Recover files from a damaged Macintosh disk

Recovery of files form Macintosh disks

Apple Macs use a file system called HFS, and HFS+. CnW Recovery has routines to assist in reading and recovering such drives. The CnW, PC Windows program will often read and recover disks that standard Mac tools cannot touch. Files recovered are stored on the PC, but fortunately, Macs can always read PC CDs and DVDs, so transfer back to a Mac is not an issue.

Many Mac drives do start differently as they do not have a compatible boot sector, but a Mac drive will typically start with a sector where the first 2 bytes are always ‘ER’ The next few sectors start with the letters ‘PM’. Details of partitions are stored in these sectors, but typically Mac disks only have a single partition. CnW Recovery software will allow for 3 partitions.

Current Mac systems do have a more compatible master boot sector. It has a single entry with a file partition type of 0xEE. Following this sector are up to 31 partition sectors, and the first one always starts “EFI PART”. Details of each logical partition are then stored in 128 byte entries.

When CnW reads a Mac disk it will detect that it is a Mac disk and go to the Macintosh Recovery screen where various parameters on the disk will be displayed. This includes the option to scan the disk for existing partitions, as well as the ability to change the values for possible starts of a partition, block size and other parameters.

There three ways that files may be recovered, a full logical, a mode that extracts every leaf node from the catalog, and final one that scans the compete disk for catalog leaf nodes. Where a complete directory path cannot be generated, dummy directory names will be created. There are several tools that allow for scanning of the disk and locating possible partition starts and catalog starts so that truly corrupted disk can still be recovered without too much trial and error.

Resource forks
A Mac stores data in two sections, a data fork and a resource fork. For most files the resource fork is empty, but for certain files, both forks exist. On the Mac, both forks are stored in the same file, and so only one name is used. The method used to store these files on a PC is to use the AppleDouble format which is compatible with OS X. This creates a separate file for each data fork, and each resource fork. The resource fork file also contains metadata giving details of the application that should be used to open the file. If the main file is testfile.doc, the the associated resource fork will be a hidden file ._testfile.doc

Copy problem - resolved
When copying files from a PC disk to a Mac it has been common to see the error message below displayed on the Mac

'The operation cannot be completed because you do not have sufficient privileges for some of the items'

CnW Recovery have worked on a solution that so far appears to help. The problem has been tracked down to short cuts and hypertext links pointing to non existent files or applications. To overcome this problem, CnW software now examines the resource forks of files being created and removes the ‘slnk’ and hlnk’ values in these files. The current results are encouraging, and copy copies of recovered disks can now be performed with out stopping for errors. A recent recovery involved copying 400GB of data from a CnW created NTFS disk of files to a Mac. This copy proceeded without a pause, and all files copied.

Recovery from a Remote Wipe - it may be possible!

Remote Wipe
Apple has a security feature so that if your apple device is stolen it can be remotely wiped, and so there is no danger of your security being compromised. Is it safe, and can the data be recovered.

On the basis of one such example, and also a similar report from an American journalist, the answer is that the wiping is not complete, and much data can be recovered. Our customer had a Mac that was in effect blank and so no access to the data. In order to recover any possible data it was necessary to create an image of the internal disk drive, or logical storage.

Disk image process.
The Macbook Air is a very slim device and does not contain a standard disk drive. Many contain SSDs. Also the problem of cracking the case open is not for the faint hearted so to obtain an image of the hard drive, the Apple was booted with Linux. This process is simple (and there are probably several ways of doing this).

● Create a bootable Ubuntu DVD (DVD image is downloaded from http://www.ubuntu.com/download (Version 12 was used in this case).
● Insert DVD in Apple, or external DVD drive. On power up press the ‘c’ key, and the apple will boot off the Ubuntu disk.
● Supply an external (probably USB) disk drive large that the internal drive capacity
● Make sure the external drive is clean to prevent any data contamination.
From Ubuntu determine the drive device names and the do a ‘DD’ from the internal drive to the eternal drive. An ● example might be
sudo -i
dd if=\dev\sda of=\dev\sdc - This was a slow process and there may be a better command
● The final result will be an image of the Mac drive on the external drive

What was on the drive

● Yellow - blank sector.
● Cyan - Compressed data, or a sector with more than 200 different byte values.
● Red - a possible file signature, will be the start of file with data carving

For a good disk one would expect to see the start with many files (mainly compressed data, cyan) but with many file starts (red line). On the recovered image the compressed data started at sector 0x64028 which is where the file system normally starts. There was an area of random data (could also be encrypted, but not possible to tell). Then the disk is padded to about 64GB with blank sectors. This means that for the 250GB disk drive, the first 25% has been wiped, and no recovery will be possible. The rest of the disk does contain data.

Data recovery
The examination above shows that the first 25% of the has been wiped, and this will contain most of the directory structure of the disk. Thus the only way to recover data is with data carving. The CnW data carving routine found many thousands of photos, and the majority were not fragmented. There were also many good videos.

Will this always work?
It is not possible to say if this process will always work. The curious fact is that on the example we saw, and the one reported in America, both had the same 64GB of data overwritten. It was suggested that was the amount that was written before the process was stopped. It could however be that it is all that is overwritten. It does look as recovery of 75% of data may be possible, although with the restrictions of data carving. CnW does though often product filenames containing the date of a photo, or title of an MP3 or DOCX file even when data carving. Download demo here.

With SSDs, there may always be a problem of TRIM commands working in back ground removing data