Researchers demonstrate how an encrypted macOS hard drive can still leak unprotected data via the operating system s Finder and QuickLook feature. Apple security expert Patrick Wardle revealed that a macOS feature called QuickLook stores unprotected previews of images and other file types. Both researchers note that this type of unprotected data could be a boon for forensic investigators, attackers, or a government’s prying eyes. The solution is to unmount the encrypted container, then manually clear and delete the QuickLook cache, Wardle wrote.
Source: https://threatpost.com/macos-quicklook-feature-leaks-data-despite-encrypted-drive/132905/