Hacking password of a MacBook of a deceased person

wra18th

My dear friend's daughter died in a car accident a year ago. Her name was Samantha and she had a password on her MacBook. Her mom wants me to try to hack the password on the machine so that she can give it to her other daughter.

The mother is afraid to take it to Apple and have them do it because Samantha was very secretive and wouldn't let anyone touch or look at her MacBook. Mom thinks that there may be files/pics/videos that others shouldn't see. As a matter of fact, I can only try to hack the password in her presence so that even I can't see what's there before her.

Can any of you Mac guys help me out? I know how to do this on a Windows machine but my experience with Macs is very limited.
 
My Mac-Fu is very limited, but I guess the password is stored in iCloud. I assume you could restore the password to her cellphone assuming it's unlocked.
 
Can you just replace the hard drive? The lock is applied to the image on the hard drive, not the MacBook itself, as far as I know.

There is an older FireWire vulnerability that might be applicable, but it’s not a simple thing and it was mitigated by a patch - so it may be N/A anyway.

Here’s some more info on options.

https://blog.elcomsoft.com/2016/07/mac-os-forensics-attacking-filevault-2/
 
Is your goal to recover the data, or to not? If you don't care about the data, and you're just trying to give it to the other daughter, just wiping it through the same process done in windows is enough (basically you can boot into a "reinstall macOS" mode that formats and reinstalls macOS onto the drive).
https://support.apple.com/en-us/ht204904
Replacing the HD of course has the same effect, but I'll assume this is a later Macbook Pro using a chip based PCIE SSD and not a standard 2.5" HD, making it costly at best to replace. As Apple uses a proprietary SSD, getting replacements is annoying as they can't simply be purchased through Newegg. Likely they'll have to be sourced through eBay and you'll just have to hope the seller got the model year right and isn't otherwise trying to screw you.

If you're trying to recover the data, then that's another bag of worms. If the drive is encrypted then basically you have zero hope short of professionals and tens of thousands of dollars. I don't know how many brute force attack preventions FileVault has built into it, but even if it has zero, a 16 digit password would take likely decades to crack. Being able to do a dictionary attack or having access to previously known passwords would help a lot.
https://www.betterbuys.com/estimating-password-cracking-times/

If the drive isn't encrypted using FileVault, the simplest method would be to remove the hard drive and place it into another working machine that has its own boot drive. Then simply just take whatever data you want and dump the rest.

Also, her mom's paranoia isn't going to be useful at all. If you are going to have to sit around and grind through this stuff, then she's gonna have to be around for likely days if not years or decades. Granted moms in general as well as grieving people aren't rational. But I suppose it will be a mild form of entertainment to see how long she's willing to sit around and look over the proverbial shoulder of a computer just sitting there dumping in passwords over and over.
I suppose it also does come down to "trust". But if she herself doesn't already know what's on there and her daughter prevented her from knowing, then she's basically playing the mom card to justify being just as snoopy as anyone else would be when looking at a locked laptop. Not that you'll be able to tell her that though without her getting incredibly pissed off.

In all likelihood there won't be anything unusual. Some people are just incredibly private. If you're into Enneagrams, Samantha was likely a 5 with possible wing 6 or a 6 with absolute wing 5. Or possibly an INTJ if you're into Myers-Briggs. It's far less likely that she was a government spy or has a massive collection of selfie-nudes that no one else knows about (as generally for that sort of thing there'd be a receiving party. Or in the case of the government, people trying to collect the laptop). Generally speaking this sort of stuff just falls in to Occam's Razor.
 
Just talked to the mother. She wants to talk to the other daughter to see if losing the data is an option. This is a 2015 MacBook Pro. No one knows Samantha's Apple ID or password. There are tiny torque screws underneath it but I'm pretty sure it's an SSD drive inside. I've got a lot of reading to do now.

One quick question. If I don't format the drive, will the files still be there like in Windows.old?
 
I think UnknownSouljer's advice is pretty much spot on with a few minor caveats:

There are plenty of places to find aftermarket (and OE) SSD replacements for modern Macs. You won't have to rely on eBay and luck to replace the drive if that's the option you choose.

There are also a few easier ways to get inside the computer other than removing the drive and using it on another Mac. One of them is to simply install OS X right alongside the current installation. Alternatively, you can take an install from another computer and literally run it from a USB enclosure as a live install (you can also use a Live version of linux to get to the same goal but there's no reason now that Apple stores all you need to format a drive, download the most current OS, and do a bare metal install). So to be clear: you can take a USB hard drive, clone the current OS X install on her computer over to it, clone another OS X install to it, or just use a clean install, and then hold Option key down during boot and instruct the MacBook to use that USB drive and it will operate from it as if it was internal.

You can then mount the primary (password protected) drive and modify the account privileges and add new users, etc. using your admin credentials within your current session.

Not to put too fine a point on this, but both of these replies are assuming your information is on the up and up. What I mean to say is we really have no idea if you are authorized tech for this computer and we've essentially given you the basic instruction set to hack someone's device. Samantha may in fact be dead and her mother may in fact be making this request. My personal advice is to have a frank conversation with the mom about what a fair amount of us would suggest is the only ethical course of action (and also path of least resistance from a sysadmin perspective)--blow the current install away and start fresh. It's going to be emotionally painful that only time can heal but sifting through a dead relative's information device is highly personal, violation of trust, and isn't going to provide the healing this family wants and believes it might provide. What if she does find something that hurts the mom? No good can come from this, in my opinion. I also ran this last paragraph by my wife, who is a licensed mental health practitioner (who also specializes in grief counseling), and she agreed the basic gist of what I wrote is how she'd approach the issue, as well. Trying to be helpful, not antagonistic, hopefully it comes across as intended. I had this exact scenario about two weeks ago with my grandmother's computer. I tried unsuccessfully to get into the computer and gave it a good few hours thought as to who and what I would do to get into it until I finally made an executive decision to start fresh. I wasn't about to burden my grandfather or my dad about any of this.

Two other things to consider: Apple is often willing to provide these kinds of services at an Apple store for no charge (especially given the circumstances). I don't know what they would or wouldn't do, but at a minimum they'd wipe and install the OS for you if the mom is willing to go down that path. Perhaps your role is better spent in dear friend and shoulder to cry on while the technicians do their thing at the Apple bar in front of both of you (the data won't even be accessible to them or anyone during this process). The other thing is that the iCloud account is accessible with appropriate legal documentation verifying the death and guardianship issues. That might be important for passwords but also because presumably the younger daughter could benefit from the library on Samantha's account.
 
One quick question. If I don't format the drive, will the files still be there like in Windows.old?
Do you have experience with linux? Reinstalling OS X over a current install is like reinstalling over a linux or MS install: the personal files will remain (not like Windows.old, more like /home in linux or User in Windows). There won't be an OS X.old folder anywhere since the older install will be overwritten.

If you do a side by side installation, or a target mode access like previously described, the entire file system will be available.

Keep in mind what we're describing to you, though. The iCloud account has a password. That will be impossible for you to retrieve (even Apple doesn't have it), but they might be willing to reset the account so you can access the data. The computer itself has a password, which might or might not be the iCloud password (like Windows 10, you can have a local password or cloud based account authorization). Both of these passwords can be two factor, now. And without her iPhone, unless there's an authorized iPad lying around, you won't be able to get into them either via normal means.

Once you bypass either of those kinds of passwords you'll be in the file system free and clear.

However, there is a separate encryption option that is not enabled by default. I am referring to FileVault, which can do entire disk encryption or simple file encryption and range from nothing to everything. Without a recovery key you won't be able to access the files at all using normal means. That's what will take the tens of thousands of dollars of data recovery, not just getting into the operating system. I would be surprised if she set that up. It doesn't have a huge presence in the OS and is there for those of us who need and/or want it. So unless she was hyper sensitive to security risks and also tech savvy, the chances of that being all set up correctly are probably slim to none.
 
Thanks for the advice, everyone. Let's see what the mother wants to do now.
 
just wipe it

you will still need an icloud account if i recall correctly. have mom call apple and tell em whats up so they can reset the account
 
Wiping and re-installing will not require her Apple ID.

Correct. Not sure why we're still yapping about it. This isn't iCloud lock. Doesn't work the same way. (Although that tech is coming to future Apple devices, as shown in the iMac Pro, in which a secure enclave prevents usage of the computer at the hardware level, however that is currently the only machine with that implementation).
 
Can you just replace the hard drive? The lock is applied to the image on the hard drive, not the MacBook itself, as far as I know.

There is an older FireWire vulnerability that might be applicable, but it’s not a simple thing and it was mitigated by a patch - so it may be N/A anyway.

Here’s some more info on options.

https://blog.elcomsoft.com/2016/07/mac-os-forensics-attacking-filevault-2/


No need to replace the drive. Assuming that it's OK to lose the data, simply boot the Mac into recovery mode, erase the drive, and reinstall the OS.
 
No need to replace the drive. Assuming that it's OK to lose the data, simply boot the Mac into recovery mode, erase the drive, and reinstall the OS.
Good point.

Replacing the drive however gives them the option of trying to recover the data at a later date. Perhaps after a vulnerability is discovered that allows for easier access. I do agree however that it’d be best to not snoop and just delete in honor of the daughter’s privacy. As mope54 stated, I’m not sure much good would come of it.
 
What BlueLineSwinger said +1

I dug up my old macbook air (2013) a few days ago and couldn't remember shit about the logins and whatnot. Just did the recovery mode + reinstalled the OS - which wiped everything and started fresh. No point trying to guess both the ID and the password.
 
Thank you guys for the help. Mom and sister still don't know if they are willing to lose the data. Data that they assume may be there. They're now thinking of taking it over to Apple. But without an Apple ID they're not going to get anywhere.

Let's see where this goes.......
 
Have you determined yet whether the drive is encrypted via FileVault? If you boot into recovery mode and run Disk Utility it'll tell you. This is non-destructive.
 
If you're going to go into recovery you might as well reset the password if this method works on her hardware and software version:

With the MacBook off, hold Command+R and press the power button.
Continue holding Command+R until you hear the startup chime.
This will take you into Recovery and you should see Disk Utility.
Click on Disk Utility, then click on the partition you want access to, then look at the description to see if it is encrypted with FileVault (click on Info to see more details).
If it is not encrypted, then click on Utilities (toolbar top of the screen) and select Terminal.
Type resetpassword in Terminal and follow the prompts.
 
I was able to reset the passwords but now I need a keychain password. What's next?
 
Reset the keychain. Are you in OS X or Recovery?

Just hand the MacBook to mom and reboot it. She'll be able to log in with the reset password and access the files now.
 
I got in. I reset the keychain as you stated. I can't believe how simple it was to do. Didn't even need a live CD. You don't know how happy I am to have been able to do this. Mom and sister have the laptop.



Thank you guys so much for the help!!!!!!!!
 