
Ambrosia7177

macrumors 68020
Original poster
Feb 6, 2016
I am trying to better understand how FileVault2 protects my data by first understanding how my computer is at risk if I do not encrypt it.

Obviously if someone guessed my password, then I would be screwed. But if I have a strong password, why isn't that enough?

What are the different ways that someone could access data on my computer if it was not encrypted, and they were unable to guess my password?

Thanks.
 
Physical access is the obvious one -- walking away with the disk drive / SSD, or having physical access at a time when you're logged in already. Or, as mentioned, Target Disk Mode. Beyond that, it's mostly about various exploits, published or unpublished. The scary ones are remote root exploits, which are relatively rare but would allow someone to remotely gain access. Firewalls and proper control of remote access can help some.

FileVault 2 is a kind of full disk encryption, I gather (I don't use it myself). FDE is mostly about preventing someone who physically walks off with the machine or storage unit from getting at the data. If you've unlocked a volume already, any remote exploit would then still be able to read the data ... it would be roughly like someone sitting at the computer after it's already been logged in and the FileVault password given.
 
^^^Those.

And not even exploits: OS X comes out-of-the-box with access modes.

Have not tried, and not sure if still works with High Sierra, but, can boot into recovery and run the "resetpassword" command from the Terminal.

Or: can remove the "lock file" that says the system has been setup. When the system re-boots, will go through the initial setup process, and allows you to create a new administrator account.
 
Target Disk Mode.

Does Target Mode still work on newer Macs running Sierra and High Sierra?
Physical access is the obvious one -- walking away with the disk drive / SSD

If I had a secure password on my Mac, but FileVault2 was not turned on, then what could you do if you walked off with my hard-drive? Wouldn't you still need my password?


Beyond that, it's mostly about various exploits, published or unpublished. The scary ones are remote root exploits, which are relatively rare but would allow someone to remotely gain access. Firewalls and proper control of remote access can help some.

But all of those require you to be booted up, right? If someone stole my computer or HDD, then they would need to do a remote boot access.
 
If I had a secure password on my Mac, but FileVault2 was not turned on, then what could you do if you walked off with my hard-drive? Wouldn't you still need my password?

Nope. Password without FileVault only prevents one from logging into a machine. For example, can pull the disk drive out of the machine and mount it like an external drive. If thief creates a new admin account or resets existing, now has full access to the data on the machine.

Password with no encryption will just stop amateurs.
 
Nope. Password without FileVault only prevents one from logging into a machine. For example, can pull the disk drive out of the machine and mount it like an external drive. If thief creates a new admin account or resets existing, now has full access to the data on the machine.

Password with no encryption will just stop amateurs.

When I have an account password on my Mac, where does it reside? Is it on my HDD at the OS level, or does it reside in the EFI firmware?

Either way, you are saying that if you removed my HDD you could put it into an external enclosure and instantly be able to see all of my data? My Mac's password only works if my HDD is in my own computer?


Also, can you explain what you mean by "If thief creates a new admin account or resets existing, now has full access..."
 
The admin account on your Mac can gain access to any files on any drive, including an admin account that might be created by a thief (with a bit of knowledge about macOS, and the macOS terminal/command line) --- all files are accessible to the admin user, unless a drive is locked/encrypted, and the thief does not know the password to unlock. That's where an encrypted drive will protect you...
A normal admin user account can't protect you if the thief has physical access to your system, and the internal drive.

Your question about a password that only works on your computer, but not the drive itself, would be the EFI/firmware password. That would exist in EFI firmware, and is the OTHER form of protection. Again, the firmware password does not protect your files if the thief has physical access, and knows how to remove the drive from your Mac. An encrypted drive would maintain protection, even if removed from the original Mac.
 
The admin account on your Mac can gain access to any files on any drive, including an admin account that might be created by a thief (with a bit of knowledge about macOS, and the macOS terminal/command line) --- all files are accessible to the admin user, unless a drive is locked/encrypted,

ON my Macs, I create an Admin account and then a Standard account. In the past when I logged in as Admin, and tried to access data on my HDD created from my day-to-day Standard account, I couldn't do that. (I assumed as Admin I would be able to see everything as you mention. Why was that not the case?)
 
I did not say that an admin account can see everything on your computer.
I said that an admin user can gain access to any file on the drive.
THAT means that an admin can become a superuser (root level access) on a temporary basis. Just takes a simple terminal command.
Or, the admin user can enable the root user. Logging in to the root user account then allows you to do anything on a Mac, even allowing you to delete files while they are used to support system operation (potentially crashing the system)
Your admin account can't do some of that directly, but the root user has full access.

There are sites that can provide you with some knowledge about user permissions, file access, and particularly using the terminal to do a lot of things that you might not realize are possible (and fairly simple just by typing in a command or two)
 
The user password only protects your data from being accessed by others. This means that it only protects your home folder by forbidding access to other users who don't have the rights to do so. But apart from that, your data is not encrypted in any way.

File Vault 2 encrypts the whole drive. Without the encryption key nobody can even read the files.

So the difference between the two is that the user password does not give access to others while encryption makes the files unreadable for everyone. But why should you encrypt?

Let's create a little scenario: I find your MacBook. I plug in a flash drive with Linux into your computer and boot my Linux system. I'm the only user on my Linux system and I am root (admin rights). I can just access your drive like an external drive and can access all your data. That's because user rights only apply to macOS and not to my Linux system. This means everyone can access your data with little effort. But in case you encrypted your drive I will be asked for the encryption password. Without it, I can't access anything.

All in all I can only recommend you to encrypt your drive. It's the best way to make sure your data is safe.
 
Let's create a little scenario: I find your MacBook. I plug in a flash drive with Linux into your computer and boot my Linux system. I'm the only user on my Linux system and I am root (admin rights). I can just access your drive like an external drive and can access all your data. That's because user rights only apply to macOS and not to my Linux system. This means everyone can access your data with little effort. But in case you encrypted your drive I will be asked for the encryption password. Without it, I can't access anything.

The sentence I bolded above is what I wasn't understanding!

It didn't make sense how a password could protect my OS and files while the drive was in my computer, but when you are in Target Mode or take out the drive, why you suddenly got access.

Thanks for the explanation above!

That seems like a dumb design that they can't make your system password protect files regardless of where the HDD is located.

All in all I can only recommend you to encrypt your drive. It's the best way to make sure your data is safe.

No worries there. I have been using FileVault for years. The purpose of this thread is just to understand better why a system password is not enough.

I had a friend ask me why a strong password wasn't good enough, and I thought about it for a moment and realized that I didn't know the answer!

So to summarize the discussion so far, some of the ways that people could get around your system password include...

1.) Booting into Recovery Mode and resetting the password
2.) Accessing files on your HDD via "Target Mode"
3.) Removing your HDD, and plugging it into another computer and simply accessing files like they were on an unprotected external drive
4.) Booting from a USB drive using another OS like Linux, and then accessing files on your internal HDD


Can anyone think of other ways a person could get around your system password if you don't have FileVault2 turned on?
 
https://support.apple.com/en-ca/HT201462

All Macs support TDM, and were they not to, their drives could still be pulled and accessed with the FV encryption. In the case of current gen touch bar Pros, their drives are soldered, but they still support TDM.
Can anyone think of other ways a person could get around your system password if you don't have FileVault2 turned on?
By using resetpassword
Here's a real-life scenario from today:
I had a MBP from a client that she wanted backed up, wiped, then restored.
I like Carbon Copy Cloner for making backups; it requires an admin password for the computer it runs on. I did not have her password. I plugged in her Mac to mine via TDM, opened my CCC, selected her drive as the source, set a destination, and boom, copied. In this scenario the victim wouldn't even know the access had occurred.
 
Let's make another example:

You have three user accounts on your Mac. All three users use the same system files but everyone has its own home folder. So macOS gives every user its own individual home folder which is stored in /Users.

And now comes the part where user rights management comes in. Every user can only access its own home folder (User1 can access /Users/User1 but can't access /Users/User2 or /Users/User3). That's because it does not have read and write access on these folders. Let's take a look at the root user. The root user is the user who has every right. That's why root can access all of these folders. But this user rights management is only there to manage the rights across the system itself. It's not supposed to keep users from other systems out. It only manages the users within the system and not on the drive itself.

When booting a Linux system it has its own user rights management. It recognises the drive but doesn't care about the macOS user rights management. That's because user management is only a system thing. It says, like, User1 is only allowed to access /Users/User1. So it denies access to other user folders. But when accessing the drive directly without the system we can just access them because the files are stored on the drive without encryption. It's kinda hard to explain but I hope I made it more clear.

Well, I think it's not a dumb design. It's just local user management and not designed to protect the files from external access. That's why there's disk encryption :)


1.) Booting into Recovery Mode and resetting the password

Yes, because the Recovery Mode has root and stands above all other users. It can change anything besides stuff that's protected by SIP (System Integrity Protection), but that's another topic. But resetting the password should not work with drive encryption because root can't even read the drive.


2.) Accessing files on your HDD via "Target Mode"

As far as I know you need to enable that first in System Settings/Startup Disk/Target Disk Mode.


3.) Removing your HDD, and plugging it into another computer and simply accessing files like they were on an unprotected external drive

Yes, but the other computer needs to be able to read the file system.


4.) Booting from a USB drive using another OS like Linux, and then accessing files on your internal HDD
Yes, but could be problematic with the introduction of APFS. I'm not sure if there's already an open source implementation for linux yet.



When File Vault 2 is on, there's no way to access your data without the password. And if you lose your password you won't be able to access it either. There are options like being able to restore it with your Apple ID, but I prefer the local Recovery Key stored in a safe.
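To make the point in this post and the earlier Linux-boot scenario concrete, here is a small added illustration (my own toy model, not macOS code and not from anyone in this thread). The "disk" is a dictionary of files carrying owner and mode bits, the "OS" is a function that enforces those bits, and `raw_read` stands for what any other system that mounts the disk sees. The password store path and the user names are constructed; macOS keeps its account records elsewhere.

```python
"""Toy model: why a login password does not protect files on an unencrypted disk.

Constructed illustration, not macOS internals. The login password only guards a
hashed record and the OS's permission checks; the file bytes sit on the disk in
the clear, so another OS that mounts the disk never consults those checks.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
SALT_LEN = 16

# Constructed stand-in for the account database; macOS's real location differs.
PASSWORD_STORE = "/var/db/constructed-password-store"


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256. The disk stores (salt, digest), never the password."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time; the hash cannot be reversed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def make_disk() -> dict:
    """An unencrypted 'disk': every entry is plaintext bytes plus owner/mode metadata."""
    salt, digest = hash_password("correct horse")
    return {
        PASSWORD_STORE: {"owner": "root", "mode": 0o600, "data": salt + digest},
        "/Users/alice/diary.txt": {"owner": "alice", "mode": 0o600, "data": b"alice's secret"},
        "/Users/bob/notes.txt": {"owner": "bob", "mode": 0o644, "data": b"bob's notes"},
    }


def login(disk: dict, password: str) -> bool:
    """What the OS does at the login window: check the hash stored on the same disk."""
    record = disk[PASSWORD_STORE]["data"]
    return verify_password(password, record[:SALT_LEN], record[SALT_LEN:])


def os_read(disk: dict, user: str, path: str) -> bytes:
    """The running OS's view: root bypasses checks, others need ownership or world-read."""
    entry = disk[path]
    if user == "root" or entry["owner"] == user or entry["mode"] & 0o004:
        return entry["data"]
    raise PermissionError(f"{user} may not read {path}")


def can_read(disk: dict, user: str, path: str) -> bool:
    """Convenience wrapper: True if the OS would let `user` read `path`."""
    try:
        os_read(disk, user, path)
        return True
    except PermissionError:
        return False


def raw_read(disk: dict, path: str) -> bytes:
    """What a foreign OS (Linux from a USB stick, another Mac in Target Disk Mode)
    sees: the bytes as stored. The owner/mode metadata is only meaningful to the
    OS that wrote it, and no password check is involved at all."""
    return disk[path]["data"]


if __name__ == "__main__":
    disk = make_disk()
    print("login with right password:", login(disk, "correct horse"))
    print("bob reading alice's diary via the OS:", can_read(disk, "bob", "/Users/alice/diary.txt"))
    print("same file read raw from the disk:", raw_read(disk, "/Users/alice/diary.txt"))
```

The takeaway matches the thread: the hash protects the password, the mode bits protect against other accounts on the same running system, and neither one transforms the stored bytes. Only encryption (the next topic in this thread) changes what `raw_read` returns.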
 
That seems like a dumb design that they can't make your system password protect files regardless of where the HDD is located.

Not any different than Windows: have pulled HDD from families' dead Windows machines, cabled to my Mac, and have pulled user data off before doing a secure erase. Everything on the drive was open to me.

Need to think of the drive in the same way a USB flash drive works, in that you can write to the drive on one machine, and some other machine can read from the same drive.
 
https://support.apple.com/en-ca/HT201462

All Macs support TDM, and were they not to, their drives could still be pulled and accessed with the FV encryption. In the case of current gen touch bar Pros, their drives are soldered, but they still support TDM.

I had never even heard of Target Disk Mode until today. (Kind of embarrassing since I have been using Macs for a decade now!)


https://support.apple.com/en-ca/HT201462
Here's a real life scenario from today:
I had a MBP from a client that she wanted backed up, wiped, then restored.
I like Carbon Copy Cloner for making backups; it requires an admin password for the computer it runs on. I did not have her password. I plugged in her Mac to mine via TDM, opened my CCC, selected her drive as the source, set a destination, and boom, copied. In this scenario the victim wouldn't even know the access had occurred.

Wow! You never cease to amaze me, @Mr_Brightside_@ That is really scary, because it means that if you left your computer unattended for a period of time, someone could walk up and clone your entire HDD without you knowing it, right?

(BTW, with SSDs, how quick could you clone a drive like you did had you never run CCC before, so it had to do the entire drive?)

Is there any way to disable Target Disk Mode? Can you disable it by setting an EFI password? Any other ways?
But this user rights management is only there to manage the rights across the system itself. It's not supposed to keep users from other systems out. It only manages the users within the system and not on the drive itself.

When booting a Linux system it has its own user rights management. It recognises the drive but doesn't care about the macOS user rights management. That's because user management is only a system thing. It says, like, User1 is only allowed to access /Users/User1. So it denies access to other user folders. But when accessing the drive directly without the system we can just access them because the files are stored on the drive without encryption. It's kinda hard to explain but I hope I made it more clear.

Yes, that does make sense!


2.) Accessing files on your HDD via "Target Mode"

As far as I know you need to enable that first in System Settings/Startup Disk/Target Disk Mode.

I believe you just boot holding down "T" and you are in Target Disk Mode. Above I asked if there is a way to disable that feature so people cannot steal your data like @Mr_Brightside_@ described.


3.) Removing your HDD, and plugging it into another computer and simply accessing files like they were on an unprotected external drive

Yes, but the other computer needs to be able to read the file system.

Other than macOS, what other OS's could a person use to access my HDD's data if it wasn't encrypted? It sounds like Linux is one.


4.) Booting from a USB drive using another OS like Linux, and then accessing files on your internal HDD
Yes, but could be problematic with the introduction of APFS. I'm not sure if there's already an open source implementation for linux yet.

What is APFS?
 
Some more questions...

1.) If FileVault 2 is not enabled, and someone boots into Linux, in addition to being able to view all of your files, can they also reset all user passwords?

2.) If someone removed your HDD and hooked it up to another machine running Linux, could they reset your user passwords?

3.) If you are using Mac-2, and you access Mac-1 via Target Disk Mode, then do the user accounts and passwords on the original computer (Mac-1) prevent Mac-2 from seeing all of the files? Or by virtue of accessing Mac-1 via Target Disk Mode, can Mac-2 see all files? (Assuming Mac-1 does not use an EFI password or FileVault 2.)
 
1 and 2: yes, because the passwords are in a file like everything else, and the file can be altered or reset.

#3 is yes, but. Yes, normally, OS/X permission checking would apply to the mounted disk. The "but" is that presumably you have control of Mac-2, and therefore you can tell OS/X to bypass the permission checks via "su" at the command line, or by enabling a root user (two different ways to achieve the same thing).

All unix-like operating systems (and OS/X is one) have a superuser capability of some sort that skips file permission checking. The capability is locked down to various degrees, but it's there, and you can't really do without it unless you change lots of architectural things. (For instance, you'd probably need to move filesystem verification into the kernel, instead of running it as a user mode program.)
 
1 and 2: yes, because the passwords are in a file like everything else, and the file can be altered or reset.

Wouldn't the user passwords be hashed or something? If so, then how could you modify them? Or would a hacker instead just delete the passwords and leave them blank, maybe?


#3 is yes, but. Yes, normally, OS/X permission checking would apply to the mounted disk. The "but" is that presumably you have control of Mac-2, and therefore you can tell OS/X to bypass the permission checks via "su" at the command line, or by enabling a root user (two different ways to achieve the same thing).

All unix-like operating systems (and OS/X is one) have a superuser capability of some sort that skips file permission checking. The capability is locked down to various degrees, but it's there, and you can't really do without it unless you change lots of architectural things. (For instance, you'd probably need to move filesystem verification into the kernel, instead of running it as a user mode program.)

I need to take time to learn some command-line Unix, especially if I want to learn more about security!
 
Yes, the passwords are hashed so you can't recover them, and yes, the trick is to blank them out. Or, as superuser, you can force a password change using the passwd command without knowing the old password.
 
If I use FileVault 2 to encrypt my entire hard-drive, and an intruder removed my hard-drive and then hooked it up as an external drive on, say a machine running Linux, if the criminal knew my password, would he be able to unlock my hard-drive?

Put another way, besides a valid password, what do you need to unlock an encrypted FileVault 2 drive?

Must you be booted up in macOS on the original computer where the drive was located?

Could you boot up into macOS on another machine while using the stolen drive as the bootable drive and unlock it?

Could you be running Linux or Windows on another machine, and unlock the stolen drive if it was hooked up as an external drive?

I'm not sure where FileVault 2 resides, and how you get it to work. Is it in macOS? On the encrypted drive? In the EFI of the original computer that had its drive stolen? Or if you have a valid password, can you unlock it in any of the scenarios above?

I'm having fun with this topic!
 
I don't know specifically how FileVault 2 works, but I can talk to the general case of full-disk encryption. If you have an arbitrary disk drive (encrypted or not), and you hook it to your computer, there are a few things you have to be able to do before you can read it:

1. you have to be able to understand the partition map (or boot block or whatever you want to call it), which self-describes the drive layout.
2. If some or all of the drive is encrypted, you need the key (which might be the same as the login password, or derived from it, or might be something entirely separate), and the decryption algorithm
3. you have to be able to understand the filesystem layout and internal structures, so as to translate raw disk blocks into directories, files, and the like.

(I guess #0 is you have the right hardware interface for the drive but we'll assume that bit.)

#1 is not generally an issue because most drives will be GPT or MBR partitioned, both of which are well known.

#2 is probably the big question in terms of mounting a FV2 volume on Linux. I don't know if the FV2 format and encryption is public, I don't know if there is any linux support for it, and in any case you'd need the decryption key to be able to do anything with it.

#3 is not a big deal because Linux does have support for HFS+ (although as far as I know, not for the new APFS yet).

Of course if the drive is installed in another Mac, that takes care of all three and the only missing piece is the key. If the FV2 volume was bootable on the original machine, it ought to be bootable on the second one, assuming that the hardware is compatible.

As for where FV2 "resides": again, I'm not 100% sure how OSX does it. On Linux, a disk with "full" disk encryption really isn't 100% encrypted. A better term might be full partition encrypted. What you typically do is have a very small boot partition on the disk, which is unencrypted and contains the OS and whatever it needs to get started, but nothing else. That is what is run when the computer starts. When it comes time for the OS to access and mount the main (root) partition of the disk, the OS sees that it's encrypted and prompts for the decryption passphrase. So in that sense, the filevault code resides as part of the operating system. The key is not stored anywhere, and if you lose it, you lose access entirely.

You could in theory have the block decryption capability built into the computer (i.e. as EFI code). I don't think that's how Macs do it but I could be wrong. You need the decryption capability somewhere. If it's not in the machine firmware, then you need some un-encrypted area on the disk that contains a program that can do the decryption (that program being the OS itself, in the Linux case, and probably in the general case). You could even define a hardware interface with the decryption built in, although I've only seen that in high end enterprise SANs and the like.
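As an added worked example of the layout this post describes (my own toy model, not FileVault's or Linux's actual format): a disk image with a small unencrypted boot area, a header holding only a salt and a key-check value, and a root volume stored as ciphertext under a key derived from the passphrase. The cipher here is an HMAC-SHA256 keystream XORed over the volume, chosen so the example runs with only the standard library; real full-disk encryption uses XTS-AES with per-sector tweaks, and nothing below is FileVault's algorithm. All names and the sample volume contents are constructed.

```python
"""Toy full-disk-encryption layout: plaintext boot area, encrypted root volume.

Constructed illustration of the layout described in the thread. The key is
never written to the disk; only a salt (to derive it from the passphrase) and a
check value (to recognise the right passphrase) are stored in the header.
"""
import hashlib
import hmac
import os
import struct

KDF_ROUNDS = 200_000
KEY_CHECK_LABEL = b"volume-key-check"  # constructed domain-separation label


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn the passphrase into a 32-byte volume key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS)


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Illustrative stream cipher only;
    real FDE uses XTS-AES so each sector gets its own tweak."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, struct.pack(">Q", counter), "sha256").digest())
    return b"".join(blocks)[:length]


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def key_check(key: bytes) -> bytes:
    """Value stored on disk so the OS can tell a wrong passphrase from a right one
    without storing the key itself."""
    return hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()


def make_encrypted_disk(passphrase: str, root_plaintext: bytes) -> dict:
    """Lay out the disk: boot area in the clear, header with salt + check, root as ciphertext."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    return {
        "boot": b"BOOTLOADER AND MINIMAL OS (stored in plaintext)",
        "header": {"salt": salt, "check": key_check(key)},
        "root": xor_bytes(root_plaintext, keystream(key, len(root_plaintext))),
    }


def unlock(disk: dict, passphrase: str) -> bytes:
    """What the boot-area OS does at the prompt: derive the key, verify it against
    the header, and only then decrypt the root volume."""
    key = derive_key(passphrase, disk["header"]["salt"])
    if not hmac.compare_digest(key_check(key), disk["header"]["check"]):
        raise ValueError("wrong passphrase: root volume stays ciphertext")
    return xor_bytes(disk["root"], keystream(key, len(disk["root"])))


def can_unlock(disk: dict, passphrase: str) -> bool:
    try:
        unlock(disk, passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    disk = make_encrypted_disk("correct horse", b"root filesystem: alice's diary")
    print("boot area readable without a passphrase:", disk["boot"])
    print("root volume as stored on disk:", disk["root"].hex())
    print("root volume after unlock:", unlock(disk, "correct horse"))
    print("unlock with wrong passphrase:", can_unlock(disk, "wrong"))
```

Two points map directly onto the questions asked earlier in the thread: the check value lets the unlock code detect a wrong passphrase without revealing anything about the right one, and pulling the disk and reading `disk["root"]` from any other machine yields only ciphertext, because the key exists only while it is derived in memory from the passphrase.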
 