SecureMac.com
About SecureMac Advertise Security Consulting Mac Security Store Send Feedback

Site Information
Site Background
Who runs the site
Advertising
Security Consulting
Employment/Jobs
Feedback Form

SecureMac Software
PrivacyScan

 

Mac OS X Security
sudo buffer overflow exploit + fix
Disable Single User Boot Mode
Malevolence - Dumping Passwords
nidump security
Startup Security - Open Firmware Password Protection

Mac OS X Network Security
SAINT
Secure FTP Wrapper
Ettercap - sniffer interceptor logger
Snort - Network Intrusion Detection System
SSH Admin
SSH Helper
xnu - enable MAC Address spoofing


Mac OS X Virus

Mac OS X Firewalls
Firewalk Firewall Utility
NetBarrier X

Mac OS X App Sec.

Mac OS X Encryption
LittleSecrets
GPGMail - PGP Functionality

Mac OS X DoS

SecureMac Library
Mac Cable Modem Security
Mac Security Auditing
Mac OS X Security Understanding
Mac OS X Security Second Lessons
Mac OS X Security Third Lesson
Mac OS X Single User Mode Root Access
Mac OS X Shareware Firewalls
Mac OS X Secure Installation
Cable & DSL Connections - Security Measures
Better Safe than Sorry
Apple.com Security Resources
Marketing Macintosh Security Programs

Mac OS X FileVault Security Advisory

Advisory Title: FileVault Leaves Unencrypted Home Data Behind
Release Date: 2003 November 6
Fix Date: Mac OS X 10.4 (May 2005)
Affected Product: Mac OS X 10.3 Build 7B85
Impact: Unencrypted Data Left Behind
Where: Local System
Author: CodeSamurai (codesamurai@mac.com)

FileVault Secure Deletion ScreenshotUpdate (Mac OS X 10.4): With the release of Mac OS X 10.4 (Tiger), Apple has included a fix for this in the FileVault enabling process. When the user goes to enable FileVault on their user account in System Preferences, one of the sheets will now have a "Use secure erase" checkbox. Have this checkbox checked in order to avoid the issue described in this advisory. Note: that this issue is not resolved in 10.3.

Overview
It is possible to recover the remnant data of a home folder which to which FileVault has been enabled. In other words, FileVault doesn't clean up after itself (securely).

Details
Most would assume, that by enabling FileVault on their home folder, that it "protects all the info in your home folder from prying eyes"[1] as stated on Apple's web site. And granted, this is true of the data which is in FileVault; however, the security in regards to the process of enabling FileVault on an existing home folder leaves a little to be desired, as the data before FileVault is enabled is insecurity left behind in the hard drive's free space.

FileVault itself is an AES-128 encrypted disk image, and when it's enabled on a home folder, that home folder's contents are copied to the disk image and securely stored there; but when the original home folder is erased, it is done so without doing a secure erasure. This means that file recovery programs will be able to recover some, if not most, of that user's home directory data in the condition it was before the transfer to FileVault. So, the data is left behind, unencrypted, with the user under the impression that that data is now only located in secure containment of FileVault.


Recovering Data with UnErase


Recommendations
To resolve this, one could use a program to securely wipe the free space of their hard disk; or, if they're doing a fresh install of Panther, to copy their backups back over to their hard drive after FileVault has been enabled. (The latter of which is stated under the assumption that the user is installing Panther on a new hard drive or that the drive has already been written over with zeros via Apple's Disk Utility or securely erased otherwise; because, for obvious reasons, the data of the previous installation will be still left behind in the hard drive's free space anyway.)

Resources
[1] http://www.apple.com/macosx/features/filevault/
http://www.apple.com/macosx/features/security/

Interact:
Could not connect