Hello all,
I wondered whether people were getting more experience of APFS, and of working with it when there is a failure or it has been altered. In particular, I am uncertain at this stage whether there is a particular LBA location (or range of LBAs) for the keychain for encrypted APFS volumes. In this case I am working on a volume which contains the OS after a High Sierra update from HFS+ to APFS.
The case I have relates to a fault where the user was in Disk Utility and made some type of mistake; he then also ran commands within Terminal. He can't recall which. The end result is that from sector 409,640 there are now 200 sectors filled with "00" data, and a GPT reporting a volume at 409,640 called "Customer".
I have been able to locate NXSB 'magic' blocks later in the disk. The first of these was copied and written back to the first 8 sectors at 409,460. It is now possible for OSX / recovery software to recognise the APFS container. It is possible to access the files of the three volumes which are not encrypted (Preboot, Recovery, VM). The encrypted volume "Macintosh HD" is reported as locked within recovery software and within OSX DiskUtil.
Below is a screenshot showing this with R-Studio:
[Attachment: 2018-08-14.png]
Below is the output from OSX at terminal:
[Attachment: DiskUtil APFS.png]
The UUID for the encrypted volume is reported missing from the DiskUtil command line. Attempts to decrypt via the command line fail as a result, even though the passphrase is available.
Within OSX when I attempt to mount the encrypted volume the pop-up box appears asking for the password to be entered. However, it is greyed out and not possible to enter text. The ‘hint’ is also missing. I suspect that the data associated with the keychain is missing/overwritten.
I should also mention that the SSD had been to another data recovery company before getting here. Unfortunately, they are well known in the UK for advertising "No recovery, no fee", but then trying to charge a large upfront non-refundable fee once the device is received. Consequently, the owner of the disk requested that it be returned. As a consequence it is not possible to know whether any changes have been made to the disk.
Any thoughts?
Best regards,
John
_________________
CDR - Manchester Data Recovery Services
0161 408 4857
http://www.cheadledatarecovery.co.uk/
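As an added example (not part of John's post, nor code from any tool he names), the check I would run before copying a carved NXSB block back over the container start: verify each candidate's Fletcher-64 checksum and prefer the copy with the highest transaction id, rather than the first one found. Field offsets follow Apple's published nx_superblock_t layout; the 4096-byte block size, the 16-block demo image and its UUID are constructed assumptions, not values from the disk in question.

```python
import struct, uuid

BLOCK = 4096      # container block size assumed for this disk
NX_MAGIC = b"NXSB"
M = 0xFFFFFFFF    # modulus of the Fletcher-64 variant APFS uses (2**32 - 1)

def fletcher64_sums(buf, s1=0, s2=0):
    # Fold little-endian 32-bit words into the two running Fletcher sums.
    for (w,) in struct.iter_unpack("<I", buf):
        s1 = (s1 + w) % M; s2 = (s2 + s1) % M
    return s1, s2

def obj_checksum(block):
    # Checksum over bytes 8.. of an object block; stored little-endian in bytes 0..7.
    s1, s2 = fletcher64_sums(block[8:])
    lo = M - ((s1 + s2) % M); hi = M - ((s1 + lo) % M)
    return struct.pack("<II", lo, hi)

def checksum_ok(block):
    # Folding the stored checksum words last must leave both sums at zero.
    return fletcher64_sums(block[:8], *fletcher64_sums(block[8:])) == (0, 0)

def parse_nxsb(block, offset):
    # nx_superblock_t fields worth comparing between candidate copies.
    oid, xid = struct.unpack_from("<QQ", block, 8)          # obj_phys_t: o_oid, o_xid
    bsize, bcount = struct.unpack_from("<IQ", block, 36)    # nx_block_size, nx_block_count
    return {"offset": offset, "oid": oid, "xid": xid, "block_size": bsize, "block_count": bcount,
            "uuid": str(uuid.UUID(bytes=block[72:88])), "valid": checksum_ok(block)}

def scan_image(img):
    # Carve every block-aligned NXSB candidate; the magic alone is not proof of a sound copy.
    return [parse_nxsb(img[o:o + BLOCK], o) for o in range(0, len(img) - BLOCK + 1, BLOCK)
            if img[o + 32:o + 36] == NX_MAGIC]

def newest_valid(candidates):
    # Prefer the highest transaction id among copies whose checksum still verifies.
    good = [c for c in candidates if c["valid"]]
    return max(good, key=lambda c: c["xid"]) if good else None

def make_nxsb(xid, nx_uuid):
    # Constructed NXSB block for the demo image (not taken from any real disk).
    blk = bytearray(BLOCK)
    struct.pack_into("<QQI", blk, 8, 1, xid, 0x40000001)  # oid, xid, type: NX_SUPERBLOCK, physical
    blk[32:36] = NX_MAGIC; blk[72:88] = nx_uuid.bytes      # nx_magic, nx_uuid
    struct.pack_into("<IQ", blk, 36, BLOCK, 1 << 20)       # nx_block_size, nx_block_count
    blk[0:8] = obj_checksum(bytes(blk))
    return bytes(blk)

def demo_image():
    # Constructed 16-block image: zeroed container start, two sound copies, one bit-rotted copy.
    u = uuid.UUID("12345678-1234-5678-1234-567812345678")
    img = bytearray(b"\xaa" * (16 * BLOCK)); img[0:BLOCK] = bytes(BLOCK)
    img[5 * BLOCK:6 * BLOCK] = make_nxsb(10, u); img[9 * BLOCK:10 * BLOCK] = make_nxsb(12, u)
    bad = bytearray(make_nxsb(99, u)); bad[100] ^= 0xFF    # damaged after its checksum was written
    img[12 * BLOCK:13 * BLOCK] = bad
    return bytes(img)
```

On a real image, pass the whole container region to scan_image and compare the UUID and block count across copies as well as the xid; a copy whose checksum fails or whose UUID differs should never be written back.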