Sunday, July 31, 2011

The Mighty Lion

Snow Leopard 10.6 wasn't much of a problem from the forensics perspective and left paw prints all over the snow. It had no TRIM enabled by default, and FileVault was not particularly difficult to deal with. Advanced users could enable TRIM for their SSD drives by using TRIM Enabler 1.1, but this wasn't widespread. Apple OS X Lion 10.7 came and the game has changed.

The new OS adds support for the TRIM command, and it is turned on by default. TRIM allows OS-level garbage collection and also assists with wear-levelling and fragmentation, as well as reducing write amplification and improving random write speed. Basically, if an operating system supports TRIM, delete really does mean delete, not just flagging space as available.

OS X Lion also introduces "FileVault 2", which, instead of merely encrypting user home folders, now offers "Full Disk Encryption". Upon upgrading, existing users are offered the option to upgrade to "FileVault 2". The old FileVault, let's call it "FileVault 1", is also supported, but only for existing users of "FileVault 1". The new encryption method uses XTS-AES 128-bit encryption. When "FileVault 2" is enabled, the user is presented with the option to create a recovery key.

WARNING: You will need your login password or a recovery key to access your data. A recovery key is automatically generated as part of this setup. If you forget both your password and recovery key, the data will be lost.

Recovery key: CCQP-DDA3-XDSF-5656-UHGX-MTN8

Additionally, Apple now provides an option to store the recovery key with them, which I am sure will be useful for both forgetful users and law enforcement.
