Drive Badger is able to automatically detect and decrypt Apple FileVault-encrypted APFS partitions, using either user password, or recovery key.

See keys-filevault-demo repository. It contains a sample filevault.keys file.

You can configure multiple such repositories - each such repository should:

• be cloned to /opt/drivebadger/config/keys-filevault-yourchosenname local directory on your Drive Badger persistent partition
• contain filevault.keys file with proper contents (see below)

Local directory doesn't need to contain .git subdirectory, in fact it can be just "floating" directory (created by hand or script, without repository). However if it does, then you can update it automatically using /opt/drivebadger/update.sh (in just 1 step for all repositories).

If you have decryption keys associated (directly or indirectly) with particular drive serial numbers, you can save such keys in keys directory.

If you have any additional useful information about particular keys, allowing you to split them in some way (eg. into cities, buildings, floors, company departments, employee specialties) into smaller groups, you can try:

• split them into separate repositories
• configure these repositories across many Drive Badger devices, according to your attack plan

filevault.keys file can contain:

• FileVault recovery keys or user passwords, one per line
• comments starting from # sign (without leading spaces)
• empty lines

Example filevault.keys file:

# macbook pro, recovery key
ABCD-1234-5678-90AB-CDEF-1234

# mac mini, user password
MyFancyPassword

APFS partition has different structure than most other partition types: it has multiple separate filesystems (usually 4 or 5) stored as single partition, with a single UUID. All these filesystems are then mounted and seen as consecutive layers of the same logic filesystem. Drive Badger tries to exfiltrate only 1 or 2 of such filesystems: those containing user data.

Similar to other partition types (except only Bitlocker), APFS partitions are detected by systemd/udevd during system boot phase. Drive Badger relies on that, and just iterates over all detected partition UUIDs, trying to mount and exfiltrate them one by one. For APFS this behavior is however a bit different:

• first it gets the list of internal filesystems (only ones with user data)
• then it iterates over them, trying to mount each one:
  • first without password
  • then checking user passwords or recovery keys from filevault.keys files

When a matching key is found, it's saved in keys directory - so it can be easily reused.