FileVault is Apple’s "Full Disk Encryption" utility. When enabled, the contents of the entire HFS+ (Mac OS X) volume are encrypted with 256-bit encryption. The only easy way to decrypt the data on the volume is to enter the user’s password successfully.
On occasion a forensic examiner will be faced with a Mac computer that is running and unlocked. In this instance, the examiner needs to determine if the system is running FileVault before commencing any preview of the computer.
Using Terminal.app (/Applications/Utilities), enter the command "fdesetup status" and press return. Terminal will display whether FileVault is on or off.
For more information on the "fdesetup" command, type "man fdesetup" in Terminal.
If the computer is off, the examiner can start it up in single user mode (with Command-S). A Terminal window opens, and from this window the examiner can run the same command. The result will tell whether the computer contains a FileVault volume.
Note: When in single user mode, care should be taken as the examiner is logged in as the root user! Permanent damage can be done to the data on the computer if the wrong command is entered.
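As an added example (not part of the original article), the sh script below classifies the text printed by "fdesetup status", including the case where encryption is still in progress, and prints a timestamped line for the examiner's notes. The function names and the matched phrases are assumptions; confirm the wording on the OS version being examined.

```shell
#!/bin/sh
# Added example: turn "fdesetup status" output into a one-line examiner note.
# The phrases matched below are assumptions about the command's wording.

classify_fv_status() {
    # $1 = full text printed by "fdesetup status"
    # In-progress states are tested first because they can appear
    # alongside an "is On" line.
    case "$1" in
        *"Encryption in progress"*) echo "ENCRYPTING" ;;
        *"Decryption in progress"*) echo "DECRYPTING" ;;
        *"FileVault is On"*)        echo "ON" ;;
        *"FileVault is Off"*)       echo "OFF" ;;
        *)                          echo "UNKNOWN" ;;
    esac
}

record_fv_status() {
    # $1 = status text; prints a UTC timestamp, the verdict and the raw text
    raw=$(printf '%s' "$1" | tr '\n' ' ')
    printf '%s FileVault=%s raw="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(classify_fv_status "$1")" "$raw"
}

if command -v fdesetup >/dev/null 2>&1; then
    # On the Mac being examined: capture stdout and stderr so errors are noted too
    record_fv_status "$(fdesetup status 2>&1)"
else
    # Constructed sample outputs, used when the script is run off a Mac
    record_fv_status "FileVault is Off."
    record_fv_status "FileVault is On.
Encryption in progress: Percent completed = 42"
fi
```

A verdict of ENCRYPTING or UNKNOWN means the on/off answer alone is not enough and the raw text should be kept in the notes.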
Now you know.