How to make sector level copy of external hard drive with FileVault 2 enabled?
How do I make a "sector level" copy of a 4TB external hard drive that contains FileVault 2-encrypted partitions? The hard drive has three partitions each encrypted using FileVault 2. I have all three of the FileVault keys if it matters. In case I'm using the wrong term, by "sector level" I mean an exact copy of the drive bit for bit including deleted information.
For background - I am working to recover some photos. I want to recover a subfolder and files contained within using data recovery software. When I run a scan using disk recovery software on my external drive I'm told I get erroneous results because FileVault 2 is on. I had used the partition cloning feature contained within the data recovery software I am using but am told by the software company who makes it that it won't work accurately with FileVault drives/partitions. An independent data recovery professional told me I need to first make a sector level copy of the external drive, then decrypt that copy, then run the scan with the data recovery software to see correct results.
Thank you for your assistance!
P.S. Adding specific drive info. /dev/disk6/ is input disk (4 TB with the 3 FileVault 2 partitions) and /dev/disk3 is output disk (labelled 4-output which is a blank 4TB) (FYI: disk2, disk4, and disk5 are within the same JBOD now which I'll unmount other disks or physically pull when I do DD to be safe).
Mikes-MacBook-Pro-3:~ mikej$ diskutil list
/dev/disk0 (internal, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *251.0 GB disk0
1: EFI EFI 209.7 MB disk0s1
2: Apple_CoreStorage Mike HD 250.1 GB disk0s2
3: Apple_Boot Recovery HD 650.1 MB disk0s3
/dev/disk1 (internal, virtual):
#: TYPE NAME SIZE IDENTIFIER
0: Apple_HFS Mike HD +249.8 GB disk1
Logical Volume on disk0s2
6E587EBB-2506-41F2-85D2-8F6997BF22D6
Unlocked Encrypted
/dev/disk2 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *4.0 TB disk2
1: EFI EFI 209.7 MB disk2s1
2: Apple_HFS 2a-MirrorIncremental 4.0 TB disk2s2
/dev/disk3 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *4.0 TB disk3
1: EFI EFI 209.7 MB disk3s1
2: Apple_HFS 4-output 4.0 TB disk3s2
/dev/disk4 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *4.0 TB disk4
1: EFI EFI 209.7 MB disk4s1
2: Apple_HFS 1-MasterStorage 4.0 TB disk4s2
/dev/disk5 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *4.0 TB disk5
1: EFI EFI 209.7 MB disk5s1
2: Apple_HFS 3-scratch 4.0 TB disk5s2
/dev/disk6 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *4.0 TB disk6
1: EFI EFI 314.6 MB disk6s1
2: Apple_CoreStorage Clone 1.0 TB disk6s2
3: Apple_Boot Boot OS X 134.2 MB disk6s3
4: Apple_CoreStorage MJTimeMachine 499.8 GB disk6s4
5: Apple_Boot Boot OS X 134.2 MB disk6s5
6: Apple_CoreStorage Media 2.5 TB disk6s6
7: Apple_Boot Boot OS X 134.2 MB disk6s7
/dev/disk7 (external, virtual):
#: TYPE NAME SIZE IDENTIFIER
0: Apple_HFS MJTimeMachine +499.4 GB disk7
Logical Volume on disk6s4
268E67C3-6199-4E50-99FA-E85322903D95
Unlocked Encrypted
/dev/disk8 (external, virtual):
#: TYPE NAME SIZE IDENTIFIER
0: Apple_HFSX CloneMikeHD +1000.0 GB disk8
Logical Volume on disk6s2
DAA42A81-D781-4B45-A516-0342CB137788
Unlocked Encrypted
/dev/disk9 (external, virtual):
#: TYPE NAME SIZE IDENTIFIER
0: Apple_HFSX Media +2.5 TB disk9
Logical Volume on disk6s6
BE5B9EBC-6DCB-49C5-B055-B00C49864795
Unlocked Encrypted
Mikes-MacBook-Pro-3:~ mikej$ sudo gpt -r show disk3
Password:
start size index contents
0 1 PMBR
1 1 Pri GPT header
2 32 Pri GPT table
34 6
40 409600 1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
409640 7813365344 2 GPT part - 48465300-0000-11AA-AA11-00306543ECAC
7813774984 262151
7814037135 32 Sec GPT table
7814037167 1 Sec GPT header
Mikes-MacBook-Pro-3:~ mikej$ sudo gpt -r show disk6
start size index contents
0 1 PMBR
1 1 Pri GPT header
2 4 Pri GPT table
6 76800 1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
76806 244231258 2 GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
244308064 32768 3 GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
244340832 122021070 4 GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
366361902 32768 5 GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
366394670 610318797 6 GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
976713467 32768 7 GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
976746235 4 Sec GPT table
976746239 1 Sec GPT header
Solution 1:
At least Carbon Copy Cloner is just a wrapper for either dd or rsync. I suspect that it's the same with SuperDuper!.
Since both tools (of which rsync is not needed here) are already included in OS X you don't have to buy it.
To clone one drive to another you have to prepare the source and the target drive.
Most sizes and commands containing sizes, disk identifiers or paths etc. below are just examples. You have to replace them by respective values found in your set up/listings.
- Mark the source drive with a red sticker, if the source and target drive have identical cases!
- Attach both drives but don't mount the encrypted FileVault volume. If it is already mounted, unmount it. Detach all other external drives.
- Open Terminal and enter diskutil list to get an overview. You will get a list of all attached drives (similar to this one - your output may slightly differ):
      /dev/disk0
      #: TYPE NAME SIZE IDENTIFIER
      0: GUID_partition_scheme *121.3 GB disk0
      1: EFI EFI 209.7 MB disk0s1
      2: Apple_CoreStorage 121.0 GB disk0s2
      3: Apple_Boot Boot OS X 134.2 MB disk0s3
      /dev/disk1
      #: TYPE NAME SIZE IDENTIFIER
      0: GUID_partition_scheme *3.0 TB disk1
      1: EFI EFI 209.7 MB disk1s1
      2: Apple_CoreStorage 3.0 TB disk1s2
      3: Apple_Boot Recovery HD 650.0 MB disk1s3
      /dev/disk2
      #: TYPE NAME SIZE IDENTIFIER
      0: Apple_HFS Macintosh HD *3.1 TB disk2
      /dev/disk3
      #: TYPE NAME SIZE IDENTIFIER
      0: GUID_partition_scheme *4.0 TB disk3
      1: EFI EFI 314.6 MB disk3s1
      2: Apple_CoreStorage Encrypted 4.0 TB disk3s2
      3: Apple_Boot Boot OS X 134.2 MB disk3s3
      /dev/disk4
      #: TYPE NAME SIZE IDENTIFIER
      0: GUID_partition_scheme *4.0 TB disk4
      1: EFI EFI 314.6 MB disk4s1
      2: Apple_HFS Data 4.0 TB disk4s2
  Now you have to analyze the output. Here disk0 and disk1 are a 3.1 TB Fusion drive with the CoreStorage volume mounted as disk2. Disk3 is obviously the encrypted disk with deleted data which should be cloned. Disk4 is a spare drive and the target of the clone task. Disk4 has to have at least the same size as disk3! Check this with diskutil info disk3 and diskutil info disk4.
  Below I assume disk3 is the source and disk4 is the target of the clone task. Your disk identifiers may be different (e.g. disk2 and disk3)
- Check the device block sizes with
      diskutil info disk3 | grep "Device Block Size:"
      diskutil info disk4 | grep "Device Block Size:"
  Usually the Device Block Size of ≥4 TB drives is 4096 Bytes. If the block sizes of disk3 and 4 are equal you are fine.
- Now get the partition tables of the external drives with sudo gpt -r show diskX. The output should be similar to the one below:
      sudo gpt -r show disk3
      start size index contents
      0 1 PMBR
      1 1 Pri GPT header
      2 4 Pri GPT table
      6 76800 1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
      76806 976636661 2 GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
      976713467 32768 3 GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
      976746235 4 Sec GPT table
      976746239 1 Sec GPT header

      sudo gpt -r show disk4
      start size index contents
      0 1 PMBR
      1 1 Pri GPT header
      2 4 Pri GPT table
      6 76800 1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
      76806 976636711 2 GPT part - 48465300-0000-11AA-AA11-00306543ECAC
      976713517 32768
      976746285 4 Sec GPT table
      976746289 1 Sec GPT header
  Start and size values are block numbers or blocks. Block numbering starts at block 0! In my example disk4 is slightly bigger (50 blocks) than disk3.
First you have to create identical "mirror" partition entries on disk4 (with the same values as those on disk3).
- Unmount the target drive:
      diskutil umountDisk disk4
- Destroy and recreate the GUID partition table (and/or remove an MBR partition table) of the target drive:
      sudo gpt destroy disk4
      sudo gpt create -f disk4
- Get an overview of disk4 with sudo gpt -r show disk4. It should look like this:
      start size index contents
      0 1 PMBR
      1 1 Pri GPT header
      2 4 Pri GPT table
      6 976746279
      976746285 4 Sec GPT table
      976746289 1 Sec GPT header
- Now recreate the first two partitions of disk 3 with the values of disk3 on disk4:
      sudo gpt add -i 1 -b 6 -s 76800 -t C12A7328-F81F-11D2-BA4B-00A0C93EC93B disk4
      sudo gpt add -i 2 -b 76806 -s 976636661 -t 53746F72-6167-11AA-AA11-00306543ECAC disk4
  This will only modify the GUID partition table (the first 6 and the last 5 blocks) of disk4.
- Recheck the partition table of disk4 with sudo gpt -r show disk4. It should look like this now:
      start size index contents
      0 1 PMBR
      1 1 Pri GPT header
      2 4 Pri GPT table
      6 76800 1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
      76806 976636661 2 GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
      976713467 32818
      976746285 4 Sec GPT table
      976746289 1 Sec GPT header
- Now clone the content of disk3s1 and disk3s2 to disk4s1 and disk4s2:
      sudo dd if=/dev/disk3s1 of=/dev/disk4s1 bs=1m
      sudo dd if=/dev/disk3s2 of=/dev/disk4s2 bs=1m
  Clone disk3s3 to a file:
      sudo dd if=/dev/disk3s3 of=/Users/user_name/Desktop/bootosx.cdr bs=1m
  Replace user_name by your short user name.
  Cloning the first partition (300 MiB) is fast (~3.5 seconds). Cloning the second partition (4 TB) will take about 11 hours (USB3/Thunderbolt) or 30-50 hours (USB2).
- Unmount the source drive:
      diskutil umountDisk disk3
  and detach it. Check if the target drive still is disk4:
      diskutil list
- Add the third partition on disk4:
      sudo gpt add -i 3 -b 976713467 -s 32768 -t 426F6F74-0000-11AA-AA11-00306543ECAC disk4
- Clone bootosx.cdr to disk4s3:
      sudo dd if=/Users/user_name/Desktop/bootosx.cdr of=/dev/disk4s3 bs=1m
After the cloning to the last partition on the target disk is done, you should be asked for the FileVault password.
Don't attach the source and the target drive at the same time on one Mac. They have identical UUIDs for the LVG/PV/LVF/LV (the CoreStorage Volume Group containing the FileVault container) and I don't know if and how they "coexist".
Adaption to the actual set up of the OP
The target disk (disk3) has a different Device Block Size (512 Byte). The source disk has several FileVault 2 volumes.
Under these circumstances some partition table values of the target disk (disk3) have to be adjusted and only one of the CoreStorage partitions has to be cloned with dd.
- Unmount the target drive:
      diskutil umountDisk disk3
- Destroy and recreate the GUID partition table (and/or remove an MBR partition table) of the target drive:
      sudo gpt destroy disk3
      sudo gpt create -f disk3
- Get an overview of disk3 with sudo gpt -r show disk3. It should look like this:
      start size index contents
      0 1 PMBR
      1 1 Pri GPT header
      2 32 Pri GPT table
      34 7814037101
      7814037135 32 Sec GPT table
      7814037167 1 Sec GPT header
- Now recreate the first and the sixth partition of disk 6 with modified values on disk3. Since the Device Block Sizes of the two disks are different you have to recalculate start blocks and sizes (usually by multiplying with 8):
      sudo gpt add -i 1 -b 40 -s 614400 -t C12A7328-F81F-11D2-BA4B-00A0C93EC93B disk3
      sudo gpt add -i 2 -b 614440 -s 4882550376 -t 53746F72-6167-11AA-AA11-00306543ECAC disk3
  This will only modify the GUID partition table of disk3.
- Recheck the partition table of disk3 with sudo gpt -r show disk3. It should look like this now:
      start size index contents
      0 1 PMBR
      1 1 Pri GPT header
      2 32 Pri GPT table
      34 40
      40 614400 1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
      614440 4882550376 2 GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
      4883164816 2930872319
      7814037135 32 Sec GPT table
      7814037167 1 Sec GPT header
- Now clone the content of disk6s1 and disk6s6 to disk3s1 and disk3s2:
      sudo dd if=/dev/disk6s1 of=/dev/disk3s1 bs=1m
      sudo dd if=/dev/disk6s6 of=/dev/disk3s2 bs=1m
  Clone disk6s7 to a file:
      sudo dd if=/dev/disk6s7 of=/Users/user_name/Desktop/bootosx.cdr bs=1m
  Replace user_name by your short user name.
  Cloning the first partition (300 MiB) is fast (~3.5 seconds). Cloning the FileVault partition (2.5 TB) will take about 7 hours (USB3/Thunderbolt) or 20-35 hours (USB2).
- Unmount the source drive:
      diskutil umountDisk disk6
  and detach it. Check if the target drive still is disk3:
      diskutil list
- Add the third partition on disk3:
      sudo gpt add -i 3 -b 4883164816 -s 262144 -t 426F6F74-0000-11AA-AA11-00306543ECAC disk3
- Clone bootosx.cdr to disk3s3:
      sudo dd if=/Users/user_name/Desktop/bootosx.cdr of=/dev/disk3s3 bs=1m
- After the cloning to the last partition on the target disk is done, you should be asked for the FileVault password.
- If you don't get a password prompt, you can mount it by entering diskutil cs list and diskutil cs unlockVolume LVUUID (with LVUUID: UUID of the encrypted CoreStorage volume - in your case probably BE5B9EBC-6DCB-49C5-B055-B00C49864795)
Please add a comment (with @klanomath) if you don't get a password prompt or run into problems.
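The block-size recalculation in the answer above (sizes multiplied by 8 when going from a 4096-byte source to a 512-byte target) can be scripted and checked against the free space of the target before anything is written. This is an added example, not part of the original answer: the function names rescale and plan_gpt are hypothetical, and rounding each start up to a 4096-byte boundary is an assumption that reproduces the answer's start block 40. It only prints the gpt add commands.

```shell
#!/bin/sh
# Added example (not from the original answer). Prints `gpt add` commands for
# review; nothing is executed. Function names are hypothetical.

# rescale BLOCKS SRC_BS DST_BS: convert a block count between block sizes.
rescale() (
  bytes=$(( $1 * $2 ))
  if [ $(( bytes % $3 )) -ne 0 ]; then
    echo "size $1 is not a whole number of $3-byte blocks" >&2
    return 1
  fi
  echo $(( bytes / $3 ))
)

# plan_gpt DISK SRC_BS DST_BS FREE_START FREE_LEN SIZE:TYPE [SIZE:TYPE ...]
# FREE_START and FREE_LEN describe the empty region that `gpt -r show` reports
# on the freshly created target table (in target blocks); SIZE is the
# partition size in source blocks, TYPE its GPT type GUID.
plan_gpt() (
  disk=$1 src_bs=$2 dst_bs=$3 start=$4 limit=$(( $4 + $5 ))
  shift 5
  # Assumption: keep every partition start on a 4096-byte boundary.
  align=$(( dst_bs < 4096 ? 4096 / dst_bs : 1 ))
  index=1
  for part in "$@"; do
    start=$(( (start + align - 1) / align * align ))
    size=$(rescale "${part%%:*}" "$src_bs" "$dst_bs") || return 1
    if [ $(( start + size )) -gt "$limit" ]; then
      echo "partition $index does not fit on $disk" >&2
      return 1
    fi
    echo "sudo gpt add -i $index -b $start -s $size -t ${part#*:} $disk"
    start=$(( start + size ))
    index=$(( index + 1 ))
  done
)

# Values from the page: disk6s1, disk6s6 and disk6s7 (4096-byte blocks)
# planned onto the empty disk3 (512-byte blocks, free region 34 + 7814037101).
plan_gpt disk3 4096 512 34 7814037101 \
  76800:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
  610318797:53746F72-6167-11AA-AA11-00306543ECAC \
  32768:426F6F74-0000-11AA-AA11-00306543ECAC
```

The third printed command corresponds to the partition the answer adds only after the source drive has been detached.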
Solution 2:
I suggest using Carbon Copy Cloner, as I have for years. It can duplicate any volume, even if it is a bootable HDD and FileVault 2 protected, however it costs around $50. There is also Shirt Pocket's SuperDuper, that costs $39.55.