Mac OS X stores user login passwords in system memory even if the computer is locked or put into a sleep mode.
The vulnerability is present in all modern versions of Mac OS X, including Mac OS X 10.6 Snow Leopard and Mac OS X 10.7 Lion.
This enables Passware Kit Forensic 11 to capture live Mac computer memory over FireWire and analyzes it, extracting these passwords.
The process takes a few minutes, regardless of the password strength and use of FileVault encryption.
The security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the “Automatic Login” setting. This way, passwords will not be present in memory and cannot be recovered.
Passware Kit Forensic provides immediate password recovery for any protected file detected on a PC or over the network while scanning, revealing hidden and protected data files on a suspect’s computer.
This tool, complete with FireWire memory imaging module, is the first and only commercial software that decrypts BitLocker and TrueCrypt hard disks, and instantly recovers or bypasses Mac and Windows login passwords of seized computers.