Apple FileVault lost partition data recovery. If you're reading this topic, it's likely that you've spent hours and hours trying, without success, to find a way to restore a lost FileVault-encrypted partition.
Let me save you some time…
There is no program that can restore a lost, encrypted FileVault partition!
Let me explain why.
Understanding What an Apple FileVault Partition Is
A partition table, if you're not familiar with the term, is a simple record of how a hard drive is divided up into logical volumes. Sometimes a user will want to have two separate volumes to store different types of data, or sometimes the operating system will itself want to allocate a small hidden area (hidden partition) where it can store data without risk of interference from the end user. A simple way of thinking of a partition is as a virtual room divider (also called a partition) on a single storage device.
The partition table is how the drive keeps track of this dividing, and it is generally written right at the beginning of a hard drive or other storage device. It usually occupies either just the first sector or the first 33 sectors, depending on the table type. A backup copy is usually stored at the end of the drive.
There are a few possible ways that a partition table can be lost or damaged. It could be a simple matter of bad sectors developing right at the beginning of the drive and preventing the table from being read. Often in that case, however, the backup copy at the end will be read and you may still be able to mount the partition. Another, more common scenario is when a user tries to modify the partitioning structure and something goes wrong while the changes are being made, such as a software malfunction or an unexpected power outage. It can even be caused by a virus attack, which we are seeing more and more of.
The real challenge with a lost Mac FileVault partition has to do with encryption.
The Challenge of Apple FileVault Lost Partition Recovery
There are numerous partition recovery and data recovery programs that normally can restore a lost partition by analyzing a drive. However, none of them will work if your partition is Apple FileVault encrypted. Here’s why:
Normal, non-encrypted partitions will generally have an identifiable starting signature at the beginning. As you can see in this picture here, a normal Windows NTFS file system that isn't encrypted has a short run of bytes at its start which includes the letters "NTFS" in the signature.
Partition recovery software always relies on finding these starting signatures to identify the start of a lost partition.
Since Apple FileVault encrypts the entire partition, even its first sectors are scrambled with a random key. Since the partition encryption key is randomly generated, the scrambled data is never the same twice and fits no standard mold.
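The signature search described above, as an added example (not code from this page or from any recovery product). The disk images are constructed in memory, and the random-looking bytes stand in for encrypted sectors as this article describes them, which is an assumption of the example.

```python
import hashlib

SECTOR = 512
# (offset in sector, magic bytes, label) for boot sectors of unencrypted file systems
SIGNATURES = [
    (0x03, b"NTFS    ", "NTFS"),
    (0x03, b"EXFAT   ", "exFAT"),
    (0x52, b"FAT32   ", "FAT32"),
]

def scan(image: bytes):
    """Return [(lba, label)] for each sector that carries a known starting signature."""
    hits = []
    for lba in range(len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        for off, magic, label in SIGNATURES:
            if sector[off:off + len(magic)] == magic:
                hits.append((lba, label))
    return hits

def pseudo_ciphertext(n_sectors: int) -> bytes:
    """Deterministic random-looking bytes, a stand-in for encrypted sectors."""
    out = bytearray()
    counter = 0
    while len(out) < n_sectors * SECTOR:
        out += hashlib.sha256(b"constructed" + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:n_sectors * SECTOR])

def ntfs_boot_sector() -> bytes:
    """Constructed minimal NTFS boot sector: jump, OEM ID, 0x55AA end marker."""
    s = bytearray(SECTOR)
    s[0:3], s[3:11], s[510:512] = b"\xEB\x52\x90", b"NTFS    ", b"\x55\xAA"
    return bytes(s)

def demo():
    gap = bytes(64 * SECTOR)                      # zeroed space where the table was lost
    plain = gap + ntfs_boot_sector() + bytes(63 * SECTOR)
    encrypted = gap + pseudo_ciphertext(64)
    return scan(plain), scan(encrypted)

if __name__ == "__main__":
    print(demo())
```

The scan locates the unencrypted partition at sector 64 and returns nothing for the random-looking region, so a tool that works this way has no start sector to offer.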
How a Lost Apple FileVault Partition Can Be Recovered
Since the data is encrypted, normal data recovery software is going to be useless. Even R-Studio, which is able to decrypt and recover from FileVault encrypted volumes, requires the partition table to be intact so it knows where to look for the DEK (disk encryption key) and knows to prompt for the user password.
So how can it be done? The simple answer is…manually!
Here at Data Medics, we’ve successfully recovered several lost Apple FileVault partitions by manually rebuilding the partition tables. Yes, we actually type at a keyboard in a hex editor like you see in the image above and write a new partition table. Our basic process is as follows:
- First, we carefully analyze the data in a hex editor to determine the starting and ending locations of the user partition(s). Since they have no clear opening signature, this is usually done by a process of elimination. Before and after a FileVault user partition there are usually small system partitions which are not encrypted. By comparing where these system partitions typically sit relative to the user partition on a healthy system, we can often determine the approximate start/end sectors.
- Next, we must manually re-write the GPT partition table and insert the appropriate values we determined from our analysis in step one. Typically we’ll use one of our collected tables from prior cases that’s similar in layout as a template, then just make the necessary adjustments to the values.
- GPT partition tables (what Apple uses) include two checksum values which are calculated over all the data contained in the table. So if even a single value is changed, the checksums must be manually recalculated and updated. This allows macOS to attempt mounting the partition, since it'll recognize the table as valid. Otherwise, the table will just be rejected and the partition will refuse to mount.
- Finally, we attempt to mount the volume. If this fails, it's back to step 1 to see where we went wrong and try again. Sometimes it just comes down to a few days of trial and error before we get it right. If the volume successfully mounts, we input the user password and we're ready to copy data for our customer.
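The checksum step above, as an added example (not Data Medics' own tooling). It recalculates both GPT CRC32 values after one entry is changed by hand. The sector numbers, disk size, partition names and unique GUIDs are constructed for illustration, and a standard 92-byte header with 128-byte entries is assumed.

```python
import struct
import uuid
import zlib

HDR = struct.Struct("<8s4sIIIQQQQ16sQIII")  # 92-byte GPT header
ENT = struct.Struct("<16s16sQQQ72s")         # 128-byte partition entry
ESP = "C12A7328-F81F-11D2-BA4B-00A0C93EC93B"           # EFI System Partition type
CORE_STORAGE = "53746F72-6167-11AA-AA11-00306543ECAC"  # Apple Core Storage type
TOTAL_SECTORS = 976773168                    # constructed disk size (512-byte sectors)

def fix_crcs(header: bytes, entries: bytes) -> bytes:
    """Return the header with both CRC32 fields recalculated."""
    f = list(HDR.unpack(header[:HDR.size]))
    f[13] = zlib.crc32(entries[:f[11] * f[12]])  # checksum 1: the whole entry array
    f[3] = 0                                     # checksum 2 is taken with its own field zeroed
    f[3] = zlib.crc32(HDR.pack(*f)[:f[2]])       # ...over header_size bytes (92 here)
    return HDR.pack(*f)

def is_valid(header: bytes, entries: bytes) -> bool:
    """The check a GPT reader applies before trusting the table."""
    return header[:8] == b"EFI PART" and fix_crcs(header, entries) == header[:HDR.size]

def entry(type_guid: str, first: int, last: int, name: str, n: int) -> bytes:
    """One entry; GUIDs are stored mixed-endian, names as UTF-16LE."""
    return ENT.pack(uuid.UUID(type_guid).bytes_le, uuid.UUID(int=n).bytes_le,
                    first, last, 0, name.encode("utf-16-le"))

def build(user_first: int, user_last: int):
    """Constructed two-partition table: unencrypted ESP, then the user volume."""
    ents = (entry(ESP, 40, 409639, "EFI System Partition", 1)
            + entry(CORE_STORAGE, user_first, user_last, "Macintosh HD", 2))
    ents = ents.ljust(128 * ENT.size, b"\0")     # 128 slots, unused ones zeroed
    hdr = HDR.pack(b"EFI PART", b"\x00\x00\x01\x00", HDR.size, 0, 0, 1,
                   TOTAL_SECTORS - 1, 34, TOTAL_SECTORS - 34,
                   uuid.UUID(int=0xD15C).bytes_le, 2, 128, ENT.size, 0)
    return fix_crcs(hdr, ents), ents

def demo():
    hdr, ents = build(409640, 975503591)
    ok_template = is_valid(hdr, ents)
    # Hand-edit one value: move the user volume's last LBA, as in step two.
    _, edited = build(409640, 975093951)
    ok_stale = is_valid(hdr, edited)             # old checksums no longer match
    ok_fixed = is_valid(fix_crcs(hdr, edited), edited)
    return ok_template, ok_stale, ok_fixed

if __name__ == "__main__":
    print(demo())
```

The backup header at the end of the drive needs its own header checksum, because its current-LBA, backup-LBA and entry-array-LBA fields differ from the primary's.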
In some cases, there may be file system corruption that still prevents mounting even after we get the table right. This is especially true if the original drive was damaged, had bad sectors, etc. and we couldn’t get a 100% read of the data. In those cases, data recovery software we have here can do the rest.