
Accidentally formatted mac os extended (journaled, encrypted): any chance to regain data?

Hi there,


I have here an external HD that was formerly password-secured via Disk Utility as Mac OS Extended (Journaled, Encrypted). This HD was accidentally reformatted as Mac OS Extended (Journaled). The former password is known, and the drive has not been touched since reformatting. Is there any way or tool to get the old data back?


Yours,

Tom

Posted on Jun 25, 2013 8:00 AM


Jun 25, 2013 1:58 PM in response to William Lloyd

I hoped that this would become a rather academic discussion, since I also believe that all data is lost forever and I'm also sure that no common mac utility (like Data Rescue) can recover anything since they all mention nothing on their websites about encrypted discs.


Since there is nothing really fancy on the drive, I would like to stick to William's mention of the "wiped key". Is there any chance for the key to survive a reformatting, and how could this be? Can you point to any information about that?


Yours

Tom

Jun 25, 2013 2:06 PM in response to thf

If you did a simple format, all that changed was the file table was erased and replaced with a "clean slate". All of the information is still on the drive (assuming you haven't written new data to it). If you did a zero erase, it's gone.


For a simple erase, FileSalvage or Data Rescue will attempt to recover as much data as either can find. You need a separate drive/partition to save the data to. You cannot choose the same drive you're trying to save data from, for the rather obvious reason.


Because UNIX erases the file table entry of any file or folder you remove, the only way to find erased data is to scour the entire drive for BOF (Beginning Of File) markers and then read the data of each item found to its end marker. This will take a long time.

Jun 25, 2013 3:05 PM in response to Kurt Lang

Again, this is immaterial for an encrypted drive. There is an encryption key that is used to cryptographically scramble ALL the data on the drive. Every single bit of data (aside from the key itself) is scrambled, and there's nothing to find.


So the key is whether the encryption key is still on the disk. This key, which is something like 2048 bytes, must be recovered in its ENTIRETY. If even one bit is out of place, you're completely hosed. Without the key, it is MATHEMATICALLY IMPOSSIBLE to recover the data. When you reformat a disk, it's true that data is not overwritten, but SOME parts of the disk are overwritten, with the file catalog, etc., which maps what files are where. Again, on an encrypted disk, this info is different and not useful. What's key is where the encryption key is stored on the disk, and whether a standard format would erase that location.


Some folks have delved into FileVault 2 technically and published a paper on it if you're curious:


http://eprint.iacr.org/2012/374.pdf


Apple also has a Knowledge Base article on it:


http://support.apple.com/kb/ht4790


What I don't know is whether, given the recovery key (if you stored it with Apple), you can generate the symmetric key that's on-disk and used to encrypt the data. I suspect not.


I really hope you have a backup 😟
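
The marker-based carving described in Kurt Lang's reply, and why it comes up empty on an encrypted volume as William Lloyd says, shown as an added example (not code from any poster or from the recovery tools named here). The sample volume and key are constructed, and `toy_encrypt` is a hypothetical keyed stand-in, not the cipher the real volume encryption uses.

```python
import hashlib
import math

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image: the "BOF marker" a carver scans for
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(raw):
    """Return (start, end) offsets of each SOI..EOI span found in raw bytes."""
    hits, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        pos = end + len(JPEG_EOI)
        hits.append((start, pos))
    return hits

def entropy(raw):
    """Shannon entropy in bits per byte; ciphertext sits close to 8."""
    counts = [0] * 256
    for b in raw:
        counts[b] += 1
    return -sum(c / len(raw) * math.log2(c / len(raw)) for c in counts if c)

def toy_encrypt(raw, key):
    """Stand-in for volume encryption (assumption, NOT the real scheme):
    XOR with a SHA-256 counter keystream. Applying it twice decrypts."""
    out = bytearray()
    for i in range(0, len(raw), 32):
        stream = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(raw[i:i + 32], stream))
    return bytes(out)

def build_sample_volume():
    """Constructed 'disk': two fake JPEGs separated by zero-filled free space."""
    jpeg = JPEG_SOI + b"\xe0" + b"constructed image payload " * 40 + JPEG_EOI
    gap = b"\x00" * 4096
    return gap + jpeg + gap + jpeg + gap

if __name__ == "__main__":
    plain = build_sample_volume()
    cipher = toy_encrypt(plain, b"constructed-key")
    for name, data in (("plaintext", plain), ("encrypted", cipher)):
        print(name, "carved:", carve_jpegs(data),
              "entropy: %.2f bits/byte" % entropy(data))
    # Only the exact key brings the markers back; any other key yields noise.
    print("right key:", len(carve_jpegs(toy_encrypt(cipher, b"constructed-key"))))
    print("wrong key:", len(carve_jpegs(toy_encrypt(cipher, b"wrong-key"))))
```
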

Aug 26, 2013 4:14 AM in response to thf

Too bad, man... I actually still had a bit of hope of rescuing my files, 'cause I had tried some file recovery software like Data Rescue 3 and it was able to recover all my files, great! Except that they won't open 😐


It says that the file is corrupted. I was hoping that the "corrupted" file was actually encrypted, so I tried to decrypt them with AES Crypt but without success...


I renamed the file from "photo.jpg" to "photo.jpg.aes" and inputted my old password, but it won't even try to decrypt; it throws an error like "wrong file header". As a last and crazy try, I encrypted another file that I had and opened the encrypted file in Text Wrangler to see that there was actually a header in the file like "AES Cryput bla bla bla", so I copied this header and pasted it in the corrupted file, just to get a different error...


Yeah, I know that the encryption key is different from the password that I had, and that this key is lost in space, but I'm a crazy fool... 😝


Oh, one more thing, Data Rescue 3 did a crazy, impressive and scary thing: despite recovering all the file structure, it was also able to recover some photos that were on the encrypted drive, and those photos opened just fine... Apparently it recovered all the high resolution photos (5MB+) that were on the disk and some low resolution photos.... 😕


So... duck! This encrypting system apparently is not safe, ducked up my files and left some files unsecured...

Aug 27, 2013 5:41 AM in response to anderson.post

That your header trick didn't work is quite obvious since the hard-disk-encryption is not a per-file-encryption.


I saw nothing when I checked the disk with Data Rescue. Are you sure that the files were on a clean encrypted drive? Or is it possible that Data Rescue found old data from a previously unencrypted state of the HD? When you applied the encrypted volume via a quick repartitioning/erasing, I assume that the stuff you've found was old data.

Aug 27, 2013 9:41 AM in response to thf

nope... the disk was encrypted since brand new.


Actually, the files were in an encrypted image inside the encrypted disk. Double security, beeatch! 😎


Or not so secure: like two minuses make a plus, the files that were supposed to be more secure were actually unsecured... 😮


Lucky for me the Russians were unable to pass the sharks with lasers and steal my disk...
