

This guide will help you make your OSX Lion / Mountain Lion pretty much forensics-proof.

Meaning that if someone were to steal your computer, he wouldn't be able to find anything useful on it. But all this in a smart way, using Plausible Deniability.

Step 1: Secure your basic Operating System

The default way of protecting your computer with OSX Lion would be to use FileVault, which is disk-encryption software. Unfortunately, this does NOT provide any Plausible Deniability feature (yes, you should go read the Wikipedia article about it to learn what it is).

And there are many cases where you could be compelled to provide your encryption key, with a $5 wrench, or simply by law. Indeed, laws in the UK or in France will get you in jail if you don't provide the password to your encrypted system. And in some other countries like, well ... the US ... there are other ways.

In all cases, your Fifth Amendment right, your right not to testify against yourself or your right to remain silent, might not help you everywhere.

This makes FileVault pretty much useless, unless you're not OK with sharing your data with a thief but very much OK with sharing your data with the government ... Just because, you know ... if you did nothing wrong then you have nothing to hide !!

So what ?

Well, we're quite lucky, there are solutions to this ... There is only one actually (as far as I know), which is the wonderful and very useful software TrueCrypt. There is just a little issue with it: it doesn't really support OSX when it comes to System Encryption. So we have to work around that to use Plausible Deniability on OSX.

First, let's encrypt your disk(s) !!

Here is what I would recommend:

Let's say you have a 500GB disk on your OSX but you only use like 100GB, and everything is in there including your sensitive data. I'm going to assume this is a fresh OSX with no FileVault enabled at all.

  1. Resize that partition using OSX's native Disk Utility to like 250GB (you can do that online, on the running system, and you won't lose any data). This will take a few minutes or more depending on the size.
  2. When 1 is done, select the new second partition and format it using the default options.
  3. When 2 is done, activate FileVault (yes yes, you heard me) on your first partition but do NOT store the key at Apple. Choose a nice long, but easy, passphrase that you will remember (not a password). This will take a few hours.
  4. When 3 is done, go ahead and download TrueCrypt and install it.
  5. When 4 is done, launch TrueCrypt and go encrypt the second 250GB partition (the one you created in step 1) using the hidden volume option and the default options (AES and RIPEMD-160). Use the whole 250GB for the Outer Volume, using the SAME passphrase you used in step 3 (yes yes ... let's not make things too complicated).
  6. When 5 is done, TrueCrypt will ask you to copy stuff onto your Outer Volume. DON'T DO SO yet; just go ahead and create the Hidden Volume within the Outer Volume using like 100GB, again with the default options (AES and RIPEMD-160). This time you'll choose a nice, very long, not easy passphrase that you will remember. This will be your Alamo where you will store your very sensitive data. This is what will protect you.
  7. When 6 is done, check the file system of your newly created TrueCrypt Outer Volume and Hidden Volume. Why? Because sometimes it doesn't do what you want and you'll end up with FAT32 or something, which will limit the size of the files you put on there; that's why in step 6 I told you not to copy things in there YET. So go ahead and first mount the Outer Volume (without protecting the Hidden Volume) and check it's HFS like it should be ... If not, go ahead and format it. Don't format the wrong thing here: you are formatting your Outer Volume, not the whole disk partition, which would erase the TrueCrypt volume you just created and you'd have to re-do steps 5 and 6. Then do the same with your Hidden Volume: check it's HFS and format it if not.
  8. Make sure the two volumes (the hidden and the outer) have the same name. By default it's usually "NO NAME"; you can just rename them by clicking them. Just make sure they have the same name.

The encryption part is DONE.

When you reboot your OSX, you should first be prompted for your FileVault password, which is the first passphrase you created.

Once you're in OSX, you will launch TrueCrypt, mount your 250GB encrypted partition and activate hidden volume protection. You will do so EVERY TIME you mount the Outer Volume, otherwise the data in the Hidden Volume will be messed up (writes to the Outer Volume can overwrite it)...

Secondly, let's protect your OS from some cold boot attacks

Activate the mighty EFI Firmware password, using the tutorial from Apple.

This will actually prevent an attacker from using a FireWire attack to dump your memory. It will also prevent an attacker from booting from some memory-dumping Live CD / USB.

A standard password will do ... there is no need to make a 50-char passphrase here.

This measure won't save you, but it will force an attacker to physically access your RAM to dump it. That takes time, and if you just shut down your computer, there is little chance the attacker will be in time to freeze the RAM and recover any key/password/passphrase from memory.

By now you should have a fully encrypted OSX computer with a nice Firmware Password. Half of your disk is encrypted using FileVault and the other half using TrueCrypt.


Step 2: Secure your Data

Let's move some of your data on the TrueCrypt Volume

We're going to move some of your stuff onto the TrueCrypt Volume.

Most of your application settings are in one hidden folder, namely /Users/"MyUser"/Library/Application Support. Some can also be in /Users/"MyUser"/Library directly.

Let's say you're using Firefox and/or Chrome.

Firefox settings, including history/cache/passwords/everything, will be in /Users/"MyUser"/Library/Application Support/Firefox.

Chrome settings, including ..., will be in /Users/"MyUser"/Library/Application Support/Google/Chrome.

At this point, you should be in your OSX, with no application running (Firefox and/or Chrome) and with your 250GB Outer TrueCrypt volume mounted (the "NO NAME").

  1. In Finder, go to your NO NAME encrypted Outer Volume.
  2. Create a Library folder.
  3. Create an Application Support folder inside the Library folder.
  4. Copy the Firefox and Google/Chrome folders in there.
  5. Then dismount the Outer Volume, mount the Hidden Volume and copy those in there too (repeating steps 2 and 3 on the Hidden Volume).
  6. Then delete the originals.
  7. Dismount the Hidden Volume and re-mount the Outer Volume (with protection for the Hidden Volume).
  8. Open a Terminal and cd into /Users/"MyUser"/Library/Application Support.
  9. Now create symbolic links (shortcuts, Unix style) from the original folder names to the new locations, like this. The paths contain spaces, so quote them; the target must be the Library/Application Support folder you created in steps 2 and 3, and no sudo is needed since this is your own home folder:
       ln -s "/Volumes/NO NAME/Library/Application Support/Firefox" Firefox
       cd Google    (create it first with mkdir Google if you deleted the whole Google folder)
       ln -s "/Volumes/NO NAME/Library/Application Support/Google/Chrome" Chrome
  10. When that's done, just launch Chrome and/or Firefox and they should launch normally, except all the browser data is now on the TrueCrypt Volume and not on the main FileVault Volume anymore.
  11. Now close Firefox and/or Chrome.
  12. Dismount the TrueCrypt Outer Volume.
  13. Mount the TrueCrypt Hidden Volume (the evil secret one where you'll plot World Domination).
  14. Launch Firefox and/or Chrome and again, they should launch normally (if you named the Hidden Volume with the same name as the Outer Volume, so "NO NAME"), except this time ... all the data is in the Hidden Volume.
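The copy / delete / symlink sequence above is easy to get wrong by hand (deleting the original before both volumes have a copy, or linking to a path that only exists on the FileVault disk). Here is the same procedure as a small POSIX shell script, written for this page as an added example; it is not part of the original guide. It assumes the guide's layout: profiles under "$HOME/Library/Application Support", the volume mounted at "/Volumes/NO NAME" with a Library/Application Support folder on it. Run copy_profile once with the Outer Volume mounted and once with the Hidden Volume mounted, then link_profile; link_profile refuses to delete the original unless a copy exists on the volume that is mounted right now.

```sh
#!/bin/sh
# Added example, not from the original guide. Relocates a browser profile folder
# onto the mounted TrueCrypt volume and replaces the original with a symbolic
# link, then verifies the link. Assumed layout: SRC_ROOT is
# "$HOME/Library/Application Support", VOL_ROOT is
# "/Volumes/NO NAME/Library/Application Support", REL_PATH is "Firefox" or "Google/Chrome".

# copy_profile SRC_ROOT VOL_ROOT REL_PATH
# Copies the profile onto whichever volume is mounted now; run it once per volume.
copy_profile() {
    src="$1/$3"; dst="$2/$3"
    # If the volume is not mounted the folder does not exist: refuse, otherwise the
    # "copy" would silently be written onto the FileVault disk under /Volumes.
    [ -d "$2" ] || { echo "volume folder '$2' not found, is the volume mounted?" >&2; return 1; }
    # Only copy a real folder, never an already-created link (cp -R would copy the link itself).
    [ -d "$src" ] && [ ! -L "$src" ] || { echo "no profile folder at '$src'" >&2; return 1; }
    mkdir -p "$(dirname "$dst")" || return 1
    rm -rf "$dst"                 # re-copying replaces the copy on the volume
    cp -Rp "$src" "$dst"          # recursive, keep permissions and timestamps
}

# link_profile SRC_ROOT VOL_ROOT REL_PATH
# Replaces the original folder with a symbolic link to the copy on the volume.
link_profile() {
    src="$1/$3"; dst="$2/$3"
    [ -L "$src" ] && return 0     # already linked, safe to re-run
    # Never delete the only copy: the target must exist on the mounted volume.
    [ -d "$dst" ] || { echo "no copy at '$dst', run copy_profile first" >&2; return 1; }
    rm -rf "$src"
    ln -s "$dst" "$src"
}

# verify_profile SRC_ROOT VOL_ROOT REL_PATH
# Succeeds only if the original path is a link to the volume AND the target exists,
# i.e. a volume (outer or hidden) is currently mounted under that name.
verify_profile() {
    src="$1/$3"
    [ -L "$src" ] || return 1
    [ "$(readlink "$src")" = "$2/$3" ] || return 1
    [ -d "$src" ]
}

# Usage on the guide's layout (hypothetical paths, adjust MyUser):
#   AS="$HOME/Library/Application Support"; V="/Volumes/NO NAME/Library/Application Support"
#   copy_profile "$AS" "$V" Firefox; copy_profile "$AS" "$V" Google/Chrome   # Outer mounted
#   (dismount, mount the Hidden Volume, repeat the two copy_profile calls)
#   link_profile "$AS" "$V" Firefox; link_profile "$AS" "$V" Google/Chrome
#   verify_profile "$AS" "$V" Firefox && echo "Firefox profile lives on the volume"
```

Because both volumes are named "NO NAME", the same link resolves to whichever one is mounted; verify_profile fails when neither is mounted, which is exactly when the browser must not be started. Dismount one volume before mounting the other, otherwise OSX mounts the second one as "NO NAME 1" and the links point at the wrong place.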


Why do this? Why not just leave those on the FileVault disk if this is "not so sensitive"? The answer is simple ... Because depending on the passphrase you give TrueCrypt (which, if you remember, is the ONLY thing that will provide you Plausible Deniability), you'll get the "very sensitive browser" or the "not so sensitive browser".

If you're facing an attacker you can then plausibly give the first passphrase you created earlier and tell him ... There you go ... That's it ... You now have access to my encrypted FileVault disk and access to my encrypted TrueCrypt disk. But secretly, he only sees the TrueCrypt disk with Unicorns and Ponies while the World Domination plans are still on the Hidden Volume.

But we're not done yet ...

Step 3: Clean the trail

You should make it hard for any forensics expert to find anything on your computer. Especially, you should make it hard for them to find traces of sensitive data and traces that this hidden volume exists. Here are a few steps I would do:

  1. Close Chrome and/or Firefox (or any application you moved onto your TrueCrypt volume).
  2. Dismount all TrueCrypt volumes.
  3. Disable syslog. Yes ... this is bad ... I know. Syslog is very useful for troubleshooting. But it's also full of information of any kind that could leak the presence of hidden data. So I'm disabling it. Open a terminal and do:

       cd /System/Library/LaunchDaemons
       sudo launchctl unload -w com.apple.syslogd.plist

  4. Go into Spotlight preferences and make sure you exclude NO NAME from it to prevent it from indexing anything in there (normally this should be the case by default).
  5. Download Onyx from http://www.titanium.free.fr/download.php
  6. Run Onyx and, using the "Cleaning" tab and the "Automation" tab, just clean EVERYTHING (it will ask you to reboot; just do it).
  7. Now if you open the "Console" application, you should see the system log empty and not filling up anymore.
  8. Next step: go to http://www.piriform.com/mac/ccleaner and download the nice CCleaner for Mac (or get it from the App Store). Just clean everything with it like you did with Onyx. But don't erase the free space yet ...
  9. Check for additional logs that might have clues about your hidden stuff, such as hdieject.log. Basically, it's always good to do a big grep in /var/log and its subdirectories to find anything that might relate to your hidden files (and subsequently delete those files).
  10. Once you're done with the CCleaner step above, with all the reboots and everything, proceed to ERASE the free space on your main FileVault partition. So open up Disk Utility again, select your main partition (the FileVaulted one) and proceed to "Erase Free Space"; select some security option (1 pass / 3 pass) and go ahead; this might take a few hours. This should erase any trail of the stuff you moved over to TrueCrypt (especially the stuff you moved to the hidden part). You can also use CCleaner to erase free space !
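The "big grep in /var/log" from step 9 is worth scripting so you can re-run it after Onyx, CCleaner and each reboot and see what the cleaning tools actually left behind. The following POSIX shell functions are an added example written for this page, not part of the original guide: find_traces lists every file under a directory that mentions a string (the volume name "NO NAME" from the guide, or a path on the volume), and list_compressed_logs points out the rotated archives that plain grep cannot see inside. They only report; deleting is still your decision, as in the guide.

```sh
#!/bin/sh
# Added example, not from the original guide. Reports which log files still
# mention a given string; nothing is deleted. Assumed defaults: /var/log and
# the volume name "NO NAME" used throughout the guide.

# find_traces LOG_DIR STRING
# Prints matching file paths, one per line. Returns 0 when nothing mentions
# STRING, 1 when at least one file does (so it can drive an "if").
find_traces() {
    dir="$1"; needle="$2"
    # -r recurse, -l file names only, -i ignore case, -F literal match
    # (a path used as STRING may contain regex metacharacters such as '.').
    matches=$(grep -rliF -- "$needle" "$dir" 2>/dev/null)
    [ -z "$matches" ] && return 0
    printf '%s\n' "$matches"
    return 1
}

# list_compressed_logs LOG_DIR
# Rotated logs are usually compressed (*.gz, *.bz2); grep does not look inside
# them, so they are listed separately for a zgrep / bzgrep pass by hand.
list_compressed_logs() {
    find "$1" -type f \( -name '*.gz' -o -name '*.bz2' \) 2>/dev/null
}

# Usage on the guide's setup (needs sudo to read everything under /var/log):
#   find_traces /var/log "NO NAME" || echo "some logs still mention the volume"
#   list_compressed_logs /var/log
```

Run it with the TrueCrypt volumes dismounted, since an open volume is itself mentioned in mount-related logs; a clean result from find_traces plus an empty list_compressed_logs is the point at which erasing free space (step 10) makes sense.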

Well, now you should have a nicely encrypted OSX system, with Plausible Deniability in place, and no trails of sensitive data left on the FileVault partition. So now if "someone" compels you to give the password, you can just give the first passphrase and it will look like everything has been decrypted.

Step 4: Change your habits

Being paranoid is not easy; it will force you to enter a very long passphrase every time you use your computer. Actually you'll have to enter both passphrases (the hidden and the outer one) every time, all the time, to make sure the hidden data stays protected.

So here are the key points:

  • Always remember to protect the Hidden Volume when opening the Outer Volume (EXCEPT OF COURSE if it's the attacker making you decrypt your system; then you'll ignore the hidden one ...)
  • Never EVER leave your computer unattended and running !!! If you do that, an attacker can take it, keep it running and do a physical cold-boot attack on the RAM (opening your computer while running, freezing the RAM, taking the frozen RAM out, mounting it somewhere else and DUMPING the whole thing including your encryption key). Frozen RAM can keep data for quite a long time.
  • Shut down your computer when you leave it ... Never put it to sleep or hibernate. This will make sure the RAM is powered off and that the data remaining in it is "decaying" properly (it usually takes about 2-3 minutes to vanish).
  • Don't let anyone other than you use your computer (yep, this guide is for paranoid people ...) because they might install something like a keylogger. If it's an attacker and if they're smart, they could also take an image of your disk at several points in time and use that information to guess the presence of a Hidden Volume. Then they could compel you to reveal the passphrase to that one too. The key here is to keep this hidden volume hidden.
  • Don't use Time Machine backups because those are UNENCRYPTED by default.
  • Do use the "not sensitive side", the Outer Volume, every day to prove to an eventual attacker it's not a decoy; it should be what you use every day for normal web usage.
  • Don't talk to anyone about this; they could be compelled to testify against you.
  • Don't write down the sensitive passphrase anywhere (the other one ... it should be OK ... it might even help you look "not so smart" to an attacker, and you can then put on a sad/surprised face).
  • It's VERY IMPORTANT that you READ, UNDERSTAND and APPLY everything here: http://www.truecrypt.org/docs/?s=hidden-volume-precautions


By now you should of course understand why we HAVE to use FileVault AND TrueCrypt to achieve this level of protection (the one with Plausible Deniability). Until maybe some day TrueCrypt also supports pre-boot authentication on Mac computers running OSX. Then we'll be able to have a Hidden Operating System (and a decoy one) exactly like on Windows.