need to recover keychain from apfs

rakali
Posts: 3
Joined: 29 Dec 2019, 11:42

#1 Post by rakali »

Long story short! I keep an encrypted .dmg of my boot disk. I thought I had saved the password, but apparently. Ow.

If I can recover the keychain from the unencrypted APFS volume, I hope my password is inside. I know my keychain password, of course.

The SSD has already been overwritten with Debian and several gigabytes.

I am dd’ing the disk now... Any advice? Will TestDisk help with APFS?

Or is it up to PhotoRec? Will it find Mac keychain files?

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: need to recover keychain from apfs

#2 Post by cgrenier »

TestDisk will probably not work as too much data has been overwritten.

I don't know which format is used by mac keychain.
You can try with a known keychain file using fidentify or online via https://www.cgsecurity.org/photorec/

rakali
Posts: 3
Joined: 29 Dec 2019, 11:42

Re: need to recover keychain from apfs

#3 Post by rakali »

Thanks for getting back to me.

fidentify says 'login.keychain-db: unknown'. Is it necessary to upload a keychain file? I would prefer not to.

From a little cursory searching, it looks like an encrypted SQLite database. I can read some of the schema in a hex editor, such as "CSSM_DL_DB_SCHEMA_INFO".

One fact that might help: when reading with a hex editor, the two files I tested both start with '6B 79 63 68', which is 'kych'.

Can I use this information with PhotoRec somehow?

thanks
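
The 'kych' file start reported in post #3 can be used to search a dd image directly. The sketch below is an added example, not part of the thread and not TestDisk/PhotoRec code: it lists every block-aligned offset where the magic occurs and counts the non-zero bytes that follow, which separates a surviving header from one followed only by zeros. The 4096-byte alignment, the 512-byte probe window and the sample image are assumptions made for the example.

```python
import io
import sys

MAGIC = b"kych"   # 6B 79 63 68, the file start reported in post #3
BLOCK = 4096      # assumption: files start on 4096-byte block boundaries

def scan(stream, magic=MAGIC, align=BLOCK, probe=512, chunk_size=1 << 20):
    """Return [(offset, nonzero)] for each aligned occurrence of magic.

    nonzero counts the non-zero bytes in the `probe` bytes after the magic;
    0 means the header is followed by zeros only, i.e. nothing left to carve.
    """
    hits, buf, base = [], b"", 0
    keep = len(magic) + probe - 1      # tail carried into the next chunk
    while True:
        data = stream.read(chunk_size)
        eof = not data
        buf += data
        # Until EOF, only judge hits whose probe window is fully buffered.
        limit = len(buf) if eof else max(0, len(buf) - keep)
        pos = buf.find(magic)
        while pos != -1 and pos < limit:
            if (base + pos) % align == 0:
                window = buf[pos + len(magic):pos + len(magic) + probe]
                hits.append((base + pos, len(window) - window.count(0)))
            pos = buf.find(magic, pos + 1)
        if eof:
            return hits
        base, buf = base + limit, buf[limit:]

def build_sample():
    """Constructed 16 KiB test image, not data from a real disk."""
    img = bytearray(4 * BLOCK)
    img[BLOCK:BLOCK + 12] = MAGIC + b"\x01" * 8      # header with data after it
    img[2 * BLOCK:2 * BLOCK + 4] = MAGIC             # header followed by zeros
    img[3 * BLOCK + 100:3 * BLOCK + 104] = MAGIC     # unaligned chance match
    return bytes(img)

if __name__ == "__main__":
    # Pass a dd image path to scan it; without one, scan the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample())
    for offset, nonzero in scan(src):
        print(f"{offset:#012x}  non-zero bytes after magic: {nonzero}")
```

Run it against the image file rather than the live disk, so the source is only ever read once by dd; `align=1` also reports unaligned matches, at the cost of more chance hits.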

rakali
Posts: 3
Joined: 29 Dec 2019, 11:42

Re: need to recover keychain from apfs

#4 Post by rakali »

I've tried recovery with a couple of other tools and they both have the same behaviour. The login.keychain file is all 0000. I am wondering if this is a security element at play here?
