Frimware PW & forensic tools

Discussion in 'macOS' started by HiFiGuy528, Feb 11, 2009.

  1. HiFiGuy528 macrumors 68000

    Jul 24, 2008
    Will a strong firmware password protect my data from investigators installing/using forensic tools on my Mac?
  2. GGJstudios macrumors Westmere


    May 16, 2008
    A firmware (EFI) password is easily circumvented. What investigators are you talking about? The only way someone can install anything on your Mac is if you give them possession of it or allow someone remote access.
  3. petemwah macrumors regular

    Feb 10, 2009
    not at all. what's to stop them just putting your hard disk into another computer?
  4. HiFiGuy528 thread starter macrumors 68000

    Jul 24, 2008
    Police or FBI. I thought you can't boot from anything other than internal HD if firmware PW is enable. If you have a strong login and fireware PW, there should be no way to load software or dig in virtral memory for PW to look in the drive, right?

    I guess they can install the drive in another Mac, but FileVault should protect the files, right?
  5. GGJstudios macrumors Westmere


    May 16, 2008
    Wrong. You can disable the firmware password by changing the amount of RAM installed.
    You shouldn't have anything on your Mac that would cause problems with the Police or FBI. If you have anything that would, it's foolish to keep it on any computer.
  6. HiFiGuy528 thread starter macrumors 68000

    Jul 24, 2008
  7. Hierotochan macrumors member

    Feb 25, 2008
    Look mate, most people watch too much TV about this crap.
    It's not like it is on Cold Case.
    Just cause you broke a red light & got a speeding ticket, no FBI agent is going to spend hours cracking your drive. The people who actually do that get paid big £$€'s, so unless you're seriously involved in crime then don't worry about it.

    If you are involved in some kind of international drugs ring, then next time you post I'll be tracking your IP & will kick in the door while you're taking a dump. :rolleyes:
  8. HiFiGuy528 thread starter macrumors 68000

    Jul 24, 2008
    I don't have anything to hide, right now. :) But never say never. :D When I do, I like to make it as hard as possiable for the cops. Like you said, they make BiG $$$ so why not make them work for it. Don't let it be a walk in the park for them. :D
  9. portent macrumors 6502a

    Feb 17, 2004
    They'll just take your hard disk out and put it in an external enclosure.

    I'm sure the investigators won't mind voiding your warranty, opening up the laptop, and snipping the chips off of the motherboard if they have to.
  10. Peace macrumors Core


    Apr 1, 2005
    Space--The ONLY Frontier
    Dude. That's so wrong in so many ways.
  11. GGJstudios macrumors Westmere


    May 16, 2008
    Extremely lame! :rolleyes: I thought this was a serious thread.
  12. Amdahl macrumors 65816

    Jul 28, 2004
    At the least, you would need Secure Virtual Memory enabled, but I don't think OS X has ever been tested or certified to actually work 100% in terms of preventing data leakage. Whereas, NT has had certification since release, although I think certain conditions have to be met. Like it can't be plugged in to a network. :)
  13. sparkz macrumors newbie

    Feb 11, 2009
    United Kingdom
    Correct me if I am wrong but FileVault would in theory protect the contents of the users home directory only when the user has logged out. The main purpose I guess was to stop the casual laptop thief reading your personal data files off your hard drive.

    When I mean protect, I mean against anyone who does not know how to break the Rijndael 128/256 bit AES encryption used in either 10.4 / 10.5 respectively.

    However I am unsure if FileVault actually securely erases any unused space when the sparse bundle compacts i.e. when the user logs out. I would be interested if anyone can confirm this?

    Clearly FileVault does not encrypt removable drives such as usb sticks or firewire drives. A Mac OS X encrypted disk image or TrueCrypt may offer a solution for this.

    Secure virtual memory would need to be enabled, however anything stored in the /var directory is not encrypted. Guess where your log files and temporary files are stored !

    The previous posters are correct that the firmware password is fairly easy to break.

    Here in the UK, you can be thrown in jail if you refuse to hand over your passwords to the local authorities, So no freezer cans required !

    I would be more worried about what information your ISP is recording about you (and for how long) about your travels to certain website sites or P2P shares which are associated to your IP address.

  14. HiFiGuy528 thread starter macrumors 68000

    Jul 24, 2008
    I heard that a Mac forensic agent would first look in virtual memory for FileVault PW.
  15. Riemann Zeta macrumors 6502a

    Feb 12, 2008
    Something tells me that if you are asking these types of questions on a public message board, you probably aren't going to be able to out-fox the FBI/CIA/NSA.

    I don't think that a real super-secret "mega l33t haX0r" would ever trust a consumer-level drive encryption scheme, like the AES algorithm put in to Win NT and Mac OS. Obviously, if the government signed off on allowing the algorithm to declassified and encourages its integration into products, then a backdoor of some sort must exist.
  16. Jethryn Freyman macrumors 68020

    Jethryn Freyman

    Aug 9, 2007
    Not virtual memory, they look in the actual RAM. They can't do this is your computer has been powered off for a few minutes.

    @ Riemann Zeta: There is no backdoor in AES. At this point in time, it is completely secure.
  17. Riemann Zeta macrumors 6502a

    Feb 12, 2008
    Well, there is no known backdoor in the AES algorithm itself, but it is a very sure bet that there are backdoors in the implementations of drive-level encryption like FileVault and Microsoft's solution for Vista.
  18. ppc750fx macrumors 65816

    Aug 20, 2008
    AES is considered cryptographically secure. It's true that AES-128 isn't approved for TOP SECRET use, but AES-256 is -- and that makes me think that the DoD has at least some level of faith in it.

    That said, it really comes down to the strength of the implementation. While I don't trust Microsoft based on their past history (NSA_KEY anyone?) I don't have any reason to distrust Apple's engineering teams. 'course I don't have any specific reason to trust them either -- but at least they haven't given me any reason to think that they are building in backdoors (at least not intentionally... the Master Password does kinda undermine the security of FileVault though...)

    Actually, this came up on Fed-Talk a while back. It ended with the lead engineer for the FileVault team stating that there was no backdoor.

    That said, protecting your data from a determined attacker is difficult. It's certainly do-able, but if you're asking for tips on how to do it here it's a sign that your Mac wouldn't stand a chance against a serious attacker.

    Some basic tips:

    1) Enable FileVault.

    2) Enable encrypted swap.

    3) Remove the FileVault Master Password.

    4) Change your keychain config such that the login keychain is not always unlocked. Enable lock before sleep, and set the inactivity timeout to 1 minute.

    5) Set a different password for each keychain. Don't re-use the login password for any keychain.

    6) Physically disable FireWire to prevent DMA-based attacks.

    7) Disable "safe sleep".

    8) Zero out your free space regularly.

    The above will stop a number of common attacks, but you'll still have to deal with information leaks on an app-by-app basis, as well as deal with a number of other blended threats.

Share This Page