Decrypt files recovered from encrypted external hard drive
I am trying to recover the data from one of the external hard drives of my company. I ended up using DiskDrill to extract all the files into a new, non-encrypted hard drive. Unfortunately I made the mistake of erasing the original hard drive before properly checking the exported data... :/
If I look at the recovered data, all the file structures and file sizes seem correct. But if I try to open any file I get a system error saying:
"The document “File.rtf” could not be opened."
I used cat to check the content of the file, and from the outcome it looks to me like it's still encrypted:
The command:
file - /Users/Cortana/Desktop/File.rtf
Returns:
application/octet-stream; charset=binary
The original disk was encrypted using FileVault. I do know the original password.
Is there any command I can run in Terminal (or anything else, really) to recover my data? I'm not an expert at Unix, so please explain it to me like I'm 5.
Thank you,
Danny
mac external-hard-drive encryption data-recovery decryption
How was the disk encrypted? Also, do note that the entire purpose of encryption is to not be able to break the encryption, so the answer is most likely going to be: restore from backups. You made backups, right?
– LPChip
Nov 28 at 11:57
The external hard drive was encrypted using FireVault. This was the backup.
– Danny Bravo
Nov 28 at 12:14
Does FileVault (FireVault?) have a recovery key / file you have a backup of? If it's anything like gpg or luks or ecryptfs, the passphrase only encrypts the "real" key.
– Xen2050
Nov 28 at 12:41
FileVault is whole disk encryption. I'm surprised DiskDrill even found filenames; I'd be more surprised if the data was recoverable, that rather goes against what whole disk encryption is about. If the keys are gone, so is the data. The keys were on the original drive.
– Tetsujin
Dec 2 at 10:22
Thanks @Tetsujin. DiskDrill asked me for a password to access the drive contents. It was able to discover the entire file system. I then started the recovery procedure and left it overnight. Exploring the files I realised it was actually able to recover the files that were created after a specific date, everything before that date seems to be encrypted... or possibly corrupted?
– Danny Bravo
Dec 2 at 12:54
edited Nov 28 at 12:14
asked Nov 28 at 11:13
Danny Bravo
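The last comment leaves open whether the older files are "encrypted... or possibly corrupted". As an added example (not part of the thread), this first-pass triage sorts a recovery folder by checking each file's leading signature against its extension and measuring byte entropy; the signature table, the 7.5 bits/byte threshold, the labels and the function names are assumptions chosen for illustration.

```python
import math
import os
import sys
from collections import Counter

# Leading bytes expected for a few common extensions (well-known file signatures).
MAGIC = {
    ".rtf": b"{\\rtf",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
}
SAMPLE = 64 * 1024  # bytes read from the start of each file


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, near 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, head: bytes) -> str:
    """Label one recovered file from its name and its first bytes."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic and head.startswith(magic):
        return "header-ok"            # starts the way this file type should
    if not head or head.count(0) == len(head):
        return "empty-or-zeroed"      # nothing was recovered into this file
    if entropy(head) > 7.5:
        return "high-entropy"         # looks random: ciphertext, or compressed data cut off from its header
    return "header-mismatch" if magic else "unknown-type"


def triage(root: str) -> dict:
    """Walk a recovery folder and return {relative path: label}."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = classify(f, fh.read(SAMPLE))
    return out


if __name__ == "__main__":
    for path, label in sorted(triage(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{label:16} {path}")
```

An `.rtf` file is plain text, so a "high-entropy" label on one means the bytes are not the document's plaintext; entropy alone cannot tell ciphertext from compressed data, so for formats that are compressed anyway the signature check is the meaningful one.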