Oct 14, '08 07:30:00AM • Contributed by: jzdziarski
I've written a brief titled FileVault Imaging: Apple's Dirty Little Secrets that explains exactly how you can mount a FileVault volume (with the key, of course) to obtain the raw disk image. I will also illustrate how deleted data can be preserved inside a FileVault, and how a free space wipe does nothing to purge deleted data from inside one. The protection offered by an encrypted volume seems to aggravate other security issues, possibly making deleted data less secure.
[robg adds: The referenced brief is not about breaking into FileVault volumes, but about how data is stored and managed within those volumes -- in particular, deleted data. The section on the free space wipe was the most interesting to me -- this feature basically doesn't work as intended if you're using FileVault. I haven't tried to confirm that finding for myself, but the provided example seems fairly clear-cut in its proof.]
