Difference between pages "Research Topics" and "File Vault"

From Forensics Wiki
(Difference between pages)
Line 1: Line 1:
; Research Ideas
+
File Vault is the cryptographic file system developed by [http://www.apple.com Apple] and introduced with MacOS 10.3.
  
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.  
+
File Vault works by storing each user's home directory in an encrypted "[[.sparseimage]]" file. The file is automatically mounted when the user logs in and unmounted when the user logs out. All of the user's files and preferences are stored in this file.  The file's encryption key is stored in the .sparseimage file, but that encryption key is itself encrypted with the user's login password.  
  
; Stream Based Disk Forensics.
+
There are no known attacks against File Vault other than a brute force attack on the user's password.
: Process the entire disk with one pass, or at most two, to minimize seek time.
+
  
; Automatically detect falsified digital evidence.
+
As part of the [http://www.apple.com/macosx/features/300.html#security security enhancements] in OS X 10.5 (Leopard) Apple have moved from AES-128 to AES-256 for the encryption used in the disk image.
  
; Detect and diagnose sanitization attempts.
+
=== Links ===
 
+
*You can find a good discussion of File Vault's usability shortcomings in [http://www.simson.net/thesis Simson Garfinkel's PhD Thesis].
 
+
*[http://chaosradio.ccc.de/23c3_m4v_1642.html Unlocking FileVault] Talk at [http://events.ccc.de/congress/2006-static/static/2/3/r/23rd_Chaos_Communication_Congress_7c1f.html 23c3] (video)
==[[AFF]] Enhancement==
+
*[http://chaosradio.ccc.de/23c3_mp3_1642.html Unlocking FileVault] Talk at [http://events.ccc.de/congress/2006-static/static/2/3/r/23rd_Chaos_Communication_Congress_7c1f.html 23c3] (audio)
; Replaceme the AFF "BADFLAG" approach for indicating bad data with a bad sector bitmap.
+
 
+
; Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
+
 
+
; Improve the data recovery features of aimage.
+
 
+
; Replace AFF's current table-of-contents system with one based on B+ Trees.
+
 
+
==Decoders and Validators==
+
; Create a JPEG decompresser that supports restarts and checkpointing for use in high-speed carving.  
+
 
+
==Cell Phones==
+
Develop source tools for:
+
; Imaging the contents of a cell phone memory
+
; Reassembling information in a cell phone memory
+
 
+
 
+
==Corpora Development==
+
===Realistic Corpora===
+
* Simulated disk imags
+
* Simulated network traffic
+
===Real Data===
+
* Digital Cameras
+
* Cell phones
+
* USB Memory Sticks ''below'' the logical layer.
+
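Review bot: the added sentence "There are no known attacks against File Vault other than a brute force attack on the user's password" carries no source or date, while the Links section added in the same revision lists a 23c3 talk titled "Unlocking FileVault". Consider dating the statement and citing that talk beside it so readers can judge whether it still holds. The paragraph before it could also say outright that, because the image key is stored in the .sparseimage file encrypted with the login password, the protection is only as strong as that password.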

Revision as of 04:41, 26 October 2007

File Vault is the cryptographic file system developed by Apple and introduced with Mac OS X 10.3.

File Vault works by storing each user's home directory in an encrypted ".sparseimage" file. The file is automatically mounted when the user logs in and unmounted when the user logs out. All of the user's files and preferences are stored in this file. The file's encryption key is stored in the .sparseimage file, but that encryption key is itself encrypted with the user's login password.

There are no known attacks against File Vault other than a brute-force attack on the user's password.

As part of the security enhancements in OS X 10.5 (Leopard), Apple have moved from AES-128 to AES-256 for the encryption used in the disk image.

Links