are exactly the processes that started or stopped in between.
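As an added example (not part of the original post), here is the diff in script form: snapshot_ps takes the same column set as above, and comm(1) on two sorted snapshots separates processes that started from processes that stopped. The two sample snapshots are constructed for the demo, not real ps output; the added process in the "after" snapshot runs out of /tmp, which is the kind of newcomer a defender would want to look at first.

```sh
#!/bin/sh
# Added example: diff two ps snapshots to find processes that started or stopped.
# Column choice follows the post: pid,ppid,user,command and nothing that changes
# from run to run (no %cpu, no elapsed time), so identical processes produce
# identical lines.

# Snapshot the live process table, header dropped, sorted so comm(1) can compare it.
snapshot_ps() {
    ps -eo pid,ppid,user,command | tail -n +2 | sort
}

# Lines only in the second snapshot: processes that started since the first.
started_since() {
    comm -13 "$1" "$2"
}

# Lines only in the first snapshot: processes that stopped since the first.
stopped_since() {
    comm -23 "$1" "$2"
}

# Constructed sample snapshots (not real ps output): one shell exits, one new
# process appears. $1 = "before" file, $2 = "after" file.
write_sample_snapshots() {
    printf '%s\n' \
        '    1     0 root             /sbin/launchd' \
        '  300     1 alice            /usr/bin/ssh-agent' \
        '  410     1 alice            /bin/sh' | sort > "$1"
    printf '%s\n' \
        '    1     0 root             /sbin/launchd' \
        '  300     1 alice            /usr/bin/ssh-agent' \
        '  522     1 alice            /usr/bin/python3 /tmp/sync.py' | sort > "$2"
}

# Stand-alone demo on the constructed snapshots. On a live system, replace
# write_sample_snapshots with two snapshot_ps runs taken some time apart:
#   snapshot_ps > before; sleep 600; snapshot_ps > after
ps_diff_demo() {
    before=$(mktemp) || return 1
    after=$(mktemp) || return 1
    write_sample_snapshots "$before" "$after"
    echo "started:"; started_since "$before" "$after"
    echo "stopped:"; stopped_since "$before" "$after"
    rm -f "$before" "$after"
}

ps_diff_demo
```

PIDs are reused over time, so a long gap between snapshots can pair an exited process with an unrelated new one that happens to share its PID and command; the diff is a cheap first pass, not a replacement for process auditing.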

Sunday, January 3, 2021

To run dd or ddrescue on an encrypted APFS drive, remember that an APFS volume first has to be unlocked and then decrypted.  Unlocking a volume automatically mounts it; once it is mounted, you still need to decrypt it before the raw device contains plaintext.


Boot the Mac from an external drive (use an SSD for speed).  I used a SABRENT USB3 enclosure.

Once booted into the external macOS instance, identify the internal drive that needs to be decrypted with the following command:

diskutil apfs list

Container disk1 45DA114F-7418-41B9-ACF0-F965CC48E8B4
|   ====================================================
|   APFS Container Reference:     disk1
|   Size (Capacity Ceiling):      500068036608 B (500.1 GB)
|   Capacity In Use By Volumes:   249342025728 B (249.3 GB) (49.9% used)
|   Capacity Not Allocated:       250726010880 B (250.7 GB) (50.1% free)
|   |
|   +-< Physical Store disk0s2 76998992-D9B0-4CAF-AF06-8E44EBF91F5B
|   |   -----------------------------------------------------------
|   |   APFS Physical Store Disk:   disk0s2
|   |   Size:                       500068036608 B (500.1 GB)
|   |
|   +-> Volume disk1s1 035E01AA-7321-3A41-9479-22DF47E45B7E
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s1 (No specific role)
|   |   Name:                      APPLE SSD SM512E Media (Case-insensitive)
|   |   Mount Point:               /Volumes/APPLE SSD SM512E Media
|   |   Capacity Consumed:         247547052032 B (247.5 GB)
|   |   FileVault:                 Yes (locked)

Unlock the volume (this also mounts it):


sh-3.2# diskutil apfs unlockVolume /dev/disk1s1
Passphrase:
Unlocking any cryptographic user on APFS Volume disk1s1
Unlocked and mounted APFS Volume


Find out which cryptographic users exist for the volume:


sh-3.2# diskutil apfs listkeys disk1s1
Cryptographic users for disk1s1 (4 found)
|
+-- EC1C2AD9-B618-4ED6-BD8D-50F361C27507
|   Type: iCloud Recovery User
|
+-- 64C0C6EB-0000-11AA-AA11-00306543ECAC
|   Type: iCloud Recovery External Key
|
+-- 6AAC510E-AE1F-417A-B739-8687BD5D2023
|   Type: Local Open Directory User
|
+-- 223300DE-012D-4D48-A458-102F94617E62
    Type: Local Open Directory User


Pick a user whose passphrase you have and pass its UUID as the -user argument:


sh-3.2# diskutil apfs decryptVolume /dev/disk1s1 -user 6AAC510E-AE1F-417A-B739-8687BD5D2023
Passphrase for existing user 6AAC510E-AE1F-417A-B739-8687BD5D2023: ****************
Starting background decryption of disk1s1 using crypto user 6AAC510E-AE1F-417A-B739-8687BD5D2023 as authorization
Background decryption is ongoing; see "diskutil apfs list" to see progress


Check on the background decryption; run dd or ddrescue only once it has finished:

sh-3.2# diskutil apfs list | grep Unlocked
|   |   Decryption Progress:       44.0% (Unlocked)
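The whole sequence can be scripted. The block below is an added example, not part of the original post: local_od_users and decryption_progress parse saved diskutil output (the sample text is copied from the listkeys and list output above), decrypt_volume strings the post's three commands together, and wait_for_decryption polls until the job is done. decrypt_volume and wait_for_decryption need macOS, root and a real volume; the parsers run anywhere. That the "Decryption Progress" line disappears once decryption completes is an assumption of this example, not something the post states.

```sh
#!/bin/sh
# Added example: helpers for scripting the APFS unlock / listkeys / decryptVolume
# sequence from the post. Parsers work on saved diskutil output so they can be
# checked off a Mac; the diskutil wrappers need macOS, root and a real volume.

# From `diskutil apfs listkeys <vol>` output on stdin, print the UUIDs of
# "Local Open Directory User" entries, i.e. users with a local account passphrase.
local_od_users() {
    awk '/^\+-- / { uuid = $2 }
         /Type: Local Open Directory User/ { print uuid }'
}

# From `diskutil apfs list` output on stdin, print the decryption percentage
# (e.g. "44.0"); print nothing when no "Decryption Progress" line is present.
decryption_progress() {
    awk -F 'Decryption Progress:' '
        /Decryption Progress:/ { split($2, f, "%"); gsub(/^[ \t]+/, "", f[1]); print f[1]; exit }'
}

# Unlock the volume, pick the first Local Open Directory User, and start
# background decryption. diskutil prompts for the passphrase interactively.
decrypt_volume() {
    vol="$1"                     # e.g. /dev/disk1s1
    diskutil apfs unlockVolume "$vol" || return 1
    user=$(diskutil apfs listkeys "$vol" | local_od_users | head -n 1)
    if [ -z "$user" ]; then
        echo "no Local Open Directory User on $vol" >&2
        return 1
    fi
    diskutil apfs decryptVolume "$vol" -user "$user"
}

# Poll until the progress line is gone. Assumption (not stated in the post):
# diskutil drops the "Decryption Progress" line once decryption has finished.
wait_for_decryption() {
    while :; do
        pct=$(diskutil apfs list | decryption_progress)
        [ -n "$pct" ] || break
        echo "decryption at ${pct}%"
        sleep 30
    done
}

# Sample output copied from the post so the parsers can be exercised offline.
SAMPLE_LISTKEYS='Cryptographic users for disk1s1 (4 found)
|
+-- EC1C2AD9-B618-4ED6-BD8D-50F361C27507
|   Type: iCloud Recovery User
|
+-- 64C0C6EB-0000-11AA-AA11-00306543ECAC
|   Type: iCloud Recovery External Key
|
+-- 6AAC510E-AE1F-417A-B739-8687BD5D2023
|   Type: Local Open Directory User
|
+-- 223300DE-012D-4D48-A458-102F94617E62
    Type: Local Open Directory User'

SAMPLE_LIST='|   |   Mount Point:               /Volumes/APPLE SSD SM512E Media
|   |   Decryption Progress:       44.0% (Unlocked)'

# Stand-alone demo on the saved output. On a real machine:
#   decrypt_volume /dev/disk1s1 && wait_for_decryption
echo "local users: $(printf '%s\n' "$SAMPLE_LISTKEYS" | local_od_users | tr '\n' ' ')"
echo "progress: $(printf '%s\n' "$SAMPLE_LIST" | decryption_progress)%"
```

decrypt_volume takes the first local user it finds; when several exist, as in the listkeys output above, pass the UUID of the account whose passphrase you actually hold rather than letting the script choose.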



Notes:

ddrescue seems to be faster than dd.

If you are examining an SD card, use a USB3 adapter rather than the native flash-card reader.  The native reader seems to be USB 2.0.