%0 Conference Proceedings
%T Security Analysis and Decryption of Filevault 2
%+ University of Cambridge [UK] (CAM)
%+ Google Switzerland
%A Choudary, Omar
%A Grobert, Felix
%A Metz, Joachim
%Z Part 7: FORENSIC TOOLS
%< peer-reviewed
%( IFIP Advances in Information and Communication Technology
%B 9th International Conference on Digital Forensics (DF)
%C Orlando, FL, United States
%Y Gilbert Peterson
%Y Sujeet Shenoi
%I Springer
%3 Advances in Digital Forensics IX
%V AICT-410
%P 349-363
%8 2013-01-28
%D 2013
%R 10.1007/978-3-642-41148-9_23
%K Volume encryption
%K full disk encryption
%K FileVault 2
%Z Computer Science [cs]Conference papers
%X This paper describes the first security evaluation of FileVault 2, a volume encryption mechanism that was introduced in Mac OS X 10.7 (Lion). The evaluation results include the identification of the algorithms and data structures needed to successfully read an encrypted volume. Based on the analysis, an open-source tool named libfvde was developed to decrypt and mount volumes encrypted with FileVault 2. The tool can be used to perform forensic investigations on FileVault 2 encrypted volumes. Additionally, the evaluation discovered that part of the user data was left unencrypted; this was subsequently fixed in the CVE-2011-3212 operating system update.
%G English
%Z TC 11
%Z WG 11.9
%2 https://inria.hal.science/hal-01460615/document
%2 https://inria.hal.science/hal-01460615/file/978-3-642-41148-9_23_Chapter.pdf
%L hal-01460615
%U https://inria.hal.science/hal-01460615
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-AICT
%~ IFIP-TC
%~ IFIP-WG
%~ IFIP-TC11
%~ IFIP-DF
%~ IFIP-WG11-9
%~ IFIP-AICT-410