MacOS – Where to target when doing a Brute Force attack on an extended mac OS drive

Tags: hacking, hard drive, macos, password, security

I forgot the new password to my external hard drive (Mac OS Extended Journal Encrypted). I know. Stupid.

I got my hands on John the Ripper and I know some parameters that will help narrow down the possible passwords. I just have no idea what file I'm supposed to tell John the Ripper (or any brute force program) to attack.

My question: What location do I ask my brute force password cracker to target?

Best Answer

There is no file where an encrypted image of your external disk password is stored, neither on the internal disk nor on your external disk.

You don't have an encrypted password to feed John the Ripper.

When your external disk is mounted, your external disk password is in memory because it is heavily used to encrypt and decrypt your data.

If your external disk is correctly mounted, and if you have a FireWire port, then Passware can get this in-memory (RAM) password.

See here the article from NakedSecurity @ Sophos that best describes this technique of RAM searching. The term "exploit" used to describe this technique is the usual media overkill.