Skip to content

Instantly share code, notes, and snippets.

@r0mdau

r0mdau/HFS.md

Last active October 20, 2024 15:31
Show Gist options
  • Save r0mdau/f260135d862c0fcfd04fc9555438f530 to your computer and use it in GitHub Desktop.
Save r0mdau/f260135d862c0fcfd04fc9555438f530 to your computer and use it in GitHub Desktop.
Download ZIP
How to recover pictures and files from failed MacOS / HFS+ hard drive with Linux
Raw
HFS.md

How to recover pictures and files from failed MacOS / HFS+ hard drive with Linux

A couple months ago, a friend ask me to repair a failing macintosh.

It appears the hard drive has multiple failures from SMART anlysis.

Next reboot... Oh crap, the operating system does not start anymore. The drive contains 10 years of pictures to recover. A heart pinch :'(

Important thing to know, if (certainely) the disk is crypted and you don't know the principal user login password, this tutorial will not help you.

But it's going to be exciting, so let's GO and deep dive inside HFS !

1st backup smoothly the drive

This first step is not mandatory. You can work directly on the drive. But it's the longest and safest way to proceed.

To begin, identify the partition containing datas, usually it's the second partition. And after, rescue datas.

I use GNU ddrescue to do the job :

# -f to overwrite output device or partition
# -n to skip the scraping phase --> copy first non damaged zones
ddrescue -n -f /dev/sdb2 /media/safe/disk.img mapfile

# -r retry passes 3 times --> try directly damaged zones
ddrescue -r3 -d -f /dev/sdb2 /media/safe/disk.img mapfile

/media/safe/disk.img will be the file image of the partition. Note the safe word in path :D

And after ddrescue the third (or next) partition because it contains a precious 'wipekey'.

2nd mount HFS+ image

Install prerequisites

Two packages needed for next steps on Linux Debian distros

apt install -y hfsplus libfvde-utils

Check sector size and first sector

fdisk -l disk.img
-->
Sector size (logical/physical): 512 bytes / 512 bytes
...
Device  Start   End Sectors Size    Type
disk.img    1550336 976771071 975220736   465G Apple Core storage

Check if filesystem is encrypted

# 512 represents sector size and 1550336 the first sector
fvdemount -o $((1550336*512)) disk.img /media/hfs
-->
Unable to unlock source volume

If no message, the image is mounted, you can continue to the 3rd step.

But if you see this message, the image is encrypted.

Mount encrypted filesystem

For this step you need to mount the third partition of the drive : /dev/sdb3. As mentionned previously, I ddrescue it to /media/safe/wipekey.img.

And you need the user session PASSWORD.

mount -t hfsplus wipekey.img /media/hfs_wipekey

# and the magic happens
fvdemount -o $((1550336*512)) -e /media/hfs_wipekey/com.apple.boot.R/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey -p PASSWORD disk.img /media/hfs

Now you should find a file here /media/hfs/fvde1

2 options :

  • mount fvde1 --> you win
  • my case, corrupted filesystem, go to 3rd step

ps: mounting fvde1

mount -o loop,ro /media/hfs/fvde1 /media/my_pictures_are_safe

3rd time to photo recovery

Now it's time to read bit per bit every single bit in this filesystem. And for this hard task, the best software on earth, that kind of big heartache and deliverance after nights of tears : PhotoRec

So simple to use with a practical command line interface.

./photorec_static /media/open/fvde1

Go to the PhotoRec homepage to dig deeper, it can recovery videos, excel documents... 'excel on mac :o'

To conclude

I hope my english was not so bad since you have read this last line. And don't hesistate to contact me if I write something wrong.

@sydbarrett74
Copy link

Thank you for passing on this wisdom in such a concise and user-friendly fashion. Your writing surpasses that of many native English speakers I know, so no worries as far as that goes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment