Mac OS X Forensics
Never give up, the answer is right in front of you...
-
Our Sponsors
-
Custom Search
Time Machine
and FileVault
Now that we know how Time Machine and FileVault work, we need to explore how they work together when both technologies are enabled on a user's Mac. Time Machine is enabled for the entire Macintosh, but FileVault is enabled per user account. For our scenario, here are the User account we will talk about:
System Preferences - Accounts Window
User account "aloof" is our user that is smart enough to turn on FileVault. User account "goof" is our poor fool that left FileVault off. User account "moof" is the one I'm typing all of this from and will not participate in this exercise!
When user "aloof" turned on FileVault for his account, this warning message was presented:
FileVault Warning
What does this mean? It means Time Machine works quite differently for a FileVaulted account. First, Time Machine does not back up user's Home directory files while a user is logged in! A user MUST log out first. Second, a user does not restore a single file from Time Machine, rather a user restores an entire instance of their Home directory! What do I mean by that? If user "aloof" needs to bring back a file he deleted yesterday, he is going to bring back EVERYTHING (the entire sparsebundle) from yesterday.
Here is what Time Machine looks like on the external USB drive for "goof" and "aloof".
Time Machine backups with and without FileVault applied
Now that we know how Time Machine and FileVault work, we need to explore how they work together when both technologies are enabled on a user's Mac. Time Machine is enabled for the entire Macintosh, but FileVault is enabled per user account. For our scenario, here are the User account we will talk about:
System Preferences - Accounts Window
User account "aloof" is our user that is smart enough to turn on FileVault. User account "goof" is our poor fool that left FileVault off. User account "moof" is the one I'm typing all of this from and will not participate in this exercise!
When user "aloof" turned on FileVault for his account, this warning message was presented:
FileVault Warning
What does this mean? It means Time Machine works quite differently for a FileVaulted account. First, Time Machine does not back up user's Home directory files while a user is logged in! A user MUST log out first. Second, a user does not restore a single file from Time Machine, rather a user restores an entire instance of their Home directory! What do I mean by that? If user "aloof" needs to bring back a file he deleted yesterday, he is going to bring back EVERYTHING (the entire sparsebundle) from yesterday.
Here is what Time Machine looks like on the external USB drive for "goof" and "aloof".
Time Machine backups with and without FileVault applied