Case Study
Stellar® recovers 400GB data from a FileVault encrypted and erased MacBook® SSD
The risk of permanent data loss hampered productivity and posed a significant threat to business operations.
Business Challenge
This case outlines recovery of 400 GB data lost from a MacBook® while it was being prepared for macOS High Sierra installation.
As the standard procedure, the MacBook® SSD startup volume needed to be erased and reformatted in APFS so as to prepare it
for fresh installation of macOS High Sierra. However, while attempting to erase the volume, the user received an error message —
“Could not create a Preboot Volume for APFS to install.”
The user then rebooted the MacBook® in Recovery Mode and used Disk Utility to erase the startup (and only) volume, resulting in loss of 400 GB data stored on the 512 GB SSD.
Unfortunately, there was no backup of this data, and further, the SSD had been secured with FileVault full-disk XTS-AES 128 encryption for the only user account configured on the MacBook.
By the time the MacBook® was brought to a Stellar® data recovery service center, it was in an unbootable state. It could only be rebooted with a fresh OS installation which would overwrite the erased data.
Problem Statement:
- The client needed to recover the entire 400 GB data from the unbootable and encrypted drive which also didn’t have a backup.
- Further, data recovery was needed without removing the SSD from the MacBook, as that would void the OEM warranty.
Data Recovery Approach – Steps, Challenges, and Solutions:
Stellar data care experts managed to retrieve the entire data successfully by using a mix of standard and proprietary data recovery tools and techniques followed through the stages of disk cloning, decryption, and data recovery, as follows:
1. Imaging the Mac SSD to an external HDD:
Imaging the Mac SSD was a critical step to obtain a ‘logical’ replica of the drive that could be cloned and further operated to gain access for decryption and data recovery. Without disk imaging, it wouldn’t be possible to operate on the native SSD’s system and data while it remained inside the MacBook.
The disk imaging step however faced an impediment— the MacBook had only one USB-C port which couldn’t be directly connected to the USB 2.0 Standard-A connector on the external HDD.
This problem was overcome by using a USB-C to USB 2.0 adapter for connecting and imaging the MacBook SSD, which was completed in 4 days.
2. Cloning the HDD image of Mac SSD:
Stellar data care experts used proprietary cloning software to create clones of the MacBook SSD via its HDD disk image. The process copied entire data of the SSD including the information to boot to the operating system on the original drive.
The clones were created on two separate HDDs to serve as backup in case of any contingency which was anticipated considering the complexity of this case. Disk cloning was completed in a day’s time.
3. Decrypting the Mac SSD clone:
Decrypting the Mac SSD clone was the most challenging aspect of this data recovery case. The challenge began right with— how to access the clone of a native MacBook SSD having disk-level encryption on a secondary host (non-OEM machine)? This would essentially require meeting two necessary conditions —
- Mounting the clone on a secondary host machine that could emulate the original MacBook hardware to test out the possibilities of decryption.
- Devising a mechanism to enter the password for FileVault-enabled account so as to unlock the encryption key.
Stellar® R&D engineers broke down this formidable problem into smaller pieces, as follows:
- Mounting SSD clone and recreating the login screen:
- This step focused on recreating the login screen for entering the password for FileVault enabled account. As the clone was essentially a formatted boot volume with disk-level encryption, macOS couldn’t boot into the main system on the startup volume; so, there was no screen or mechanism to input the decryption key.
- Stellar® R&D team implemented a proprietary technique to reconstruct the necessary information which enabled them to boot the drive from powered-off state and prompt the password screen via a Windows machine. Subsequently, the team requisitioned the password for the FileVault-enabled account from the client and entered it to unlock the encryption key that protects the startup volume.
Decrypting the clone via command line:
The encryption key unlocked after successful account login was entered to decrypt the Startup volume. However, the decryption process couldn’t complete due to the following reasons:
- The APFS file system on the drive was found to be corrupt, due to which the decryption process was getting hindered.
- The Device Block Size of the original MacBook SSD was 4096 bytes (as compared to 512 bytes on ordinary SSDs), which could be decrypted only on the original Mac device.
The R&D team did certain changes on sector level to begin decrypting the APFS boot drive via command line. This was achieve by connecting the MacBook SSD clone (HDD) to the original MacBook and using command line to fully decrypt it on the host machine.
The drive was successfully decrypted in about 7 days’ time, and the challenge was to trace down and recover the data by wading through the SSD’s unknown (and unaccounted) history of erasure.
4. Deep scanning for data recovery:
After successfully decrypting the clone HDD and regaining unrestrained access to the erased volume, the next step was to perform data recovery.
The data care experts used Stellar® Data Recovery Software to deep scan and perform file signature-based search to locate fragments of the lost data on the erased drive.
The software managed to retrieve the entire 400 GB data from the HDD. The data was recovered intact, with full integrity, as verified by the client.
Result
Stellar data care experts managed to recover the entire data with 100% integrity and delivered it within the committed timeline.
“Thanks to stellar for recovering my important data from my MacBook hard drive. I am very satisfied with services and the staff cooperation from Stellar. I am happy to take stellar data recovery services.”
Statement from the customer:
"We are thrilled with the successful recovery of 400 GB of data, restored with 100% integrity by Stellar. Their expertise ensured that all our critical information was retrieved perfectly."
Individual User
Read More Case Studies
Individual User
Recovered 512GB from a Physically Damaged MacBook Pro with APFS Encryption
Individual User
Data Recovery from a TRIM-Enabled LITE-ON 120GB SSD
Leading Mining & Natural Resource Company
RAID 5 Recovery - 25 TB Data Recovered for a Prominent Mining & Natural Resource Company
Leading Matrimonial Services
