Data recovery from Apple FileVault / Encrypted Disk Images

I had a message a few weeks ago from a random guy from Italy, who had found a post of mine about rewriting GPT tables on OSX, and wondered if I could help him recover data from an encrypted disk image that had screwed up when he tried to resize it, and that said no valid partitions when he mounted it. That was an exciting exercise. Fortunately it’s easy to make a master copy, in case you screw it up.

First problem: If OSX fails to find any filesystems after attaching an encrypted disk image, it detaches them. Solution to that is to run it from the command line – “hdiutil attach /path/to/file -nomount”

Peering in with gdisk, it was clear there wasn’t a partition there. We then tried recreating the GPT, by using the metadata to create an identical image, and then create the correct partitions at the correct offsets. That didn’t work, unfortunately, but it was fun to try.

Eventually we left the image attached without attempting to mount filesystems, and he was able to use photorec to recover most of the files out of there. So it wasn’t perfect, but it worked in the end – it was a fun challenge, and troubleshooting this over Facebook Messenger added to it.

If you go to enough effort to find me on Facebook, and you’re half way to a solution, I’m sometimes up for one.

alex

Leave a Reply

Your email address will not be published. Required fields are marked *