Trying to recover data from a 256GB MacBook Pro Retina SSD drive. According to the user shortly after installing the El Capitan upgrade the computer froze, and after rebooting it would hang on a gray screen. Supposedly they did not reformat or otherwise fiddle with the drive after that but of course that should be taken with a handful of salt. I have made a clean DD image of the drive and it did not report any bad sectors. However when the image is mounted in R-Studio it detects the EFI System partition, the Recovery Volume, and a 232GB volume but can only detect contents of the recovery volume and reports a GPT tables error 0x103. Scan for lost HFS file system in both R-Studio and UFS Explorer turns up only the recovery volume and a RAW scan for file types finds only two junk files. When the disk image is opened in hex editor the first information that shows up is this:

which goes on and ends with

followed by a gap and then again starts with this

ending here


After that there is another gap and then what appears to be blocks of encrypted data starting and ending at the following offsets with gaps between them:
0000320000 thru 00003FFFC0
0000420000 thru 00004FFFC0
0000520000 thru 00005FFFC0
0000620000 thru 00006FFFC0
0000720000 etc etc
all the way to
3A01020000

thru 3A010FFFC0

followed by whitespace and finally

My initial suspicion is that perhaps following El Capitan update the user was prompted to enable FileVault encryption on the disk and when they did so the computer may have frozen or slowed down to the point that they thought it was frozen, prompting them to force power off which resulted in a corrupt partition table and partially or wholely encrypted drive.

Last item of interest, R-Studio detects 232GB partition and shows the name Macintosh HD partition and appears to show the expected partition offset but under HFS information is only detects a 619.89MB vol size, this also mirrors what Testdisk found when scanning partition. See pic:

Anybody? Other people out there coming across mysterious data loss issues with these retina SSDs?

Text dumps are not useful. I speak hex and expect that most others would prefer this format, too. Without seeing the hex, ISTM that the first screenshots could be 32-bit FATs.

_________________
A backup a day keeps DR away.

HEX DUMP attached of offset 0x00027040 thru 0x00055450

0X001B0E40 thru 0x001DF250

0x00320000 thru 0x003FFFF0

hexdump01 and hexdump02 are identical. They do look like part of a 32-bit FAT. ISTM that the first small 200MB partition (Recovery Volume) is just a FAT32 volume.

_________________
A backup a day keeps DR away.

Those are probably the EFI System partition which is apparently FAT-like: https://en.wikipedia.org/wiki/EFI_system_partition

Here's another partial dump of the next chunk that shows up

I'm assuming encryption since running RAW file scans in R-Studio, UFS Explorer and PhotoRec turned up almost nothing (and OS upgrade does sometimes ask to enable File Vault) but I supposed some sort of controller error or logic board problem could have just scrambled the data so badly that it is completely unrecognizable.

I have no experience with HFS/HFS+, but searching for "Mac" and "619.89" turns up quite a few discussions.

For example ...

http://webcache.googleusercontent.com/s ... p?id=21435


Therefore, ISTM that you should have 3 partitions -- a 200MiB EFI FAT32 partition, a 233GiB "Macintosh HD" partition, and a 619.89 MiB Recovery partition.

I would start by examining sectors 0,1,2 in hex mode.

_________________
A backup a day keeps DR away.