
Accidentally deleted files on FileVault-encrypted disk, recovery impossible?

Posted: 02 May 2021, 06:44
by mken
I accidentally deleted files with rm on my MacBook (macOS Catalina 10.15.7), which has a FileVault-encrypted disk.

I tried running PhotoRec on all combinations of /dev/disk0, /dev/rdisk0, and /dev/rdisk1 and their partitions: unknown (entire disk), EFI System, and Apple APFS. The deleted files were various bits of source code, so I selected the tx? and txt file options. The only results were a small number of .plist files.

Would it be wise to turn off FileVault and rerun PhotoRec? I fear that unencrypting the disk would rewrite everything and wipe out any remaining chances of recovering those files.

Re: Accidentally deleted files on FileVault-encrypted disk, recovery impossible?

Posted: 02 May 2021, 09:15
by recuperation
I have no experience with Apple.
Is this FileVault 2?
If yes, the whole disk is encrypted.
Similar to other whole-disk encryption schemes, in addition to the raw encrypted block device there should be a virtual unencrypted block device.
You should run PhotoRec with this device.
The fingerprints that PhotoRec is using are not visible anymore on encrypted devices.
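
The point in the reply above, that file signatures are not visible on an encrypted device, can be checked before starting a long carving run. The following is an added example, not part of the original thread or of PhotoRec: it samples blocks and reports whether they look like ciphertext. The function names, the 4096-byte block size and the thresholds are assumptions, and the demo input is constructed, with random bytes standing in for an encrypted device.

```python
import math
import os
import tempfile
from collections import Counter

BLOCK = 4096  # sample size in bytes (assumption)

def entropy(block):
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def is_text(block):
    """True when over 95% of the bytes are printable ASCII or whitespace."""
    printable = sum(1 for b in block if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(block) > 0.95

def survey(path, max_blocks=2048):
    """Classify the first max_blocks full blocks of an image or device node."""
    stats = {"blocks": 0, "zero": 0, "text": 0, "high_entropy": 0}
    with open(path, "rb") as f:
        for _ in range(max_blocks):
            block = f.read(BLOCK)
            if len(block) < BLOCK:
                break
            stats["blocks"] += 1
            if block.count(0) == BLOCK:
                stats["zero"] += 1
            elif is_text(block):
                stats["text"] += 1
            elif entropy(block) > 7.9:
                stats["high_entropy"] += 1
    return stats

def probably_ciphertext(stats):
    """No text blocks and nearly all non-zero blocks close to random."""
    used = stats["blocks"] - stats["zero"]
    return used > 0 and stats["text"] == 0 and stats["high_entropy"] / used > 0.95

def demo():
    """Constructed inputs: random bytes stand in for an encrypted device."""
    source = (b"int main(void) { return 0; }\n" * 200)[:BLOCK]
    verdicts = {}
    for name, data in (("locked", os.urandom(BLOCK * 64)),
                       ("unlocked", source * 48 + bytes(BLOCK * 16))):
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(data)
        verdicts[name] = probably_ciphertext(survey(tmp.name))
        os.unlink(tmp.name)
    return verdicts
```

`survey()` only reads, so it can be pointed at a disk image or a device node the user has permission to read. The verdict is a heuristic: a region holding only compressed files also scores as high entropy.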

Re: Accidentally deleted files on FileVault-encrypted disk, recovery impossible?

Posted: 02 May 2021, 16:38
by mken
Yes, it's encrypted with FileVault 2. Is the virtual unencrypted block device supposed to be in the list of disks? The only disks PhotoRec lists are /dev/disk0, /dev/rdisk0, and /dev/rdisk1, which I've already tried.

Re: Accidentally deleted files on FileVault-encrypted disk, recovery impossible?

Posted: 02 May 2021, 18:13
by recuperation
I have no experience with Apple, sorry.