What is FileVault and its forensic implications?

FileVault is macOS full-disk encryption that protects data at rest by encrypting the entire startup disk and requiring authentication to unlock it at boot. This means the raw disk image you acquire is unreadable without the decryption key, much like BitLocker on Windows. Forensically, the key question becomes: do you have access to the password or recovery key, or can you obtain the key from memory if the system is on? If the device is unlocked, a forensic image can be analyzed like any other disk, and typical artefacts and file content are accessible. If the device is locked or the key isn’t available, data on the disk remains inaccessible, which slows or blocks data acquisition unless volatile memory is captured (where keys may transiently reside) or external backups or escrowed keys are involved. FileVault thus both protects data and adds a hurdle for investigators, makingCredential access and pre-boot authentication critical factors in the forensic process.