Mounting encrypted MAC partitions
Dear all on forum…
I have been asked if I can recover and decrypt data from an external hard drive.
From asking how the data was encrypted, it sounds like the native MAC application 'Disk Utility' was used to encrypt it. However, half way through the encryption, this was cancelled (the decrypt option was selected) as the owner of the drive realised that 'My whole life is on this and I haven't backed it up… probably a good idea if i did that first before encryting it' lol Hence, why the decrypt was pushed as a kneejerk reaction to the above.
from looking at it in 'diskutility', it states in some screens that the drive is completely full, and in other screens that there is nothing there?
However looking at it in Xways, almost 60% has raw data in, with no obvious text or breaks, so it makes me think that the encryted data is there.
I have tried running encase scripts, and blacklight over it and (as expected) it carves nothing.
I can not get the 'enter password' to prompt either.
So does anyone know if there is a way of carving out (what looks to be) the encrypted data section, mounting it, and then entering the password to decrypt it all?
Its a long shot i know, but any help is most appreciated.
I assume it's been encrypted with the File Vault process? If that's the case I would actually suggest reconnecting the drive to the original machine and running through the encrypt process in its entirety and then running the decryption from after that.
I've never had much luck attempting to decrypt drives/images with third party tools that have been encrypted via the File Vault utility.
Thanks so far for all the help guys… most appreciated.
@AGP_Analyst - He said the drive was encrypted using standard MAC tools (hadn't downloaded anything in order to encrypt the drive), so I would imagine that file vault was used. Still…certainly worth a go.
@Calimelo - Thanks for the command line as that saves me time and a half going through all the forums!
Will let you know either way on the above.