need to recover keychain from apfs

Posted: 29 Dec 2019, 11:49
by rakali
long story short! i keep an encrypted .dmg of my boot disk. i thought i had saved the password, but apparently. ow.

if i can recover the keychain from the unencrypted apfs volume, i hope my password is inside. i know my keychain password of course.

the ssd has already been overwritten with debian and several gigabytes.

i am dd’ing the disk now... any advice? will testdisk help with apfs?

or is it up to photorec? will it find mac keychain files?

Re: need to recover keychain from apfs

Posted: 29 Dec 2019, 21:09
by cgrenier
TestDisk will probably not work as too much data has been overwritten.

I don't know which format is used by mac keychain.
You can try with a known keychain file using fidentify or online via https://www.cgsecurity.org/photorec/

Re: need to recover keychain from apfs

Posted: 29 Dec 2019, 22:38
by rakali
thanks for getting back to me.

fidentify says 'login.keychain-db: unknown'. Is it necessary to upload a keychain file? I would prefer not to.

from a little cursory searching, it looks like an encrypted sqlite database. i can read some of the schema in a hex editor, such as "CSSM_DL_DB_SCHEMA_INFO".

one fact that might help, when reading with hex editor, the two files i tested both start with '6B 79 63 68' which is 'kych'

can i use this information with photorec somehow?

thanks

Re: need to recover keychain from apfs

Posted: 30 Dec 2019, 05:56
by rakali
I've tried recovery with a couple of other tools and they both have the same behaviour. The login.keychain file is all 0000. I am wondering if this is a security element at play here?
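
Added example, not part of the thread and not PhotoRec code: a small Python scanner that uses the 'kych' magic reported above to list candidate keychain headers in a dd image, and shows how much of the data behind each hit is non-zero (the all-0000 symptom from the last post). The 512-byte alignment, the 64 KiB inspection window and all function names are assumptions made for this sketch.

```python
import io
import sys

MAGIC = b"kych"      # 6B 79 63 68, seen at offset 0 of login.keychain-db in the thread
ALIGN = 512          # assumption: file starts fall on sector boundaries
CHUNK = 1 << 20      # read size; a multiple of ALIGN so aligned hits never straddle reads


def find_candidates(img, magic=MAGIC, align=ALIGN, chunk=CHUNK):
    """Return aligned byte offsets in the open image where `magic` appears."""
    if chunk % align:
        raise ValueError("chunk must be a multiple of align")
    hits, base = [], 0
    img.seek(0)
    while True:
        buf = img.read(chunk)
        if not buf:
            return hits
        hits += [base + off for off in range(0, len(buf), align)
                 if buf.startswith(magic, off)]
        base += len(buf)


def carve(img, offset, length=64 * 1024):
    """Read a fixed-size window starting at a candidate offset."""
    img.seek(offset)
    return img.read(length)


def nonzero_ratio(data):
    """Fraction of non-zero bytes; near 0 means the window is mostly zeros."""
    return sum(1 for b in data if b) / len(data) if data else 0.0


def build_sample():
    """Constructed 4 KiB image for demonstration, not real keychain data."""
    img = bytearray(8 * 512)
    img[1024:1040] = MAGIC + b"\x01" * 12   # aligned header followed by data
    img[2660:2664] = MAGIC                  # unaligned occurrence, ignored
    img[3072:3076] = MAGIC                  # aligned header, rest zeroed
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    # Usage: python scan.py disk.img  (no argument: run on the constructed sample)
    img = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample()
    for off in find_candidates(img):
        window = carve(img, off)
        print(f"offset {off:#x}: {nonzero_ratio(window):.1%} non-zero in first {len(window)} bytes")
```

Run it against the image file rather than the live device, so the scan never touches the original disk.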