-
Notifications
You must be signed in to change notification settings - Fork 33
Home
Joachim Metz edited this page Jul 15, 2022
·
8 revisions
libfvde is a library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion (10.7), to encrypt data on a storage media volume.
Project information:
- Status: experimental
- Licence: LGPLv3+
Supported Core Storage / FileVault2 implementations:
- Mac OS X Lion (10.7)
- Mac OS X Mountain Lion (10.8)
- Mac OS X Mavericks (10.9)
- Mac OS X Yosemite (10.10)
- Mac OS X El Capitan (10.11)
- macOS Sierra (10.12)
- macOS High Sierra (10.13)
- macOS Mojave (10.14)
- macOS Catalina (10.15)
Supported encryption volume types:
- removable media volume - with encrypted context (initial support as of 20121113 version)
- system volume
- multiple logical volumes
Supported protection methods:
- password
- recovery password
- VMK key data (as of 20121114 version)
Unsupported Core Storage format features:
- multiple physical volumes
Also see:
- VileFault; for accessing FileVault encrypted disk images (or user directories)
- Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption
- Security Analysis and Decryption of FileVault 2
If you find this project useful please cite the following paper in your publications:
Omar Choudary, Felix Grobert and Joachim Metz. "Security Analysis and Decryption of Filevault 2", in Advances in Digital Forensics IX, IFIP Advances in Information and Communication Technology 410, 2013, pp 349-363.
Work in progress:
- DEFLATE compressed XML plist
- removable media volume - without encrypted context
- removable media volume - decrypted
- extend CoreStorage volume support
- partial encrypted volumes
Planned:
- Dokan support
For more information see: