How to recover pictures and files from failed MacOS / HFS+ hard drive with Linux

HFS.md

How to recover pictures and files from failed MacOS / HFS+ hard drive with Linux

A couple months ago, a friend ask me to repair a failing macintosh.

It appears the hard drive has multiple failures from SMART anlysis.

Next reboot... Oh crap, the operating system does not start anymore. The drive contains 10 years of pictures to recover. A heart pinch :'(

Important thing to know, if (certainely) the disk is crypted and you don't know the principal user login password, this tutorial will not help you.

But it's going to be exciting, so let's GO and deep dive inside HFS !

1st backup smoothly the drive

This first step is not mandatory. You can work directly on the drive. But it's the longest and safest way to proceed.

To begin, identify the partition containing datas, usually it's the second partition. And after, rescue datas.

I use GNU ddrescue to do the job :

# -f to overwrite output device or partition
# -n to skip the scraping phase --> copy first non damaged zones
ddrescue -n -f /dev/sdb2 /media/safe/disk.img mapfile

# -r retry passes 3 times --> try directly damaged zones
ddrescue -r3 -d -f /dev/sdb2 /media/safe/disk.img mapfile

/media/safe/disk.img will be the file image of the partition. Note the safe word in path :D

And after ddrescue the third (or next) partition because it contains a precious 'wipekey'.

2nd mount HFS+ image

Install prerequisites

Two packages needed for next steps on Linux Debian distros

• to mount HFS+ you will need hfsplus
• to mount crypted HFS+ you will need libfvde-utils

apt install -y hfsplus libfvde-utils

Check sector size and first sector

fdisk -l disk.img
-->
Sector size (logical/physical): 512 bytes / 512 bytes
...
Device  Start   End Sectors Size    Type
disk.img    1550336 976771071 975220736   465G Apple Core storage

Check if filesystem is encrypted

# 512 represents sector size and 1550336 the first sector
fvdemount -o $((1550336*512)) disk.img /media/hfs
-->
Unable to unlock source volume

If no message, the image is mounted, you can continue to the 3rd step.

But if you see this message, the image is encrypted.

Mount encrypted filesystem

For this step you need to mount the third partition of the drive : /dev/sdb3. As mentionned previously, I ddrescue it to /media/safe/wipekey.img.

And you need the user session PASSWORD.

mount -t hfsplus wipekey.img /media/hfs_wipekey

# and the magic happens
fvdemount -o $((1550336*512)) -e /media/hfs_wipekey/com.apple.boot.R/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey -p PASSWORD disk.img /media/hfs

Now you should find a file here /media/hfs/fvde1

2 options :

• mount fvde1 --> you win
• my case, corrupted filesystem, go to 3rd step

ps: mounting fvde1

mount -o loop,ro /media/hfs/fvde1 /media/my_pictures_are_safe

3rd time to photo recovery

Now it's time to read bit per bit every single bit in this filesystem. And for this hard task, the best software on earth, that kind of big heartache and deliverance after nights of tears : PhotoRec

So simple to use with a practical command line interface.

./photorec_static /media/open/fvde1

Go to the PhotoRec homepage to dig deeper, it can recovery videos, excel documents... 'excel on mac :o'

To conclude

I hope my english was not so bad since you have read this last line. And don't hesistate to contact me if I write something wrong.

Hey, thanks so much for this write-up!

For the first step, did you run it without the -r3 flag? as you mentioned the r3 flag is for retrying passes 3 times, so do I need to retry them or will I be ok without using the -r3 flag? Thanks!

Edit: I got it now after reading the manual! You run the second command to try and rescue the bad sectors.

Thank you for passing on this wisdom in such a concise and user-friendly fashion. Your writing surpasses that of many native English speakers I know, so no worries as far as that goes.