Getting files off a running macbook laptop

Discussion in 'Apple Desktop Hardware/Software' started by sum_1, Oct 17, 2019.

  1. sum_1

    sum_1 Member

    Joined:
    Jun 14, 2002
    Messages:
    390
    Location:
    Sydney
    Hi there, I have a macbook and I need to get access to it to get the files.
    The owner is in hospital, and won't ever be able to give us a password to the device.
    It is currently booted and running, presenting with the login screen.
    I don't know if the disk has full disk encryption, so I'm hesitant to reboot it into recovery mode, as all the disk may no longer be decrypted.
    The mac is running ssh daemon, and file sharing, but I have no accounts or ssh keys to login with.
    For the username, I can see the display name, and I'm 95% certain it's one of two values.
    Any ideas on how to get access? The mac laptop has firewire devices, and the owner works in IT.

    When I open the lid there is a time machine message:
    No Backups for 33 Days
    Connect to a power outlet while your backup disk is available.

    Power is connected, but I don't know if this is the right disk, or if backup is happening or if the computer has to be logged in to start backup.
    [​IMG]

    Any ideas how to proceed? I remember reading years ago about a way to run commands with a specially crafted firewire device, and have plenty of experience in infosec field to attempt this.
     
  2. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    60,568
    Location:
    brisbane
    first thing is first back it up so plug the time machine drive or whatever it was backing up to back in.

    you should be able to remove the password, i just forget how to it's been something like 7 years since i touched a mac in recovery mode.
     
  3. OP
    OP
    sum_1

    sum_1 Member

    Joined:
    Jun 14, 2002
    Messages:
    390
    Location:
    Sydney
    I'm not sure which (if any) is the time machine drive and whether or not that screenshot indicates that the correct or incorrect drive is connected.
    I'm also not sure if the backup begins to the drive without unlocking.

    I cannot remove password by rebooting to recovery mode, as it may have filevault full disk encryption enabled.
     
  4. sammy_b0i

    sammy_b0i Laugh it up, fuzzball!

    Joined:
    Jun 29, 2005
    Messages:
    3,651
    Location:
    ACT 2913
    You used to be able to go into recovery mode and blank it out, but doesn't work like that any more on the newer ones.
     
  5. damo13579

    damo13579 Member

    Joined:
    Oct 21, 2008
    Messages:
    1,197
    Location:
    Tasmani
    password is an easy fix if filevault is off. you're pretty well stuck if its on though.

    if its showing it hasn't backed up for 30 days then atleast you know its backed up at some point, maybe check external drives for a time machine backup, might have the files you need.
     
  6. OP
    OP
    sum_1

    sum_1 Member

    Joined:
    Jun 14, 2002
    Messages:
    390
    Location:
    Sydney
    So to loop back to this, I found a backup disk, pulled the ssh key off there, which thankfully was in authorized_keys and was able to ssh in. I don't have root / password reset, but at least I can ssh in, fire up the latest backup with tmutil, and copy files off the backup drive.
     
    mooboyj and sammy_b0i like this.

Share This Page

Advertisement: