cgsecurity.org

Hi folks,

First thanks to cgsecurity for making this suite - awesome work!

I've ran into a problem, and I'm getting the same result on both Windows and Linux.

I've taken a dd img of a drive from an old apple laptop I own. I'm trying to recover data from the "Apple Core Storage" partition. I'm aware that there's a HFS+ partition wrapped in there, and that I need to do a calculation to set a limit on mount. However, TestDisk isn't giving me the response I expected as can be seen below.

1) On loading up an image with TestDisk I get the following:



2) So, I proceed with a quick scan with the following result:


You can see that the middle partition, the one I'm interested in, is not listed.

3) I proceed with deeper scan and I get:





4) I tried PhotoRec to see if it would recover files (to determine if the drive was encrypted), some files were recovered but as far as I can tell they were unreadable. I don't know what this means (Is PhotoRec trying to build files from encrypted mumbo-jumbo? Is the drive simple half-dead?)

Can anyone think of anything which may be causing this?

TestDisk can not (for the moment) recover lost Apple Core Store partition but you don't need to recover a lost partition, so it's not really a problem.
If PhotoRec didn't recover meaningful files, it's probably because the filesystem is encrypted.
Unfortunately I have no solution in this case.

cgrenier wrote: 01 Dec 2021, 18:48 TestDisk can not (for the moment) recover lost Apple Core Store partition but you don't need to recover a lost partition, so it's not really a problem.
If PhotoRec didn't recover meaningful files, it's probably because the filesystem is encrypted.
Unfortunately I have no solution in this case.

I had a feeling this might be the case, I'm going to have to borrow a Mac and try and remember a 10 year old password... or mount it some other way.

Thanks for the reply!

I'll post back if I find a solution.