Recover deleted Encrypted OS X Extended volume

macos partition hard-drive data-recovery encryption

Solution 1:

Under certain circumstances a deleted external HFS+ encrypted volume can be recovered after the disk has been formatted to a FAT32 volume:

  • The whole disk has been encrypted (to one volume).
  • The whole disk has been formatted to one FAT32 volume. The GUID partition table has not been replaced by an MBR. The disk still has an MBR (instead of a PMBR) though.
  • Some internal invisible CoreStorage data structures mustn't be overwritten.
    • the CoreStorage volume header structure at the (previous) volume block 0 (= disk block 409640)
    • a second block at the (previous) volume block 8 (= disk block 409648)
    • an encrypted metadata block starting at the 577456th last block and ending at the 573360th last block (size 4096 blocks)
    • several Disk Label metadata items in the last 16392 blocks of the (previous) volume

If nothing has been written to the FAT32 volume those parts shouldn't be overwritten.

To recover the encrypted volume you have to use Terminal and do some math.

  1. Detach any external drive except the mal-formatted one

  2. Open Terminal and enter:

    diskutil list

    to get an overview and the disk identifier of the external disk. Below I assume the disk identifier is disk1

  3. Make a backup of the whole disk with sudo dd if=/dev/disk1 of=/Volumes/BackupVolume_Name/disk1.bin just in case something goes wrong or for a future with advanced recovery tools.

  4. Now get the partition table of the disk with:

    sudo gpt -r show /dev/disk1

    You should get a similar result as this one:

          start       size  index  contents
          0          1         MBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6         
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640       2008         
     411648  133804032      2  GPT part - EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
  134215680       2015         
  134217695         32         Sec GPT table
  134217727          1         Sec GPT header

    The first partition is the EFI volume, the second the FAT32 volume of the external disk. Your partition 2 is much larger than the one in the example though.

    Even if you get a different output with no GUID partition table but only an MBR 

          start       size index   contents
          0          1         MBR 
          1          1 
          2  134217726     1   MBR part 11

    you can continue: encrypting a disk with FileVault requires a GUID partition table - so your disk previously had one. The probability to recover a FAT volume on a disk with a MBR seems to be much lower though. Apparently parts (namely some metadata and volume headers) may be overwritten by FAT32 file system stuff.

    The same disk containing an encrypted external HFS+ volume should look like this:

          start       size  index  contents
          0          1         PMBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6         
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640  133545904      2  GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
  133955544     262144      3  GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
  134217688          7         
  134217695         32         Sec GPT table
  134217727          1         Sec GPT header

    The first partition is the EFI partition with a fixed size and start block, the third one is an Apple_Boot partition with a fixed size and start block relative to the last block of the disk and the remaining disk space allocated to the encrypted Core Storage Logical Group. All partitions are aligned to the physical block size of the disk (4096 Bytes).

  5. To restore the old partition table you have to unmount the disk, delete the actual partition table and do some math to create a new one:

    diskutil umountDisk /dev/disk1
sudo gpt destroy /dev/disk1
diskutil umountDisk /dev/disk1
sudo gpt create -f /dev/disk1
gpt add -b 40 -i 1 -s 409600 -t C12A7328-F81F-11D2-BA4B-00A0C93EC93B disk1

  6. Now get the last block number of your disk (in my example that's 134217727) and substract 262183: LastBlockNumber-262183 is the start block of the 3rd partition (Apple_Boot). Add this partition with:

    gpt add -b LastBlockNumber-262183 -i 3 -s 262144 -t 426F6F74-0000-11AA-AA11-00306543ECAC disk1

  7. Check the size of the unallocated disk space between partition 1 and partition 3 with:

    sudo gpt -r show /dev/disk1

  8. The size of unallocated disk space (UnAlloc) between index 1 and index 3 is probably the size of the old encrypted volume. The size has to be divisible by 8 - please check this! Add this as a partition with:

    gpt add -b 409640 -i 2 -s UnAlloc -t 53746F72-6167-11AA-AA11-00306543ECAC disk1 #with UnAlloc= size of unallocated disk space found above

  9. After entering the last command you should be asked for password of the encrypted disk. if not then try:

    diskutil cs list

    to get a list of CoreStorage items. Try to mount the encrypted volume with:

    diskutil cs unlockVolume LVUUID

    with LVUUID: the UUID of the encrypted Logical Volume (usually the last one listed). If your main volume is also encrypted choose the proper LVUUID!

    If the volume mounts successfully save the most important files and folders to an external volume because mounting the encrypted volume doesn' t necessarily mean that the volume isn't corrupted.

    Unmount the volume and run diskutil verifyDisk /dev/disk1 and diskutil repairDisk /dev/disk1. The last command may completely corrupt the disk!

This might still fail. The encrypted volume may still be recoverable though. But then I need more information, because special (invisible) non-file system items have to been read directly from disk with a HexEditor and then restored/replaced.

Solution 2:

I followed Klanomath's reply above to successfully recover my Macintosh HD. I had tried to resize it from ubuntu (Bootcamp) and completely stopped seeing my Macintosh HD partition. I had tried several posts and tools to write and rewrite partition tables without success and was about to give up. I followed the steps #5 to #8 from the post.

I did # 5 and assumed that my EFI would've started at 40 and had the same size 409600. The following screenshot from stellar recovery showed advanced volume starting at 40 so it gave me some hope that my EFI at least started at the same sector. enter image description here Result from my machine:

 diskutil umountDisk /dev/disk4
Unmount of all volumes on disk4 was successful
 sudo gpt destroy /dev/disk4
 diskutil umountDisk /dev/disk4
Unmount of all volumes on disk4 was successful
 sudo gpt create -f /dev/disk4
 gpt add -b 40 -i 1 -s 409600 -t C12A7328-F81F-11D2-BA4B-00A0C93EC93B disk4
disk4s1 added

For #6, here was the output from my machine:

$ sudo gpt -r show /dev/disk4
Password:
      start       size  index  contents
          0          1         PMBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640  976695387
  977105027         32         Sec GPT table
  977105059          1         Sec GPT header

I had the last block of my hard disk (977105059), now what should be my third (last) partition whose size I should subtract from the end? (I remembered that I used to have a Recovery disk, a ubuntu disk in addition to the Macintosh HD. Also, testdisk had showed me dozens of lost recovery partition, which I guessed based on their sizes, but I couldn't pick between them). So I referred to the above screenshot again (stellar recovery). At this point I have seen and know that a mac Recovery HD is about 600ish MB so I have a few candidates from above screenshot. According to this post, the starting sector needs to be able to completely dividable by 8, which only worked for 'Lost Volume 6' from the screenshot.

So that gave me the starting sector (975835488) but what about the size? Well, from a few screenshots from a couple days ago of testdisk scan results (which showed me dozens of lost recovery disk partitions) I had noticed that though all of their starting sectors were different, their sizes were the same i.e. 1269536 (see screenshot below). This gave me confidence that this was the right size (in sectors) for a mac Recovery HD. enter image description here So I ran the following command (using Starting sector:975835488, Size in sectors:1269536)

gpt add -b 975835488 -i 3 -s 1269536 -t 426F6F74-0000-11AA-AA11-00306543ECAC disk4
disk4s3 added

For #7, to show the most recent status of 'gpt -r show':

$ sudo gpt -r show /dev/disk4
Password:
      start       size  index  contents
          0          1         PMBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640  975425848
  975835488    1269536      3  GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
  977105024          3
  977105027         32         Sec GPT table
  977105059          1         Sec GPT header

At this point I was like, "Oh okay, so my partition table looks slightly similar to the guy's in the post, but that's obviously not gonna do anything".

It was about 2 AM at that point and I just want to go through all the steps to discard yet another post because 'I tried that too'. So I'm kinda rushing through it still trying to get the numbers right.

So now for #8, from my last screenshot, 975425848 is the size, and 409640 is the starting sector for my partition that's supposed to be in the middle (aka. Macintosh HD). So I go ahead, still without much hope, and execute the following command:

gpt add -b 409640 -i 2 -s UnAlloc -t 53746F72-6167-11AA-AA11-00306543ECAC disk4
usage: gpt add [-b lba] [-i index] [-s lba] [-t uuid] device ...

oops, I actually have to write the size in place of 'UnAlloc'. I missed this from the guy's comments: with UnAlloc= size of unallocated disk space found above

second try:

gpt add -b 409640 -i 2 -s 975425848 -t 53746F72-6167-11AA-AA11-00306543ECAC disk4
disk4s2 added

This time the command took a couple of seconds to produce an output which got my heart racing. As soon as it produced the result (disk4s2 added) it asked me for a password for my "Macintosh HD" and I am jumping in my seat as I input the password that I can remember and voila, the disk shows up and so does all my data!!

After 4 full days of effort and freakout that I had lost all my work and my photo library, I couldn't believe it worked. Thank you, klanomath. Thank you, God.

p.s. I did all this on another mac with the original mac connected to it via thunderbolt in target disk mode. The Stellar Recovery software was executed on the mac too while test disk results were from a ubuntu live cd on the original mac (though I'm sure I could've ran testdisk on the second mac too albeit slower)

Related

Unable to boot up my Mac. Getting a flashing folder with a question mark
Retrieve Voice Memos from device?
Completely synchronise multiple Macs
Will an iOS reinstall make a jailbroken iOS device "unjailbroken" and “supported by Apple” again?
How can I watch a side-by-side 3D video in 2D?
Check DVD region code from command line
How to remove the message "This copy of Windows is not genuine" (build 7601)
Formula for time calculation within one cell
Converting TXT to CSV with a complex custom delimiter
Windows 10 restarts suddenly without any prompt - lpksetup
After a while downloading torrents my network card stops working properly
Wifi connection drops when using torrent clients