
Last night, I decided to try creating a Windows 10 recovery disk and boot from it on my Mac. While I was successful in formatting an SD card with the Windows recovery disk and booting to it, I made an error when I was prompted for a partition to install Windows on. Yep, I incorrectly selected my OS X partition where Windows 10 was installed. When I turn on the computer, it boots straight to Windows unless I hold down the Alt key.

I wasn't initially concerned as I thought everything on there was backed up, in the cloud, or not needed, but this morning, my wife asked if our wedding photos were safe (close to 200GB worth). I checked an old external HDD I used for Time Machine backups and the backups stopped before the photos were on the PC... Probably the photos were too big for the drive. I really thought I had them backed up somewhere else, but it doesn't look like I do.

I have a mid-2015 MacBook Pro with Ventura and used hard drive encryption when I initially set up the computer with OS X. Is there any possible chance I can still retrieve these photos? I figure since I've had the computer since 2016, and these photos were put on there in 2019, they wouldn't have been overwritten by the Windows installation. But, the fact that the drive is encrypted makes me feel this might be a lost cause, not to mention that this is APFS and not a lot of data recovery programs support it.

I'm concerned if I re-install OS X, that a new encryption key will be used and make recovering anything from the disk impossible. But maybe there's something I can do with the old Time Machine backups? Or any way to ensure the same encryption key is used for the drive when re-installing OS X?

1 Answer

> I have a mid-2015 MacBook Pro with Ventura and used hard drive encryption when I set up the computer...

Your old data is gone. In fact, turning on encryption is the exact thing that Apple recommends to prevent your data from being accessed when you erase your drive.

> I'm concerned if I re-install OS X, that a new encryption key will be used and make recovering anything from the disk impossible.

This is by design. Deleting files is one thing. Deleting encrypted files means you are deleting data that was intentionally “scrambled” to begin with. No tool will be able to put that puzzle back together.

> But maybe there's something I can do with the old Time Machine backups?

It’s impossible to recover data from where it didn’t exist previously. You’d need to go back in time (no pun intended) and back up those photos for (Apple) Time Machine to be of use now.

Allan
  • Thanks for the quick reply, @Allan. Trying to understand this a little better: would TRIM automatically apply for the Windows installer as well? If it didn't, and there were somehow a way to restore OS X with the same encryption key, in theory would I be able to run some data recovery program? – Daniel Pulitano Mar 13 '23 at 21:40
  • TRIM has nothing to do with the OS and everything to do with the drive interface. When the OS sends the command to delete, the hardware takes over and marks the block for deletion and available for writing. Once you overwrite a drive and encrypt it, every block that had the tiniest potential to be recovered is now sent into oblivion. – Allan Mar 13 '23 at 21:44
  • Got it. I just want to clarify that the encryption was set up for the initial OS X installation, but I don't believe the Windows data is encrypted. It sounds like that may not make a difference though because when I told the Windows installer to erase this partition, the SSD's TRIM mechanism will set the data to 0s? – Daniel Pulitano Mar 13 '23 at 21:53
  • It doesn’t matter. It was encrypted first which makes data recovery impossible. Then you overwrote it which made the impossible even more impossible. What TRIM is set to means nothing, it can be zeros or garbage. Either way, the data is gone. – Allan Mar 13 '23 at 21:56
  • I appreciate your time to respond. I'm wondering if you can shed light on why "It was encrypted first which makes data recovery impossible" is the case before I accept the answer. Is the encryption key-hash (I'm prob using incorrect terms) stored in some deterministic sector on the hard drive or in a separate chip? Can you speak to my theory that I might be able to restore that? As for the overwriting of the data -- I'm not so sure. My guess is that the Windows installation is only a few GB of data, and would be stored near in early sectors of the SSD. My pictures would be in later sectors. – Daniel Pulitano Mar 13 '23 at 22:13
  • When you encrypt, you scramble the data where a key is needed. When you erase, you’ve marked each block for writing and instructed any read command to return a zero, then you overwrote those same blocks with new data. Think of taking a jigsaw puzzle, covering the picture with special paint so that only a special light will let you see the contents. Then scramble them into their individual pieces, then bleach them so the paint and original image is gone. Now try to put it back together. All you’ll have is a blank canvas. This is basically the scenario you’ve got. – Allan Mar 13 '23 at 22:41
  • I'm still curious if you or anyone else knows how the 2015 MacBook Pros (pre-T2) decrypt hard drives to read it. Is there a certain file or section in the hard drive that has the function, which when a correct password is passed, will decrypt the disk? Does this data change over time or is it set once when you set up the computer?

    I realized now that my Time Machine backups are data only, but if they were a full image of the disk, I wonder if this decryption function could be restored.

    – Daniel Pulitano Mar 16 '23 at 12:41
  • Whether or not you have a key, *the data has been overwritten*, T2 chip or not, the data is gone. Full stop. – Allan Mar 16 '23 at 13:56
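
A simplified model of the point the answer makes about a new encryption key after reinstalling, added here as an example that is not part of the original thread and is not Apple's FileVault code. It assumes a design in which a random volume key is wrapped with a password-derived key and stored in a header on the disk; the toy cipher, the function names and the sample data are all hypothetical.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for a real disk cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def kek_from_password(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's password and a per-volume salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def setup_volume(password: str) -> dict:
    """Enabling encryption: a fresh random volume key is generated every time,
    wrapped with the password-derived key, and stored in the volume header."""
    salt = os.urandom(16)
    volume_key = os.urandom(32)
    wrapped = keystream_xor(kek_from_password(password, salt), volume_key)
    return {"salt": salt, "wrapped_key": wrapped, "blocks": b""}

def unlock(volume: dict, password: str) -> bytes:
    """Unwrap the volume key from the header using the password."""
    kek = kek_from_password(password, volume["salt"])
    return keystream_xor(kek, volume["wrapped_key"])

def write(volume: dict, password: str, plaintext: bytes) -> None:
    volume["blocks"] = keystream_xor(unlock(volume, password), plaintext)

def read(volume: dict, password: str) -> bytes:
    return keystream_xor(unlock(volume, password), volume["blocks"])

def demo() -> tuple:
    photos = b"CONSTRUCTED SAMPLE: wedding-photo bytes " * 4
    old = setup_volume("same password")
    write(old, "same password", photos)
    leftover = old["blocks"]  # ciphertext that might survive in blocks not yet overwritten

    # Erase and reinstall: the old header is gone and a new random volume key is made,
    # even though the user types the same password again.
    new = setup_volume("same password")
    new["blocks"] = leftover
    return read(old, "same password") == photos, read(new, "same password") == photos

if __name__ == "__main__":
    print(demo())
```

In this model the password never encrypts the data directly, so choosing the same password again does not bring the old volume key back.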