Apple FileVault Encryption: Issues and Solutions

by Roman Morozov, Head of Technical Support Department and NAND Data Recovery Instructor, ACE Lab

FileVault is Apple’s built-in disk encryption. The original FileVault, introduced in Mac OS X 10.3 (2003), encrypted only the user’s home folder; FileVault 2, introduced in OS X 10.7 Lion, encrypts the whole volume on top of Core Storage and is the version discussed in this article. It does its job well: without the user’s password or the recovery key, the contents of an encrypted drive stay inaccessible. A law enforcement officer without the right tools and special knowledge will most likely not be able to access the data on a suspect’s Apple computer should the need ever arise.

Cases where the encrypted drive is also physically damaged can be a serious challenge even for a skilled professional. In this article we describe the sequence of steps needed to get at data protected by FileVault and give some tips on recovering data from damaged encrypted Apple drives.

Below is a schematic outline of how a FileVault 2 volume is located and decrypted:

  1. The MBR in sector 0, containing the partition table, is read. On a GPT-partitioned Mac disk this is a protective MBR with a single 0xEE entry that only marks the disk as GPT.
  2. The GUID partition table (GPT) follows: its header is in LBA 1 and the partition entries come right after it. A backup copy of the header and entries is kept at the very end of the disk, which matters when the first sectors are unreadable.
  3. The partition entries give the location of 3 partitions, identified by their type GUIDs:
  • EFI system partition: contains Mac OS service info (boot and firmware support files);
  • Core Storage (CS): this partition contains the encrypted data;
  • Recovery HD: an HFS+ partition with the service info required to unlock the user’s data.
  4. The HFS+ Volume Header of Recovery HD (1024 bytes from the start of the partition) is read first. Then the Catalog file of this partition is loaded and the catalog B-tree becomes available.
  5. The catalog leads to EncryptedRoot.plist.wipekey, a file that contains the encrypted volume master key (VMK). The user’s login password or the recovery key is required to unwrap the VMK.
  6. The Core Storage partition’s own structures (Volume Header, Metadata blocks and Volume group descriptor) are parsed; together with the VMK they give access to the logical volume.
  7. With the metadata we get access to the encrypted data and can decrypt it.
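
Steps 1 to 3 above, as an added example that is not part of the original article or of ACE Lab’s tools: a Python parser that walks the protective MBR and the GPT of a constructed in-memory disk image, identifies the three partitions by their published type GUIDs, and, when the primary table at the start of the disk is unreadable, falls back to the backup GPT at the end of the disk (the situation in the bad-sector cases discussed later). The image layout, partition sizes and names are assumptions made for the example; the `bad_sectors` parameter only simulates read errors.

```python
# Added example: walk a GPT disk image (MBR -> primary GPT -> backup GPT) and
# locate the three partitions the article names by their published type GUIDs.
# The image is constructed in memory; bad_sectors simulates unreadable LBAs.
import struct
import uuid
import zlib

SECTOR = 512
TYPE_GUIDS = {  # published UEFI / Apple partition type GUIDs
    "EFI system partition": uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B"),
    "Core Storage": uuid.UUID("53746F72-6167-11AA-AA11-00306543ECAC"),
    "Recovery HD": uuid.UUID("426F6F74-0000-11AA-AA11-00306543ECAC"),
}
HDR_FMT = "<8sIIII QQQQ 16s QIII"  # GPT header, 92 bytes, little-endian
ENTRY_FMT = "<16s16sQQQ72s"        # GPT partition entry, 128 bytes
N_ENTRIES = ENTRY_SIZE = 128       # 16 KiB entry array = 32 sectors

def gpt_header(my_lba, alt_lba, entries_lba, entries, last_usable, disk_guid):
    """Pack a GPT header; the header CRC is computed with its own field zeroed."""
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, my_lba, alt_lba, 34,
                      last_usable, disk_guid.bytes_le, entries_lba, N_ENTRIES, ENTRY_SIZE,
                      zlib.crc32(entries))
    return hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]

def gpt_entry(type_guid, first, last, name):
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, uuid.UUID(int=first).bytes_le,
                       first, last, 0, name.encode("utf-16-le"))

def build_disk(total=4096):
    """Constructed image (sizes are assumptions): protective MBR in LBA 0, primary GPT
    in LBA 1-33, three partitions, backup GPT (entries, then header) in the last 33 LBAs."""
    disk = bytearray(total * SECTOR)
    disk[446:462] = struct.pack("<B3sB3sII", 0, b"\x00\x02\x00", 0xEE, b"\xff" * 3, 1, total - 1)
    disk[510:512] = b"\x55\xaa"
    entries = b"".join([
        gpt_entry(TYPE_GUIDS["EFI system partition"], 40, 239, "EFI System Partition"),
        gpt_entry(TYPE_GUIDS["Core Storage"], 240, 3839, "Macintosh HD"),
        gpt_entry(TYPE_GUIDS["Recovery HD"], 3840, 4039, "Recovery HD"),
    ]).ljust(N_ENTRIES * ENTRY_SIZE, b"\x00")
    guid = uuid.UUID(int=1)
    disk[2 * SECTOR:34 * SECTOR] = entries
    disk[SECTOR:SECTOR + 92] = gpt_header(1, total - 1, 2, entries, total - 34, guid)
    disk[(total - 33) * SECTOR:(total - 1) * SECTOR] = entries
    disk[(total - 1) * SECTOR:(total - 1) * SECTOR + 92] = gpt_header(
        total - 1, 1, total - 33, entries, total - 34, guid)
    return disk

def parse_gpt_header(sector):
    f = struct.unpack(HDR_FMT, sector[:92])
    if f[0] != b"EFI PART" or f[2] != 92:
        return None
    if zlib.crc32(sector[:16] + bytes(4) + sector[20:92]) != f[3]:
        return None  # CRC mismatch: stale or partly overwritten header
    return {"entries_lba": f[10], "num": f[11], "size": f[12], "entries_crc": f[13]}

def read_partitions(disk, bad_sectors=frozenset()):
    """Return the protective-MBR flag, which GPT copy was usable, and the partitions
    keyed by the article's labels.  Raises ValueError if no intact table exists."""
    total = len(disk) // SECTOR

    def read(lba, count=1):
        if any(s in bad_sectors for s in range(lba, lba + count)):
            raise IOError("unreadable sector %d" % lba)
        return bytes(disk[lba * SECTOR:(lba + count) * SECTOR])

    def load_table(hdr_lba):
        try:
            hdr = parse_gpt_header(read(hdr_lba))
            if hdr is None:
                return None
            nbytes = hdr["num"] * hdr["size"]
            raw = read(hdr["entries_lba"], (nbytes + SECTOR - 1) // SECTOR)[:nbytes]
        except IOError:
            return None
        if zlib.crc32(raw) != hdr["entries_crc"]:
            return None
        return [raw[i:i + hdr["size"]] for i in range(0, nbytes, hdr["size"])]

    try:
        mbr = read(0)
        protective = mbr[510:512] == b"\x55\xaa" and mbr[450] == 0xEE
    except IOError:
        protective = False  # LBA 0 unreadable; the GPT is self-describing, carry on
    table = source = None
    for source, lba in (("primary", 1), ("backup", total - 1)):
        table = load_table(lba)
        if table is not None:
            break
    if table is None:
        raise ValueError("neither the primary nor the backup GPT is intact")
    found = {}
    for raw in table:
        type_bytes, _, first, last, _, name = struct.unpack(ENTRY_FMT, raw)
        for label, guid in TYPE_GUIDS.items():
            if uuid.UUID(bytes_le=type_bytes) == guid:
                found[label] = {"first_lba": first, "last_lba": last,
                                "name": name.decode("utf-16-le").rstrip("\x00")}
    return {"protective_mbr": protective, "gpt_source": source, "partitions": found}

if __name__ == "__main__":
    image = build_disk()
    print(read_partitions(image))
    print(read_partitions(image, bad_sectors={0, 1, 2}))  # falls back to the backup GPT
```

Both the header CRC and the entry-array CRC are checked before a table is trusted, so a half-overwritten primary table is rejected rather than silently pointing at the wrong offsets; only when both copies fail does the function give up, which is the point at which the raw signature search described below becomes necessary.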

This outline only scratches the surface of the whole process of decrypting data protected by FileVault. Any additional complication at any step of the procedure makes it more challenging still.

Let us look at a few such cases.

  1. The most common issue with all storage devices is bad sectors. The sectors at the beginning of a disk usually see the most writing and rewriting, so they are the most prone to going bad, and that is exactly where the partition tables live. This issue might not seem very complex, but the standard set of tools provided by Apple cannot handle it.

The solution is to read the sectors out with hardware that controls timeouts, retries and read direction, producing an image, and then analyse that image. Specialized hardware-software tools are required so that the drive is not damaged further during the process.

  2. Another issue is a damaged Recovery HD partition, which holds the wrapped encryption key.

Here the best approach is to make a copy of the drive and work only with that copy. The first thing to do is locate EncryptedRoot.plist.wipekey on the image; on an intact Recovery HD it sits under com.apple.boot.X (X is P, R or S) in System/Library/Caches/com.apple.corestorage/.

  3. A third case is damage at both the beginning and the end of the drive, which takes out both the primary and the backup partition table. Standard tools are useless here.

The solution is to make a copy of the drive with a special set of reading parameters, then scan the copy for file system structures. The structures found are analysed in depth by building virtual file systems on the copy; the original data must never be modified. The worst cases require a raw (grep-style) search for file system signatures. To succeed here, an engineer needs not only a good understanding of file systems and their structures but also a good deal of luck.

  4. Problems with the file system on the decrypted Core Storage volume may also appear.

Different methods of file system analysis, including examination of the used and unused sectors based on the allocation bitmap (the HFS+ Allocation File), help restore the data and produce a complete report.
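
Step 4 of the outline and this last case, as an added example that is not from the article or from PC-3000: parse the HFS+ volume header of a constructed in-memory volume, follow the Allocation File’s extents to the allocation bitmap, turn it into used/free block runs, and compare the bitmap’s free-block count against the header’s freeBlocks field, which is one cheap consistency check for a damaged header. Field offsets follow Apple Technical Note TN1150; the volume layout and the `with_free_blocks` helper that simulates damage are assumptions made for the example.

```python
# Added example: HFS+ volume header -> Allocation File -> used/free block runs,
# plus a header-vs-bitmap consistency check.  The volume is constructed in memory.
import struct

VH_FMT = ">2sH" + "I" * 17 + "Q32s"  # fixed part of the volume header, 112 bytes (TN1150)
FORK_FMT = ">QII" + "II" * 8          # HFSPlusForkData: size, clump, blocks, 8 extents
VH_OFFSET = 1024                      # the volume header sits 1024 bytes into the partition

def build_volume(total_blocks=64, block_size=512, used=()):
    """Constructed image (layout is an assumption): header in block 2, the allocation
    bitmap in block 3.  HFS+ bitmaps are MSB-first: bit 7 of byte 0 is block 0."""
    vol = bytearray(total_blocks * block_size)
    bitmap = bytearray((total_blocks + 7) // 8)
    for b in used:
        bitmap[b // 8] |= 0x80 >> (b % 8)
    free = total_blocks - len(set(used))
    fixed = struct.pack(VH_FMT, b"H+", 4, 0x100,        # signature, version, unmounted-cleanly
                        0, 0, 0, 0, 0, 0, 0, 0,          # lastMountedVersion .. folderCount
                        block_size, total_blocks, free,  # blockSize, totalBlocks, freeBlocks
                        0, 0, 0, 0, 0, 0, bytes(32))     # nextAllocation .. encodingsBitmap, finderInfo
    alloc_fork = struct.pack(FORK_FMT, len(bitmap), block_size, 1, 3, 1, *([0] * 14))
    vol[VH_OFFSET:VH_OFFSET + 512] = fixed + alloc_fork + bytes(80 * 4)  # other four forks empty
    vol[3 * block_size:3 * block_size + len(bitmap)] = bitmap
    return vol

def parse_volume_header(vol):
    raw = bytes(vol[VH_OFFSET:VH_OFFSET + 512])
    f = struct.unpack(VH_FMT, raw[:112])
    if f[0] not in (b"H+", b"HX"):
        raise ValueError("no HFS+ volume header at offset 1024")
    alloc = struct.unpack(FORK_FMT, raw[112:192])  # first fork: allocationFile
    extents = [(alloc[3 + 2 * i], alloc[4 + 2 * i]) for i in range(8) if alloc[4 + 2 * i]]
    return {"block_size": f[11], "total_blocks": f[12], "free_blocks": f[13],
            "alloc_size": alloc[0], "alloc_extents": extents}

def read_bitmap(vol, vh):
    """Concatenate the Allocation File's extents (only the first eight live in the
    header; a larger bitmap continues in the Extents Overflow file, not handled here)."""
    bs = vh["block_size"]
    data = b"".join(bytes(vol[s * bs:(s + c) * bs]) for s, c in vh["alloc_extents"])
    return data[:vh["alloc_size"]]

def block_runs(bitmap, total_blocks):
    """Collapse the bitmap into (start, length, used) runs covering every block."""
    runs = []
    for b in range(total_blocks):
        used = bool(bitmap[b // 8] & (0x80 >> (b % 8)))
        if runs and runs[-1][2] == used:
            runs[-1][1] += 1
        else:
            runs.append([b, 1, used])
    return [tuple(r) for r in runs]

def free_count_check(vol):
    """Free blocks according to the bitmap vs. the header's freeBlocks field;
    a mismatch means one of the two structures is damaged or stale."""
    vh = parse_volume_header(vol)
    runs = block_runs(read_bitmap(vol, vh), vh["total_blocks"])
    from_bitmap = sum(n for _, n, u in runs if not u)
    return from_bitmap, vh["free_blocks"], from_bitmap == vh["free_blocks"]

def with_free_blocks(vol, value):
    """Copy of the image with the header's freeBlocks (offset 48) overwritten: simulated damage."""
    out = bytearray(vol)
    out[VH_OFFSET + 48:VH_OFFSET + 52] = struct.pack(">I", value)
    return out

if __name__ == "__main__":
    image = build_volume(used=(0, 1, 2, 3, 10, 11, 12, 20))
    print(block_runs(read_bitmap(image, parse_volume_header(image)), 64))
    print(free_count_check(image))
    print(free_count_check(with_free_blocks(image, 0)))
```

The free runs are the regions a carver should sweep for deleted files, and the used runs are where live files (and the catalog itself) can be found; a disagreement between the bitmap and freeBlocks is the kind of signal that tells an engineer which of the two structures to distrust before building a virtual file system on the copy.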

In summary, every digital forensics expert has to keep up with the times, because the technology is constantly evolving. With the appropriate equipment, a trained specialist can solve even such serious challenges as damaged drives encrypted with FileVault.

ACE Lab is internationally recognized as an innovator in the development of cutting-edge solutions for recovering data and evidence from storage devices such as HDDs, SSDs, flash drives, RAID and others. PC-3000 solves the most complex issues with damaged and password-protected drives, as well as virtual drives (flat, vmdk, vhd, vhdx, dmg) and encrypted partitions (FileVault, BitLocker, TrueCrypt). ACE Lab has set the benchmark for professional data recovery and has remained the proven leader in the field for the 27 years since its foundation in 1992. Data recovery engineers and digital forensics experts in more than 117 countries trust the PC-3000 solutions as the most comprehensive and reliable professional data recovery tools.