University of California, Santa Cruz
With the launch of Mac OS X 10.7 (Lion), Apple has introduced a volume encryption mechanism known as FileVault 2. Apple only disclosed marketing aspects of the closed-source software, e.g. its use of the AES-XTS tweakable encryption, but a publicly available security evaluation and detailed description was unavailable until now. The authors have performed an extensive analysis of FileVault 2 and they have been able to find all the algorithms and parameters needed to successfully read an encrypted volume. This allows them to perform forensic investigations on encrypted volumes using their own tools.