
HiFiGuy528 (Original poster), Jul 24, 2008
Will a strong firmware password protect my data from investigators installing/using forensic tools on my Mac?
 
A firmware (EFI) password is easily circumvented. What investigators are you talking about? The only way someone can install anything on your Mac is if you give them possession of it or allow someone remote access.
 
Not at all. What's to stop them just putting your hard disk into another computer?
 
Police or FBI. I thought you can't boot from anything other than the internal HD if the firmware PW is enabled. If you have a strong login and firmware PW, there should be no way to load software or dig in virtual memory for the PW to look in the drive, right?

I guess they can install the drive in another Mac, but FileVault should protect the files, right?
 
Police or FBI. I thought you can't boot from anything other than the internal HD if the firmware PW is enabled. If you have a strong login and firmware PW, there should be no way to load software to look in the drive, right?
Wrong. You can disable the firmware password by changing the amount of RAM installed.
You shouldn't have anything on your Mac that would cause problems with the Police or FBI. If you have anything that would, it's foolish to keep it on any computer.
 
Look mate, most people watch too much TV about this crap.
It's not like it is on Cold Case.
Just cause you broke a red light & got a speeding ticket, no FBI agent is going to spend hours cracking your drive. The people who actually do that get paid big £$€'s, so unless you're seriously involved in crime then don't worry about it.

If you are involved in some kind of international drugs ring, then next time you post I'll be tracking your IP & will kick in the door while you're taking a dump. :rolleyes:
 
I don't have anything to hide, right now. :) But never say never. :D When I do, I like to make it as hard as possible for the cops. Like you said, they make BiG $$$ so why not make them work for it. Don't let it be a walk in the park for them. :D
 
They'll just take your hard disk out and put it in an external enclosure.

RAM on the Air cannot be changed. :D
I'm sure the investigators won't mind voiding your warranty, opening up the laptop, and snipping the chips off of the motherboard if they have to.
 
I don't have anything to hide, right now. :) But never say never. :D When I do, I like to make it as hard as possible for the cops. Like you said, they make BiG $$$ so why not make them work for it. Don't let it be a walk in the park for them. :D
Extremely lame! :rolleyes: I thought this was a serious thread.
 
Police or FBI. I thought you can't boot from anything other than the internal HD if the firmware PW is enabled. If you have a strong login and firmware PW, there should be no way to load software or dig in virtual memory for the PW to look in the drive, right?

I guess they can install the drive in another Mac, but FileVault should protect the files, right?

At the least, you would need Secure Virtual Memory enabled, but I don't think OS X has ever been tested or certified to actually work 100% in terms of preventing data leakage. Whereas, NT has had certification since release, although I think certain conditions have to be met. Like it can't be plugged in to a network. :)
 
Correct me if I am wrong but FileVault would in theory protect the contents of the users home directory only when the user has logged out. The main purpose I guess was to stop the casual laptop thief reading your personal data files off your hard drive.

When I mean protect, I mean against anyone who does not know how to break the Rijndael 128/256 bit AES encryption used in either 10.4 / 10.5 respectively.

However I am unsure if FileVault actually securely erases any unused space when the sparse bundle compacts i.e. when the user logs out. I would be interested if anyone can confirm this?

Clearly FileVault does not encrypt removable drives such as usb sticks or firewire drives. A Mac OS X encrypted disk image or TrueCrypt may offer a solution for this.

Secure virtual memory would need to be enabled; however, anything stored in the /var directory is not encrypted. Guess where your log files and temporary files are stored!

The previous posters are correct that the firmware password is fairly easy to break.

Here in the UK, you can be thrown in jail if you refuse to hand over your passwords to the local authorities, so no freezer cans required!

I would be more worried about what information your ISP is recording about you (and for how long) about your travels to certain websites or P2P shares which are associated with your IP address.

Sparkz
 
I heard that a Mac forensic agent would first look in virtual memory for FileVault PW.
 
Something tells me that if you are asking these types of questions on a public message board, you probably aren't going to be able to out-fox the FBI/CIA/NSA.

I don't think that a real super-secret "mega l33t haX0r" would ever trust a consumer-level drive encryption scheme, like the AES algorithm put into Win NT and Mac OS. Obviously, if the government signed off on allowing the algorithm to be declassified and encourages its integration into products, then a backdoor of some sort must exist.
 
I heard that a Mac forensic agent would first look in virtual memory for FileVault PW.

Not virtual memory, they look in the actual RAM. They can't do this if your computer has been powered off for a few minutes.

@ Riemann Zeta: There is no backdoor in AES. At this point in time, it is completely secure.
 
Well, there is no known backdoor in the AES algorithm itself, but it is a very sure bet that there are backdoors in the implementations of drive-level encryption like FileVault and Microsoft's solution for Vista.
 
I don't think that a real super-secret "mega l33t haX0r" would ever trust a consumer-level drive encryption scheme, like the AES algorithm put into Win NT and Mac OS. Obviously, if the government signed off on allowing the algorithm to be declassified and encourages its integration into products, then a backdoor of some sort must exist.

AES is considered cryptographically secure. It's true that AES-128 isn't approved for TOP SECRET use, but AES-256 is -- and that makes me think that the DoD has at least some level of faith in it.

That said, it really comes down to the strength of the implementation. While I don't trust Microsoft based on their past history (NSA_KEY anyone?) I don't have any reason to distrust Apple's engineering teams. 'course I don't have any specific reason to trust them either -- but at least they haven't given me any reason to think that they are building in backdoors (at least not intentionally... the Master Password does kinda undermine the security of FileVault though...)

Well, there is no known backdoor in the AES algorithm itself, but it is a very sure bet that there are backdoors in the implementations of drive-level encryption like FileVault and Microsoft's solution for Vista.

Actually, this came up on Fed-Talk a while back. It ended with the lead engineer for the FileVault team stating that there was no backdoor.

That said, protecting your data from a determined attacker is difficult. It's certainly do-able, but if you're asking for tips on how to do it here it's a sign that your Mac wouldn't stand a chance against a serious attacker.

Some basic tips:

1) Enable FileVault.

2) Enable encrypted swap.

3) Remove the FileVault Master Password.

4) Change your keychain config such that the login keychain is not always unlocked. Enable lock before sleep, and set the inactivity timeout to 1 minute.

5) Set a different password for each keychain. Don't re-use the login password for any keychain.

6) Physically disable FireWire to prevent DMA-based attacks.

7) Disable "safe sleep".

8) Zero out your free space regularly.

The above will stop a number of common attacks, but you'll still have to deal with information leaks on an app-by-app basis, as well as deal with a number of other blended threats.
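To make concrete why tip 3 matters (and the earlier remark that the Master Password undermines FileVault), here is an added example that is not Apple's code or FileVault's real on-disk format: a toy volume header in which one random volume key is wrapped separately under the user password and under an optional master password, so either password recovers the same key until the master slot is deleted. The key wrap is a simplified HMAC construction chosen for illustration, and the names HomeVolumeHeader, wrap and unwrap are assumptions.

```python
import os
import hmac
import hashlib

KEY_LEN = 32  # 256-bit volume key, like the AES-256 the thread mentions for 10.5

def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Stretch a password into a key-encryption key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=KEY_LEN)

def wrap(volume_key: bytes, kek: bytes) -> bytes:
    """Toy key wrap: XOR with an HMAC-derived keystream, then an HMAC tag.
    Illustrative only; a real design would use AES Key Wrap or an AEAD."""
    stream = hmac.new(kek, b"wrap-keystream", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(kek, ct, hashlib.sha256).digest()
    return ct + tag

def unwrap(blob: bytes, kek: bytes):
    """Return the volume key, or None if the tag does not verify."""
    ct, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None
    stream = hmac.new(kek, b"wrap-keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class HomeVolumeHeader:
    """One random volume key, wrapped once per password allowed to unlock it."""
    def __init__(self, user_password: bytes, master_password: bytes = None):
        self.volume_key = os.urandom(KEY_LEN)   # kept here only so tests can compare
        self.slots = {}                         # slot name -> (salt, wrapped key)
        self.add_slot("user", user_password)
        if master_password is not None:
            self.add_slot("master", master_password)   # the recovery/escrow path

    def add_slot(self, name: str, password: bytes) -> None:
        salt = os.urandom(16)
        self.slots[name] = (salt, wrap(self.volume_key, derive_kek(password, salt)))

    def remove_master_password(self) -> None:
        """Tip 3: once the master slot is gone, only the user password unlocks."""
        self.slots.pop("master", None)

    def unlock(self, password: bytes):
        """Try every slot; any password that owns a slot recovers the same key."""
        for salt, blob in self.slots.values():
            key = unwrap(blob, derive_kek(password, salt))
            if key is not None:
                return key
        return None
```

The point the second slot makes is that whoever holds the master password (or obtains it from wherever it is escrowed) reads the volume exactly as the owner would; deleting that slot leaves the user password as the only way in.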
 