Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Anyway to undo/recreate 'diskutil cs delete' without losing the data? Deleted my ColdStorage group

C

crewxp2

macrumors newbie
Original poster
Aug 16, 2019
5
0
I screwed up. My Disk Adapter broke in my macbook pro, so I hooked it up to a usb adapter. It still didnt boot into the OS. I was trying to recover data from it and it kept asking for my password. I didnt think I set one, I just logged in using my apple id.

Without knowing what I was doing...

I typed: diskutil cs delete Macintosh HD

in Terminal hoping it that it would let me access the data by plugging it into Windows, but I just made it worse. Now Internet Recovery doesnt see my time machine backups on my drive, allow me to reinstall the OS, or unlock the drive using a password.

Worst part is I remember the password that it might be. Is there anyway to undo diskutil cs delete, without deleting the data on the hard drive using the UIDs I found in my logs?

When I plug it into Windows, it shows RAW instead of what it showed before
AurV4.png

This is what diskutil shows now:

5uedDiX.jpg


Logs from diskpart, I think this is a scan that shows UIDs (if thats important) before I ran that command:
vgNIN43.jpg


2qnsp2J.jpg
 
"Without knowing what I was doing...
I typed: diskutil cs delete Macintosh HD"

It looks like you wiped it.
It's gone.

Your options now:
- restore from your backup
- data recovery software
- data recovery firm (VERY expensive -- thousands)
 
  • Like
Reactions: chabig
Fishrrman said:
"Without knowing what I was doing...
I typed: diskutil cs delete Macintosh HD"

It looks like you wiped it.
It's gone.

Your options now:
- restore from your backup
- data recovery software
- data recovery firm (VERY expensive -- thousands)
Click to expand...

I'd like to think it's not as simple as just give up.... Or outsource it. What happened to teaching others how things work on a technical level.

There were time machine backups, as said in the first post, but it's on the same drive, before the cold storage was removed. Nothing was touched since.

I'd like to also think there would be a way to recreate the cold storage or manually read the data partition. The entire drive wasn't encrypted, just the hfs partition, which doesn't look touched.

Isnt there a way
 
crewxp2 said:
There were time machine backups, as said in the first post, but it's on the same drive
Click to expand...
Then you don’t have a backup. I stand with Fishrrman...your data is gone. This is not about “teaching others to work on a technical level. It’s toast. The lessons to be learned are, 1) be careful in terminal, and 2) a ‘backup’ on the same device isn’t really a backup.
 
  • Like
Reactions: Riwam and DeltaMac
In your first post, you noted that you were asked for a password when you were just trying to recover data from your volume. That could indicate that your volume was encrypted (with FileVault). macOS will let you do that as a first step.
You can't get to the data on your FileVault volume without providing the password to unlock.
But, you can delete that volume, even when it is locked.
AND, the deleted, encrypted data is still encrypted, and quite secure - not recoverable.
The rest of your lesson of the day: Don't use the drive that you boot from to store your backups. That's, unfortunately, asking for a bad result.
 
  • Like
Reactions: Riwam and chabig
chabig said:
Then you don’t have a backup. I stand with Fishrrman...your data is gone. This is not about “teaching others to work on a technical level. It’s toast. The lessons to be learned are, 1) be careful in terminal, and 2) a ‘backup’ on the same device isn’t really a backup.
Click to expand...

Being a ELECTRICAL engineer, my brain doesn't really work like that. Lessons already learned, thats easy. Now what to do from here is just as important.

Realistically, can you explain? I dont understand this. From my understanding, a Physical Volume was created using ColdStorage. This in turned created a single Logical Volume Group with 3 partitions under it. One was an encrypted HFS, the other was a EFI partition, the third was either a recovery partition or timemachine partition (cant remember, was setup 7 years ago).

So nothing was erased, only the beginning bytes of the drive that details the initial coldstorage volume group.

Theoretically it would be possible to re-create the coldstorage volume group, or if not, access the data on the HFS partition knowing the keyphrase.

Can someone who knows a bit more computer science explain why or why not this theory would work?
[doublepost=1566066541][/doublepost]
DeltaMac said:
In your first post, you noted that you were asked for a password when you were just trying to recover data from your volume. That could indicate that your volume was encrypted (with FileVault). macOS will let you do that as a first step.
You can't get to the data on your FileVault volume without providing the password to unlock.
But, you can delete that volume, even when it is locked.
AND, the deleted, encrypted data is still encrypted, and quite secure - not recoverable.
The rest of your lesson of the day: Don't use the drive that you boot from to store your backups. That's, unfortunately, asking for a bad result.
Click to expand...

Thanks for the analysis Delta.

From my understanding, the entire volume group wasnt encrypted, only the HFS Partition. Would this change anything?

And would this make sense in a theoretical approach?
  1. Hook a completely same hard drive up to the mac with the same model number,
  2. Setup the same version of MacOS
  3. Use the same encryption password as the first drive did.
  4. Somehow replicate the ColdStorage information byte for byte to the old drive to restore functionality?
 
Last edited:
I’m an EE too. Here is how I see this...the bits that comprise your data are intact on the drive, but the metadata that describes the arrangement of those bits has been destroyed. Thus, the data structures cannot be recovered from the pieces that remain.
 
If the boot volume (your HFS extended partition) was, in fact encrypted, and you deleted it while still encrypted, then the existing data is securely --- gone. Making a new core storage volume, encrypting that using the same password, is meaningless at this point. The old data doesn't magically appear, simply because you created a new partition.
And, the process of making a new partition will make the old data even more impractical to recover, with another degree of erasure added in.
There's really only one way to recover data that is on an encrypted, then erased volume. That method is to recover that data from your backup, that you made previously on another drive.
As chabig said above - your data is toast. it's gone.
 
  • Like
Reactions: chabig
Going to chime in and echo what others have said: data is gone and no going back.

Looks like you had FileVault turned on, so, you have a couple of problems once you deleted and created a new CoreStorage volume. First, there's a randomly generated encryption key buried within the old CoreStorage header that is used to decrypt the password file that is buried within the Recovery partition. That's where the initial password check is coming from after boot. If you enter the correct password, that will decrypt another encryption key which will decrypt the true randomly generated encryption key for the drive.

You've lost the password encryption key, so can't get to the real encryption key, no matter if you remember the password.

Page 11 if you want to see this schematically.

https://www.cl.cam.ac.uk/~osc22/docs/cl_fv2_presentation_2012.pdf
 
NoBoMac said:
Going to chime in and echo what others have said: data is gone and no going back.

Looks like you had FileVault turned on, so, you have a couple of problems once you deleted and created a new CoreStorage volume. First, there's a randomly generated encryption key buried within the old CoreStorage header that is used to decrypt the password file that is buried within the Recovery partition. That's where the initial password check is coming from after boot. If you enter the correct password, that will decrypt another encryption key which will decrypt the true randomly generated encryption key for the drive.

You've lost the password encryption key, so can't get to the real encryption key, no matter if you remember the password.

Page 11 if you want to see this schematically.

https://www.cl.cam.ac.uk/~osc22/docs/cl_fv2_presentation_2012.pdf
Click to expand...
that it extremely helpful. I'm going to read it entirely. Thanks NoBoMac.

I don't think it matters, but I never created a new coldstorage volume after deleting it.
 
crewxp2 said:
I don't think it matters, but I never created a new coldstorage volume after deleting it.
Click to expand...

My bad. Thought I saw a "diskutil cs create" command, but just noticed that that failed and you went straight to "revert".
 
NoBoMac said:
Going to chime in and echo what others have said: data is gone and no going back.

Looks like you had FileVault turned on, so, you have a couple of problems once you deleted and created a new CoreStorage volume. First, there's a randomly generated encryption key buried within the old CoreStorage header that is used to decrypt the password file that is buried within the Recovery partition. That's where the initial password check is coming from after boot. If you enter the correct password, that will decrypt another encryption key which will decrypt the true randomly generated encryption key for the drive.

You've lost the password encryption key, so can't get to the real encryption key, no matter if you remember the password.

Page 11 if you want to see this schematically.

https://www.cl.cam.ac.uk/~osc22/docs/cl_fv2_presentation_2012.pdf
Click to expand...

That’s a great article on FileVault2 for HFS. I was going to recommend it as well, but it seems you beat me to it!
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back