Decrypt files recovered from encrypted external hard drive











I am trying to recover the data from one of the external hard drives of my company. I ended up using DiskDrill to extract all the files into a new, non-encrypted hard drive. Unfortunately I made the mistake of erasing the original hard drive before properly checking the exported data... :/



If I look at the recovered data, all the file structures and file sizes seem correct. But if I try to open any file I get a system error saying:




"The document “File.rtf” could not be opened."




I used cat to check the content of the file, and from the outcome it looks to me like it's still encrypted:




|?!?z?n;?AԒ??Ћ???f??Y?-?bA?-??ۚw?5?vc?D???yr????l?&yg?????U#
????F?????l??
??ٔ=??S?????#t????v:??#?˰wDZ$??y>?n??y??C?j??,???WI?L?[?a??CC?
P?U?>K?l?Ե???????OH?[Ẉ[Y?'^k?*?mDћ)?,0?Ի;
??^?dW?|?`??=?c6&-~??YT+3w?4d?'?F@???D???G(?$??>??+?҃?6?t????p?M?wC
[?:?$d1?{?Ϊ?.???~KW?r??Q?6??
o@???u???
?B|?[[??>/%???$??[;?z?h?!???O??dn??;?"?GZ?v?{W?B???[???P?d?!????d??Q?@?mG??/?|?x?_???H%)?v?Z??$?]????F??>?"????!U?rFl???
?GB2?W0Iy??]??|x??]X??aN[??????WJ??????l
B??噡g?ہ'I???^}Yk>?




The command:



file -I /Users/Cortana/Desktop/File.rtf


Returns:




application/octet-stream; charset=binary




The original disk was encrypted using FileVault. I do know the original password.



Is there any command I can run in terminal (or anything else really) that I can do to recover my data? I'm not an expert at unix so please explain it to me like I'm 5.



Thank you,
Danny
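
The `file` check in the question can be extended into a triage of every recovered file. The following is an added example, not part of the original post: it looks for a known file header and measures byte entropy in the first 4 KiB. The function names, the 7.5 bits-per-byte threshold and the sample data are assumptions made for illustration.

```python
import hashlib
import math
import sys
from collections import Counter

# Well-known leading bytes ("magic numbers") of a few common document formats.
MAGIC = {
    b"{\\rtf": "rtf",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random-looking data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(head: bytes) -> str:
    """Triage one recovered file from its first 4 KiB."""
    if not head:
        return "empty"
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return f"intact header ({kind})"
    if not head.strip(b"\x00"):
        return "zero-filled"
    if shannon_entropy(head) > 7.5:  # assumed threshold
        # Compressed formats are high-entropy too, but they keep a recognisable header.
        return "high entropy, no header: ciphertext or random data"
    return "low entropy, no header: damaged or misplaced blocks"

def constructed_samples() -> dict:
    """Constructed inputs standing in for recovered files (not data from the post)."""
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return {
        "Report.rtf": b"{\\rtf1\\ansi Quarterly report}",
        "File.rtf": random_like,
        "Wiped.rtf": bytes(4096),
        "Mixed.rtf": b"\x00\x01" * 2048,
    }

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, "->", classify(fh.read(4096)))
    else:
        for name, data in constructed_samples().items():
            print(name, "->", classify(data))
```

Run with file paths as arguments to classify real files; a recovered tree where older files report high entropy and newer ones report intact headers points to undecrypted blocks rather than random corruption.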










  • How was the disk encrypted? Also, do note that the entire purpose of encryption is to not be able to break the encryption, so the answer is most likely going to be: restore from backups. You made backups, right?
    – LPChip
    Nov 28 at 11:57












  • The external hard drive was encrypted using FireVault. This was the backup.
    – Danny Bravo
    Nov 28 at 12:14










  • Does FileVault (FireVault?) have a recovery key / file you have a backup of? If it's anything like gpg or luks or ecryptfs, the passphrase only encrypts the "real" key
    – Xen2050
    Nov 28 at 12:41






  • FileVault is whole disk encryption. I'm surprised DiskDrill even found filenames; I'd be more surprised if the data was recoverable, that rather goes against what whole disk encryption is about. If the keys are gone, so is the data. The keys were on the original drive.
    – Tetsujin
    Dec 2 at 10:22










  • Thanks @Tetsujin. DiskDrill asked me for a password to access the drive contents. It was able to discover the entire file system. I then started the recovery procedure and left it overnight. Exploring the files I realised it was actually able to recover the files that were created after a specific date, everything before that date seems to be encrypted... or possibly corrupted?
    – Danny Bravo
    Dec 2 at 12:54
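
The point made in the comments by Xen2050 and Tetsujin, that a passphrase only unwraps the real key stored in the volume header, is sketched below as an added example that is not part of the original thread. It shows the generic key-wrapping pattern, not FileVault's actual on-disk format; the HMAC-based keystream is a toy stand-in for a real cipher, and all names and sample values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

PLAINTEXT = b"{\\rtf1\\ansi Quarterly report}"  # constructed sample file content

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the password; it never encrypts file data."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def format_volume(password: str) -> dict:
    """Create a volume header: salt, the random volume key wrapped under the KEK, a check value."""
    salt, volume_key = os.urandom(16), os.urandom(32)
    return {
        "salt": salt,
        "wrapped_key": keystream_xor(derive_kek(password, salt), volume_key),
        "check": hmac.new(volume_key, b"header-check", hashlib.sha256).digest(),
    }

def unlock(header: dict, password: str) -> Optional[bytes]:
    """Unwrap the volume key; returns None when the password does not match this header."""
    volume_key = keystream_xor(derive_kek(password, header["salt"]), header["wrapped_key"])
    check = hmac.new(volume_key, b"header-check", hashlib.sha256).digest()
    return volume_key if hmac.compare_digest(check, header["check"]) else None

def scenario() -> dict:
    password = "correct horse"  # constructed sample password
    header = format_volume(password)
    sectors = keystream_xor(unlock(header, password), PLAINTEXT)  # data as stored on disk
    # Erasing and re-encrypting the disk writes a new header with a new volume key.
    # Old sectors may still be carved out by a recovery tool, but their key is gone.
    new_header = format_volume(password)
    return {
        "original_header": keystream_xor(unlock(header, password), sectors),
        "wrong_password": unlock(header, "guess"),
        "new_header_same_password": keystream_xor(unlock(new_header, password), sectors),
    }

if __name__ == "__main__":
    for case, result in scenario().items():
        print(case, "->", result)
```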

















mac external-hard-drive encryption data-recovery decryption






asked Nov 28 at 11:13 by Danny Bravo
edited Nov 28 at 12:14
