External APFS volume encryption security "gap"

 
  

jaclaz
Senior Member
 

External APFS volume encryption security "gap"

Posted: Mar 22, 18 14:21

Interesting findings (Mac OS up to 10.13):
www.mac4n6.com/blog/20...utilityapp



jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

JaredDM
Senior Member
 

Re: External APFS volume encryption security "gap"

Posted: Mar 22, 18 19:07

Here's an even easier way to find that password:

www.youtube.com/watch?v=FALiAAWfGVQ

They are definitely making some mistakes in their security implementation. Laughing Laughing

Obviously they quickly fixed the password hint showing the actual password in the next update, but that proved to me it was being stored somewhere in plain text.
_________________
Lead Data Recovery Tech at Data Medics® - www.data-medics.com 
 
  

jaclaz
Senior Member
 

Re: External APFS volume encryption security "gap"

Posted: Mar 31, 18 18:36

Another one was found (in a worse, in the sense of much more persistent, log):


This is actually a worse problem than the one I previously reported on.

The previous examples were found in the unified logs, which can hang around for a few weeks; this new example stores the exact same information in the system's /var/log/install.log. I have found that the install.log will only get wiped out upon major re-installation (i.e., 10.11 -> 10.12 -> 10.13), therefore these plaintext passwords will hang around for quite a bit longer than a few weeks! I had entries dating back to when I originally installed High Sierra on this system back in November of 2017!


www.mac4n6.com/blog/20...s-log-file


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
