Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

csdiagnose(1) [mojave man page]

csdiagnose(1)						    BSD General Commands Manual 					     csdiagnose(1)

NAME

     csdiagnose -- collect information needed to diagnose CoreStorage volumes

SYNOPSIS

     csdiagnose [-f path] [-h] [-v] [dev ...]

DESCRIPTION

     csdiagnose collects information to help Apple investigate issues related to CoreStorage (File Vault 2, Fusion Drive, File Vault Everywhere,
     etc).  This tool invokes sudo, so you will be asked to authenticate.

     This script requires csgather(1) to be installed in the PATH.

     If dev is not given, all disks in the system will be inspected.  This is the recommended method of invoking csdiagnose.

     Advanced users can provide a list of dev in the form of disk1 or disk1s2.	Only information of the given dev is collected.  To fully collect
     information of a CoreStorage volume, the CoreStorage Physical Volume (i.e., the Apple_CoreStorage partition), the Apple_Boot partition after
     the physical volume, and the Logical Volume published by CoreStorage (which can be found out using the "diskutil cs list" command) should all
     be provided on the command line.

     The following information is collected:

	   1.	OS version.

	   2.	system logs, kernel logs, install logs, filesystem logs, and other useful information for CoreStorage debugging from /var/log.

	   3.	output of "diskutil list".

	   4.	output of "diskutil cs list".

	   5.	output of "mount -t hfs".

	   6.	"csgather -G" of every Apple_CoreStorage partition, which includes the CoreStorage metadata.  If a list of dev is provided, only
		information on the partitions included in the list will be collected.

	   7.	EncryptedRoot.plist of every Apple_Boot partition.  If a list of dev is provided, only information on the partitions included in
		the list will be collected.

	   8.	timestamps of the files relevant to kextcache/kextd.

     The following user information is contained in the collected file:

	   1.	Number and types of disks attached to the system.

	   2.	The volume names, UUIDs, and size of each partition.

	   3.	Encrypted versions of the volume key(s) that unlock the encrypted disk(s) attached to the system.  Refer to csgather(1) for what
		information could leak from the volume key(s).

	   4.	User names, pictures, and password hints for the users.

     No other user information (such as directory structures, file names, file content, etc) is collected.

     The following options are available:

     -h       Show this help information.

     -f path  Specify an output path which will hold the file generated by this script.  By default this will be the user's Desktop folder.  The
	      given path must already exist.

     -v       Verbose mode, which prints every command it invokes.

SEE ALSO

     csgather(1), sysdiagnose(1)

HISTORY

     The csdiagnose utility first appeared along with CoreStorage in OS X 10.10.0.

OS X
								   May 31, 2019 							      OS X

Check Out this Related Man Page

csgather(1)						    BSD General Commands Manual 					       csgather(1)

NAME

     csgather -- Gather CoreStorage metadata for diagnosis

SYNOPSIS

     csgather -G dir device ...
     csgather -r mountPoint [-o filename]

DESCRIPTION

     csgather gathers CoreStorage metadata for diagnosis.  It works in two modes.

     In the first mode where -G and a list of devices are provided, CoreStorage metadata on these list of devices will be collected.  The col-
     lected information includes the size and UUID of the CoreStorage logical and physical volumes, the name of the logical volumes, the wrapped
     (encrypted) volume key (which can only be decrypted by a brute-force attack), user name and user login image file.  No other user information
     (such as directory structure, file names, file content, etc) is collected.

     In the second mode where -r is provided, the encryption context which includes the wrapped volume key (which can only be decrypted by a
     brute-force attack), user name and user login image file will be collected.

     If the wrapped volume key is decrypted by a brute-force attack, the volume key used to encrypt data on CoreStorage Logical Volumes is in the
     clear.  It is not mathematically possible to derive the user's passphrase from the volume key.  The volume key is only useful when the
     attacker has access to the encrypted data in the CoreStorage Logical Volume, which are not collected by csgather.

     The following options are available:

     -G dir	    Gather all CoreStorage metadata and write into the specified directory.  The given directory must not already exist.

     -o filename    Specify the output file generated by the -r option.  If not given, use standard output.

     -r mountPoint  Find out the CoreStorage logical volume identified by the given mount point, and print its encryption context to the file
		    given in the -o option.

SEE ALSO

     csdiagnose(1)

HISTORY

     The csgather utility first appeared along with CoreStorage in OS X 10.10.0.

OS X
								   May 31, 2019 							      OS X
Man Page