FileVault
FileVault is the Mac OS X 10.4 and 10.5 technology that
encrypts a user's Home folder with 128-bit AES encryption, on
the fly, such that it is nearly impossible to see the
contents once a machine has been shut down. Because of this,
it is very important that you consider what to do with a
running Macintosh when you are the first responder. If you
"yank" the plug and head out with your properly seized
computer, you may have seized a bunch of digital garbage if
you can't figure out a way to break the password. This page
is not going to try to teach you decryption methods. (That
is the job of Spartan in the Files section.)

When you approach a running Macintosh, consider copying the
contents of the user's Home folder if FileVault is enabled.
You can tell whether it is enabled from the Home icon shown
in the Finder window: if the "House" shows a combination
lock on it, FileVault is enabled. Also, other users
currently logged in on the system may have FileVault in use.

In Leopard, a user's home directory is encrypted to a special
series of files called a "sparsebundle". In Tiger, a user's
home directory is encrypted to a flat file called a
"sparseimage". If you are extremely interested in learning
more about these files, start by reading the "man" page for
"hdiutil". It actually gives a good, although short,
description of what a sparsebundle is. Next, visit the
Apple Developer website, where the technical discussion
ramps up quickly.
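
The following Python script is an added example, not code from the original page or from Apple: it walks a read-only copy of a volume and lists candidate FileVault containers by the shapes described above, a "sparsebundle" directory (Leopard) or a flat "sparseimage" file (Tiger). The sample tree, the user names, and the Info.plist keys "band-size" and "size" read from the bundle are assumptions of this example, and a matching name alone does not prove the image is encrypted.

```python
import os, plistlib, tempfile

def classify(path):
    """Describe a candidate FileVault container by its on-disk shape, or return None."""
    name = os.path.basename(path)
    if name.endswith(".sparsebundle") and os.path.isdir(path):
        info = {}
        try:  # evidence may be damaged; a missing or bad plist is not fatal
            with open(os.path.join(path, "Info.plist"), "rb") as fh:
                info = plistlib.load(fh)
        except Exception:
            pass
        bands_dir = os.path.join(path, "bands")  # assumed bundle layout
        bands = os.listdir(bands_dir) if os.path.isdir(bands_dir) else []
        on_disk = sum(os.path.getsize(os.path.join(bands_dir, b)) for b in bands)
        return {"path": path, "kind": "sparsebundle", "release": "Leopard (10.5)",
                "bands": len(bands), "band_size": info.get("band-size"),
                "virtual_size": info.get("size"), "bytes_on_disk": on_disk}
    if name.endswith(".sparseimage") and os.path.isfile(path):
        return {"path": path, "kind": "sparseimage", "release": "Tiger (10.4)",
                "bytes_on_disk": os.path.getsize(path)}
    return None

def find_containers(root):
    """Walk a read-only copy of a volume and list candidate containers."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        found.extend(h for e in sorted(dirnames + filenames)
                     if (h := classify(os.path.join(dirpath, e))))
        # a bundle is one unit of evidence: do not descend into it
        dirnames[:] = sorted(d for d in dirnames if not d.endswith(".sparsebundle"))
    return found

def build_sample(root):  # constructed sample tree, not real evidence
    bundle = os.path.join(root, "Users", "alice", "alice.sparsebundle")
    os.makedirs(os.path.join(bundle, "bands"))
    with open(os.path.join(bundle, "Info.plist"), "wb") as fh:
        plistlib.dump({"band-size": 8388608, "size": 1073741824}, fh)
    for band in ("0", "1", "a"):
        with open(os.path.join(bundle, "bands", band), "wb") as fh:
            fh.write(b"\0" * 16)
    os.makedirs(os.path.join(root, "Users", "bob"))
    with open(os.path.join(root, "Users", "bob", "bob.sparseimage"), "wb") as fh:
        fh.write(b"\0" * 32)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*find_containers(tmp), sep="\n")
```
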

Added to the Files section is an application to try
a dictionary attack against a FileVault "sparsebundle" or
"sparseimage". The application, Spartan, will ask for a
dictionary file and then ask for a FileVault image file.
Have fun, and have patience! A dictionary attack on an
encrypted file takes a very long time!

Read more about FileVault and Time Machine here.