        Advisory Name: FileVault Leaves Unencrypted Home Data Behind         Release Date: 2003 November 6     Affected Product: Mac OS X 10.3 Build 7B85               Impact: Unencrypted Data Left Behind                Where: Local System               Author: CodeSamurai (codesamurai@mac.com)          ## OVERVIEW ##It is possible to recover the remnant data of a home folder to which FileVault has been enabled.  In other words, FileVault doesn't clean up 
after itself (securely).## DETAILS ##Most would assume, that by enabling FileVault on their home folder, that it 
"protects all the info in your home folder from prying eyes"[1] as stated 
on Apple's web site.  And granted, this is true of the data which is in 
FileVault; however, the security in regards to the process of enabling 
FileVault on an existing home folder leaves a little to be desired; as the 
data before FileVault is enabled is insecurity left behind in the hard 
drive's free space.FileVault itself is an AES-128 encrypted disk image, and when it's enabled 
on a home folder, that home folder's contents are copied to the disk image 
and securely stored there; but when the original home folder is erased, it 
is done so without doing a secure erasure.  This means that file recovery 
programs will be able to recover some, if not most, of that user's home 
directory data in the condition it was before the transfer to FileVault.  
So, the data is left behind, unencrypted, with the user under the false 
impression that that data is now only located in secure containment of 
FileVault.## RECOMMENDATIONS ##To resolve this, one could use a program to securely wipe the free space of 
their hard disk; or, if they're doing a fresh install of Panther, to copy 
their backups back over to their hard drive after FileVault has been 
enabled.  (The latter of which is stated under the assumption that the user 
is installing Panther on a new hard drive or that the drive has already 
been written over with zeros via Apple's Disk Utility or securely erased 
otherwise; because, for obvious reasons, the data of the previous 
installation will be still left behind in the hard drive's free space 
anyway.)## CITE AND RELATED LINKS ##[1] http://www.apple.com/macosx/features/filevault/http://www.apple.com/macosx/features/security/