FileVault 2 Data Recovery Case Study: Macbook Pro

This client brought their hard drive to us after being met with the “Gray Screen of Death.” The failed Hitachi hard drive pulled from their Macbook Pro was fully encrypted. Encryption can greatly complicate the file recovery process. Our FileVault 2 data recovery efforts required lengthy procedures in order to get the client’s data back to them.

Gray Screen of Death
The gray prohibitory sign seen on the client’s Gray Screen of Death. This indicated that the hard drive had failed.

Data Recovery Case Study: Video File Recovery from FileVault 2 Encrypted Macbook Hard Drive
Drive Brand: Hitachi
Drive Capacity: 500 GB
Model Number: HTS547550A9E384
Operating System: Macintosh
Situation: Mac Gray Screen of Death. Data could not be retrieved from hard drive by local repair shop
Type of Data Recovered: Photos, Videos, Documents
Binary Read: 100%
Gillware Data Recovery Case Rating: 10

The client in this data recovery case had happily used their Macbook Pro laptop for three and a half years without incident. One day, they turned on the laptop only to be greeted with the Gray Screen of Death. This error indicated that the Mac was unable to find a valid System Folder.

Gray Screen of Death
The question mark folder icon commonly seen on the “Gray Screen of Death”.

The client took their Macbook to their local Apple store and then to a local computer repair shop. They were eventually directed to us to recover their family photos, home videos, and Microsoft Word documents.

At first glance, something about the partitioning scheme might have struck a data recovery neophyte as bizarre. There were only two recognizable partitions on the 500 gigabyte Hitachi hard drive: a 200 megabyte EFI partition and an HFS+ filesystem of around 620 megabytes.

It seemed that this drive was only using 820 megabytes out of its roughly 464 gigabytes of usable capacity. That was absurd. This oddity did not mystify our data recovery technicians, though. Cases like these show up fairly often. The client’s hard drive had been encrypted using Apple’s FileVault 2 encryption tool. This made their main data partition invisible.

FileVault 2 Data Recovery
Top: The two partitions initially visible prior to decryption. Bottom: The user’s main partition, after decryption. It took a lot of work to get from the top to the bottom in this FileVault 2 data recovery case.

Apple developed its FileVault encryption feature in 2003. FileVault secures the contents of the user’s Home folder on-the-fly. That means data accessed from and written to the encrypted area is encrypted and decrypted in real time as it is used. A few years later, FileVault 2 was released. FileVault 2 encrypts the entire system partition on the user’s hard drive instead of just the user’s Home folder.

Outside of the user’s computer and without the proper password, the main data partition is completely invisible. Only the smaller EFI and recovery partitions can be seen. This is similar to how other full-disk encryption software tools such as BitLocker and TrueCrypt work. It’s very different from Western Digital’s hardware-level SmartWare encryption. However, it presents many similar challenges to data recovery.
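The partition layout described above (a small EFI partition and a small HFS+ recovery partition visible, the bulk of the disk hidden inside the encrypted container) is the first thing a recovery engineer checks for. The following added example is not from Gillware; it builds a constructed GPT partition table for a 500 GB disk with that layout, parses it, and reports how much capacity will stay invisible until the owner's password unlocks it. The partition type GUIDs are Apple's and the EFI spec's published values; the sizes and offsets are constructed, not taken from the client's drive.

```python
import struct
import uuid

SECTOR = 512
# Published GPT partition type GUIDs (EFI spec and Apple's Core Storage / HFS+ values).
GPT_TYPES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "48465300-0000-11aa-aa11-00306543ecac": "Apple HFS+",
    "426f6f74-0000-11aa-aa11-00306543ecac": "Apple Boot",
    "53746f72-6167-11aa-aa11-00306543ecac": "Apple Core Storage",  # FileVault 2 container
}

def build_gpt_image(parts, total_lbas):
    """Constructed test image: header at LBA 1, entries at LBA 2. CRCs are left zero
    because this builder only exists to feed the parser below (a real check verifies them)."""
    entries = b"".join(
        struct.pack("<16s16sQQQ72s", uuid.UUID(t).bytes_le, uuid.uuid4().bytes_le,
                    first, last, 0, name.encode("utf-16-le"))
        for t, first, last, name in parts)
    header = struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x00010000, 92, 0, 0,
                         1, total_lbas - 1, 34, total_lbas - 34, uuid.uuid4().bytes_le,
                         2, len(parts), 128, 0)
    return (b"\0" * SECTOR + header.ljust(SECTOR, b"\0") + entries).ljust(34 * SECTOR, b"\0")

def parse_gpt(image):
    """Read the primary GPT header and return the non-empty partition entries."""
    sig, _, _, _, _, _, _, _, _, _, ent_lba, n, esize = \
        struct.unpack_from("<8sIIIIQQQQ16sQII", image, SECTOR)
    if sig != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    parts = []
    for i in range(n):
        t, _, first, last, _, name = struct.unpack_from("<16s16sQQQ72s", image,
                                                        ent_lba * SECTOR + i * esize)
        if t == b"\0" * 16:        # unused entry
            continue
        guid = str(uuid.UUID(bytes_le=t))   # GPT stores GUIDs in mixed-endian form
        parts.append({"type": GPT_TYPES.get(guid, guid), "sectors": last - first + 1,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return parts

def filevault_summary(parts):
    """Split capacity into what a recovery tool can read now and what sits in the container."""
    visible = sum(p["sectors"] for p in parts if p["type"] != "Apple Core Storage")
    locked = sum(p["sectors"] for p in parts if p["type"] == "Apple Core Storage")
    return {"visible_gb": round(visible * SECTOR / 1e9, 2),
            "locked_gb": round(locked * SECTOR / 1e9, 2), "needs_decryption": locked > 0}

# Constructed 500 GB layout: 200 MB EFI, Core Storage container, ~620 MB Recovery HD.
TOTAL_LBAS = 500_000_000_000 // SECTOR
IMAGE = build_gpt_image([
    ("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", 40, 409639, "EFI"),
    ("53746f72-6167-11aa-aa11-00306543ecac", 409640, 975292000, "Macintosh HD"),
    ("48465300-0000-11aa-aa11-00306543ecac", 975292001, 976561536, "Recovery HD"),
], TOTAL_LBAS)
```

Run against the constructed image it reports under a gigabyte as readable and roughly 499 GB locked, which is exactly the "820 megabytes out of 464 gigabytes" picture that flags a FileVault 2 drive before any file-level recovery is attempted.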

The FileVault 2 Data Recovery Process

It can be difficult to recover data from an encrypted hard drive. Our engineers have no way of pinpointing critical areas of the drive for targeted file recovery. The hard drive needs to be imaged before it can be decrypted. But our engineers can’t see what has or hasn’t been recovered until after the drive has been decrypted. It’s a data recovery catch-22. This is why encryption can make data recovery such a thorny issue. Fortunately, there were no severe problems with the client’s Hitachi hard drive. We were able to get a 100% image of the drive’s binary sectors.

Once the client’s hard drive had been fully imaged onto one of our internally-used customer data drives, a long, multi-step FileVault 2 recovery process followed. Even the most straightforward cases of file recovery from encrypted hard drives involve these lengthy steps. The full encrypted disk image was turned over to our logical data recovery engineer Cody to be decrypted.

Decrypting the client’s hard drive required connecting it to one of our Mac machines. Of course, this required the client to provide us with their password. After all, encryption wouldn’t do much good for anyone if it could be circumvented so easily.

After decryption, Cody was left with yet another image of a hard drive. But Cody wasn’t done with this FileVault 2 data recovery case just yet. There was still more work to do. The decrypted disk image had to be cloned to its own hard drive. The next step in the FileVault 2 data recovery process was to analyze the image with HOMBRE just as if it were the client’s drive itself. This would put the client’s recovered data into usable form.

The FileVault 2 login screen
The FileVault screen appears upon booting.

Cody was able to use HOMBRE to read the client’s imaged and decrypted hard drive like an open book. After such a lengthy decryption process, finding the drive’s partition information and file definitions seemed to take no time at all. At the end of the long encrypted data imaging procedure was a comparatively short file recovery process. We were able to recover all of the user’s files. We ended up rating this FileVault 2 data recovery case a 10 on our ten-point scale.

Will Ascenzo

Will is the lead blogger, copywriter, and copy editor for Gillware Data Recovery and Digital Forensics, and a staunch advocate against the abuse of innocent semicolons.