256 AES encrypted Disk image hackable

Discussion in 'OS X Yosemite (10.10)' started by macmacmacr, Oct 22, 2016.

  1. macmacmacr macrumors member

    Joined:
    Dec 23, 2014
    #1
    I use Yosemite disk image encryption on a USB for a few files, and the files were 256 AES disk encrypted using disk image encryption ("How to create a password-protected (encrypted) disk image - Apple Support"). The image was unencrypted and placed in my garbage. I had created the encrypted disk image on my USB drive and it was somehow decrypted.

    The symptoms were that my Yosemite Mac flashed a message that I am low on disk space, which is not correct; then I noticed the trash can went from empty to filled. When I checked the files I noticed they came from my USB and were unencrypted. The USB was connected.
     
  2. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #2
    I might not quite understand you, but you are saying there were a few files encrypted. Then they were unencrypted and put in the trash bin. Then... somehow some files are back on the USB again and you encrypt those, but they show decrypted, but there was a message that there was not enough space...

    I think the answer is in the problem perhaps?

    Encrypt the files on the desktop. Then move them to the usb stick?
    Don't encrypt files that are in the trash bin, that's just meta-storage basically. Use the real file system.
     
  3. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #3
    If I'm understanding what you're saying -- you found decrypted files in the trash that had been encrypted on a USB device. If that's the case, consider the timeline and this possibility.

    With the USB device connected and before you had encrypted the contents, had you trashed any of its contents and then not emptied the trash? If that's the case, then that's what you're probably seeing, not your current files decrypted and trashed.
     
  4. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #4
    The files were encrypted on my USB drive. On my local machine running Yosemite the encrypted files appeared in the trash can. I did not unencrypt the files, so this suggests that Apple's disk image is not secure.
     
  5. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #5
    It may suggest that, but that is not what is happening underneath. When you move a file on a USB disk to Trash, Finder moves the file to a hidden directory in the root path of the disk. Finder’s Trash window uses window dressing to show you the contents of this and all other hidden Trash directories that it has access to, giving you the impression that the files have been moved to a single location on your main disk.

    You can easily verify this by right-clicking on the file in Trash, then clicking on ‘Get Info’. It will show you the true path of the file, ending with ‘.Trashes’ (with full stop). The files have never left the USB disk, they were just hidden in the .Trashes directory and Finder showed you this.
     
  6. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #6
    Kallt, the files were encrypted. I had not unencrypted the files at all; the file was in the form "name.dmg" and was still encrypted on my USB drive. If a mistake was made, the files should have appeared in my trash encrypted, not unencrypted. Also, the files in the trash (unencrypted files) I recognize and would not have placed them in the trash.

    The files were encrypted using 256 bit AES and the password was not saved in my keychain. On opening the named.dmg file the password had to be entered.
     
  7. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #7
    If I understood you correctly, you have files on an encrypted disk image, on a USB drive? If so, the contents are indeed encrypted on-disk. However, as you mount the drive, the contents are decrypted on the fly for you to use. Any program that you are using, such as Finder, can interact with the files normally as long as the disk image is mounted and unlocked. If you were to delete a file from it, Finder would move it to the unencrypted part of your USB disk, in a hidden .Trashes directory, thereby decrypting it for good. That is absolutely normal behaviour.
     
  8. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #8
    That is absolutely incorrect, Kallt. A disk image encryption requires a password to be decrypted. My password is not saved in the keychain, therefore a password must be entered to open the file. If what you suggest were the case, it makes disk image encryption useless: I can take any person's disk encrypted image "file.dmg" and then look into the garbage container for the unencrypted values.

    Apple disk image encryption has a security problem that allows the disk to somehow become unencrypted. See Mac OS X Daily for how it functions. http://osxdaily.com/2012/08/12/encrypt-folders-mac-os-x/
     
  9. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #9
    You are right, I indeed worded that wrong. I should have said ‘move a file out of it’. Let me put it differently: you have a USB drive and on it is an encrypted DMG file. When you insert the USB drive, the system mounts the file system at /Volumes/USBDrive. Then, when you attach the DMG file, it mounts it at /Volumes/DMGFile. When you attach an encrypted disk image, it will be decrypted and then mounted like any other file system. That means it will have a hidden .Trashes directory.

    When you move the file /Volumes/DMGFile/my_secret_file.txt to Trash, what happens is that Finder moves the file to /Volumes/DMGFile/.Trashes/my_secret_file.txt, where it will be hidden from view, but still on the same disk. When you look at the Trash window in Finder, you can still see the file until you empty Trash. This gives you the impression that the file is no longer on the disk image, but that is simply not true. Finder will now show you all the files in these locations:
    /.Trashes
    /Users/username/.Trash
    /Volumes/USBDrive/.Trashes
    /Volumes/DMGFile/.Trashes

    The file itself has never left the encrypted disk image. If you eject the disk image with the file still in Trash, then it will also disappear.

    It is normal behaviour that an encrypted disk image becomes completely readable to the system once attached, as if it were not encrypted at all. As such, any program can read and copy the contents elsewhere. This is unavoidable.
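
Added example, not part of any poster's reply: a shell check built on the per-volume trash layout described in #9 and the "moved out of the image" case from #7. It lists which volume each trashed file really sits on and flags trashed files outside the mounted image that are byte-identical to a file on it. The function names, the constructed sample tree and the `501` user subfolder are assumptions, and file names containing tabs or newlines are not handled.

```shell
#!/bin/sh
# Added example: volume roots are arguments; the layout at the bottom is constructed.

# Print "volume<TAB>file" for every file in each volume's hidden trash folder
# (.Trashes at a volume root, .Trash in a home folder).
trash_locations() {
    for vol in "$@"; do
        for t in "$vol/.Trashes" "$vol/.Trash"; do
            [ -d "$t" ] || continue
            find "$t" -type f ! -name .DS_Store | while IFS= read -r f; do
                printf '%s\t%s\n' "$vol" "$f"
            done
        done
    done
}

# Print "image_file<TAB>outside_copy" when a trashed file on one of the other
# volumes is byte-identical to a non-empty file on the mounted image.
plaintext_copies() {
    image=$1; shift
    tab=$(printf '\t')
    find "$image" -type f ! -name .DS_Store | while IFS= read -r secret; do
        [ -s "$secret" ] || continue
        trash_locations "$@" | while IFS=$tab read -r _vol f; do
            if cmp -s "$secret" "$f"; then printf '%s\t%s\n' "$secret" "$f"; fi
        done
    done
}

# Constructed sample standing in for /Volumes/USBDrive and /Volumes/DMGFile.
demo=$(mktemp -d)
mkdir -p "$demo/USBDrive/.Trashes/501" "$demo/DMGFile/.Trashes/501"
echo 'secret' > "$demo/DMGFile/.Trashes/501/my_secret_file.txt"  # trashed inside the image
echo 'budget' > "$demo/DMGFile/budget.txt"
cp "$demo/DMGFile/budget.txt" "$demo/USBDrive/.Trashes/501/"    # moved out, then trashed
trash_locations "$demo/USBDrive" "$demo/DMGFile"
plaintext_copies "$demo/DMGFile" "$demo/USBDrive"
rm -rf "$demo"
```

On a real system the arguments would be the mounted image and the other volumes, for example `plaintext_copies /Volumes/DMGFile /Volumes/USBDrive "$HOME"`.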
     
