Encrypted drive recovery: a weird one?

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
OK, so my external hard drive, which is encrypted as it contains backup financial documents, became screwed up.
Trying to repair in Disk Utility gives the message "problems were found with the partition map which might prevent booting."
OK, so I don't want to reformat the disk just yet, so I plug the external hard drive into an old Mac running Lion on which I have a copy of Data Rescue 3 I bought years ago. Data Rescue 3 can see the drive, though the Mac itself reports it as unreadable. So I run Deep Scan on the Drive. It's a 2TB drive so going to take ages so I pause the process to see if Data Rescue 3 has found anything. It shows my complete directory and I am able to begin pulling stuff off the encrypted drive. I repeat: I am able to start pulling documents off the encrypted drive. HOW CAN THIS BE POSSIBLE? What's the point of encrypting a drive if someone can just go and plug it into another Mac, run Data Rescue on it and see your Directory, and possibly pull all the data off it? I haven't tried pulling the data off yet. Maybe it will be encrypted and unreadable. But I was unable to unlock the encrypted drive and it wasn't seen by the Finder.
Any ideas?
 

ElitistWhiner

macrumors newbie
Jul 30, 2020
7
6
NEVER encrypt. Especially your drive. Encryption standards change. When they do be-warned; OSen change to new standards. One day you're encrypted-safe, the next, your storage backups are bricked. There is no way back.
 

Fishrrman

macrumors Core
Feb 20, 2009
19,661
6,848
Don't worry about encryption.
If Data Rescue sees the data and can recover it, then... RECOVER IT WHILE YOU CAN!

Get what you can from the old disk onto a fresh drive.
MAKE SURE THE NEW DRIVE IS NOT USING ENCRYPTION!
(I agree 100% with Elitist above)

Hmmm.... you won't really know if DR "got the files" until the recovery is done and you try opening a few of them.
Also... be aware that file recovery can result in lost filenames and folder hierarchies.

I do not use encryption on ANY drive with one exception:
I keep a backup in my car, and I do encrypt one partition with bank records, etc.
But... if that partition failed, it's no big deal to just erase it and start over, as it's only a backup.

But for your primary storage -- encryption might just make it impossible to access the data on the drive, in a moment when you need it badly.
 

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
Thanks for sticking with me!

I'm now using Data Rescue to make a clone of the encrypted drive. Then I can see what it has pulled off. This might be RAW data so will then have to do a deep scan on that new drive. My main point really is that what's the point of encrypting a drive if someone can steal it and then just get to the data anyway using Data Rescue?
 

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
Unlocking the drive has effectively decrypted it on that particular computer.
Thanks, but no. I am unable to unlock the drive as when I connect it to either Mac I don't get a splash screen asking for the password to be entered as I would normally see. Rather, you can see the drive in Disk Utility but the Volume is greyed out. If you select this greyed out Volume nothing happens. What should happen is that if you select this greyed out Volume and click 'Mount' then the usual splash screen will appear and you can enter the password. That's why it's weird...
 

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
I just replicated the behaviour using a 32GB thumbdrive. Did right-click encryption on one Mac. Waited about 20 mins. Put the thumbdrive in the Mac with Data Rescue on it. Splash screen came up asking for password because now the thumbdrive was partially encrypted. I pressed cancel. In Disk Utility disk is listed but Volume is greyed out. Launch Drive Genius, and it sees and Deep Scans the drive. Go to recover the data and splash screen comes up asking for password. Press cancel a second time and Drive Genius carries on and recovers the data to a folder on my desktop.
So my theory is that you can recover data from a PARTIALLY encrypted drive using Data Rescue. Perhaps the 2TB disc was also partially encrypted as I started the encryption and never bothered checking back in Terminal to see how far things had advanced. I'm now going to fully encrypt the thumbdrive and see what happens...
 

planteater

macrumors regular
Feb 11, 2020
110
115
I just replicated the behaviour using a 32GB thumbdrive. Did right-click encryption on one Mac. Waited about 20 mins. Put the thumbdrive in the Mac with Data Rescue on it. Splash screen came up asking for password because now the thumbdrive was partially encrypted. I pressed cancel. In Disk Utility disk is listed but Volume is greyed out. Launch Drive Genius, and it sees and Deep Scans the drive. Go to recover the data and splash screen comes up asking for password. Press cancel a second time and Drive Genius carries on and recovers the data to a folder on my desktop.
So my theory is that you can recover data from a PARTIALLY encrypted drive using Data Rescue. Perhaps the 2TB disc was also partially encrypted as I started the encryption and never bothered checking back in Terminal to see how far things had advanced. I'm now going to fully encrypt the thumbdrive and see what happens...
Good analysis. I'm interested in your findings.
 

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
OK, after many moons, Data Rescue has recovered 1.8TB from my 2TB drive. While it showed a complete directory of the 'encrypted' drive, files recovered from this part of the splash screen (Recovered files if I remember correctly) were unreadable on recovery, though you could see and read the file names. The data recovered from the other section of the splash screen (Reconstructed files) totalled 1.8TB and though the files had generic, sequential names, they followed the directory and its different paths so it was easy to put them back into order. And you could read everything the documents contained. I am assuming that this 1.8TB was still to be encrypted and that the drive was only partially encrypted. I am still waiting for my Mac to fully encrypt a thumb drive. I will then see if Data Rescue can access it when I pretend I don't know the password...
 

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
OK, I'm just putting this out there for those who are interested. I completely encrypted a 32GB thumbdrive by right-clicking on it and selecting 'Encrypt'. The thumbdrive had several documents on it: a PDF, a text file and one picture. I then ejected it and took it to my other older Mac and plugged it in. When it asked for the password (it's not stored in the keychain) I clicked cancel so that the Disk could be seen in Disk Utility but the Volume was greyed out. I then ran Data Rescue on it. After about 40 mins the opportunity to recover data was presented and when clicking proceed I was shown the directory and all the data on the disk. Aha, I thought. I bet if I recover the data to my desktop it will be unreadable as it has been encrypted. No. All the files could be seen and read, whether PDF, pic or text document. What's the point of encrypting external drives if anybody with a copy of Data Rescue can access your data should you lose the disc while travelling or leave it on a train? Be great if someone has the time to have a go themselves as I would like to think I am missing something here.
 

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
SOLVED! I just spoke to the team at Data Rescue via webchat. The Data Rescue software reads the RAW data on the disc and uses it to re-assemble the directory and files whether the volume is mounted or not. Encrypting the disk using Mac OSX does not encrypt this RAW data. Well, that's what they said, anyway...
 

chrfr

macrumors G3
Jul 11, 2009
9,704
3,561
SOLVED! I just spoke to the team at Data Rescue via webchat. The Data Rescue software reads the RAW data on the disc and uses it to re-assemble the directory and files whether the volume is mounted or not. Encrypting the disk using Mac OSX does not encrypt this RAW data. Well, that's what they said, anyway...
No, that makes no sense. There’s only 1 reasonable scenario here: that the disk hasn’t finished encrypting.
The encrypted data will be gibberish on the disk without the decryption key, even for a tool like Data Rescue.
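
A way to test the "not finished encrypting" explanation on a clone of the drive, as an added example that is not part of any post in this thread: ciphertext is indistinguishable from random bytes, so sampling blocks of a raw image and measuring their entropy shows roughly how much of the disk has been converted. The block size, the 7.5 bits/byte threshold, the constructed demo image and the file name `clone.img` are assumptions; compressed files also score high, so only the low-entropy blocks are conclusive.

```python
import io
import math
import os
from collections import Counter

BLOCK = 4096       # bytes read per sample
THRESHOLD = 7.5    # bits/byte; assumed cut-off (random data scores ~7.95)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(block: bytes) -> str:
    if block.count(0) == len(block):
        return "empty"                      # zeroed, never-written space
    if entropy(block) >= THRESHOLD:
        return "random-looking"             # ciphertext OR compressed data
    return "plaintext-like"                 # readable without any key

def survey(img, samples=64) -> Counter:
    """Classify evenly spaced blocks of a seekable raw image."""
    blocks = img.seek(0, io.SEEK_END) // BLOCK
    step = max(1, blocks // samples)
    tally = Counter()
    for i in range(0, blocks, step):
        img.seek(i * BLOCK)
        tally[classify(img.read(BLOCK))] += 1
    return tally

def demo_image() -> io.BytesIO:
    """Constructed 64-block image: half converted, the rest not yet."""
    text = b"Statement 2019-03: opening balance, payments, closing balance.\n"
    plain = (text * (16 * BLOCK // len(text) + 1))[:16 * BLOCK]
    return io.BytesIO(os.urandom(32 * BLOCK) + plain + bytes(16 * BLOCK))

if __name__ == "__main__":
    # For a real check, pass open("clone.img", "rb") (hypothetical file name).
    tally = survey(demo_image())
    total = sum(tally.values())
    for kind, count in tally.most_common():
        print(f"{kind:15} {count:3} blocks ({100 * count / total:.0f}%)")
```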
 

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
The encrypted data will be gibberish on the disk without the decryption key
But it isn't. I just tried it. Also, the article you are referring to is talking about Filevault encryption on a Mac's internal drive which takes a password you've decided upon to unlock the encryption key that protects the startup volume. Encrypting an external thumbdrive is different in that the encryption key for that is derived from the password you set directly for the drive. I would like to think you were right (I was of the same belief myself), but there are other Data Recovery tools that promise to be able to recover data from an encrypted external hard drive or thumb drive.

Stellar Phoenix is one: 'Some users choose to encrypt external storage media such as a hard drive or thumb drive to prevent access. Maybe the drive was corrupted after a power outage or is simply getting old. Another potential scenario would be losing the drive after a new OS install, OS upgrade, or a reformat. To retrieve the data, you will need a way to find the information on the physical drive, as in most instances the operating system will not be able to do so.
Stellar Phoenix Mac Data Recovery can be used on your computer to recover Mac files from encrypted hard drive.'
 

chrfr

macrumors G3
Jul 11, 2009
9,704
3,561
But it isn't. I just tried it. Also, the article you are referring to is talking about Filevault encryption on a Mac's internal drive which takes a password you've decided upon to unlock the encryption key that protects the startup volume. Encrypting an external thumbdrive is different in that the encryption key for that is derived from the password you set directly for the drive. I would like to think you were right (I was of the same belief myself), but there are other Data Recovery tools that promise to be able to recover data from an encrypted external hard drive or thumb drive.

Stellar Phoenix is one: 'Some users choose to encrypt external storage media such as a hard drive or thumb drive to prevent access. Maybe the drive was corrupted after a power outage or is simply getting old. Another potential scenario would be losing the drive after a new OS install, OS upgrade, or a reformat. To retrieve the data, you will need a way to find the information on the physical drive, as in most instances the operating system will not be able to do so.
Stellar Phoenix Mac Data Recovery can be used on your computer to recover Mac files from encrypted hard drive.'
You’ll need the FileVault password to recover anything useful, if the disk is actually fully encrypted. A 2TB disk would take several days to complete encryption.
These recovery tools are not magically bypassing FileVault.
Step 4 Provide the password to unlock the drive. Also, if you are scanning your startup disk in macOS Catalina, Mojave, or High Sierra, you must disable system integrity protection.
 

AppleSmack

macrumors regular
Jun 30, 2010
186
54
SOLVED! I just spoke to the team at Data Rescue via webchat. The Data Rescue software reads the RAW data on the disc and uses it to re-assemble the directory and files whether the volume is mounted or not. Encrypting the disk using Mac OSX does not encrypt this RAW data. Well, that's what they said, anyway...
That sounds like a good explanation.

Filevault reads the data, encrypts it, writes it to disk. However, wear levelling means the drive doesn't necessarily overwrite the original data. Hence, reading the raw disk image allows recovery software to find the unencrypted data still there. This is all normal behaviour, though far from ideal because of the false sense of security.

To avoid this, you need to start with an empty drive, or one that you've formatted with the option to overwrite the disk at least once.

Use disk utility to erase the drive, and choose a format with encryption. This is the key stage: you now start with an empty encrypted drive that you then put your data on, NOT by encrypting a drive containing unencrypted data.

Still, thank you for running your tests, because it really shows the importance of encrypting at the start, and not after you've started filling the drive.
 

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
This is the key stage
Great info. I'll reformat and zero out the data on the thumbdrive twice and then put a single PDF on it and repeat the exercise...
 

chabig

macrumors 604
Sep 6, 2002
6,768
3,978
Filevault reads the data, encrypts it, writes it to disk. However, wear levelling means the drive doesn't necessarily overwrite the original data.
FileVault encrypts every bit on the drive. Everything (even the free space) is overwritten.

OK, so my external hard drive, which is encrypted...
I might have missed it, but I don't think you ever specifically said you encrypted with FileVault. Did you use a third-party encryption?

Stellar Phoenix Mac Data Recovery can be used on your computer to recover Mac files from encrypted hard drive.
I think they are playing fast and loose with terminology. What they really mean is that if you provide your encryption key, they can recover files.

FileVault encrypts every bit on the drive. Everything (even the free space) is overwritten.
Thanks for the correction!

Thanks for the correction!
I wish I could have put a reference, but I couldn't find one. But because it's "full disk encryption" it has to work that way. You can always prove this to yourself...encrypting a multi-TB empty drive will take days.
 

Poncho

macrumors 6502
Original poster
Jun 15, 2007
377
156
Holland
I might have missed it, but I don't think you ever specifically said you encrypted with FileVault. Did you use a third-party encryption?
I encrypted the drive by inserting it into a Mac running Sierra then, after right clicking on the image that appeared on the desktop, chose 'Encrypt "name of drive"'. I didn't use third-party software but that built into the Mac.

By the way, it took 17 hours for Data Rescue to search the whole drive. However, even if you stop the process after 10 mins you can see what it has begun to find and it will show you the directory.
 