I accidentally formatted an external 1TB HD to FAT file system using Disk Utility in Mac OS. The disk used to be HFS+ encrypted. Encryption was done when I created the OS X Extended partition, not using File Vault.
Any chance to recover any data at all? Can I somehow recover the partition information and rebuild the table?
Best Answer
Under certain circumstances a deleted external HFS+ encrypted volume can be recovered after the disk has been formatted to a FAT32 volume:
If nothing has been written to the FAT32 volume those parts shouldn't be overwritten.
To recover the encrypted volume you have to use Terminal and do some math.
Open Terminal and enter:
to get an overview and the disk identifier of the external disk. Below I assume the disk identifier is disk1
sudo dd if=/dev/disk1 of=/Volumes/BackupVolume_Name/disk1.bin
just in case something goes wrong or for a future with advanced recovery tools.Now get the partition table of the disk with:
You should get a similar result as this one:
The first partition is the EFI volume, the second the FAT32 volume of the external disk. Your partition 2 is much larger than the one in the example though.
Even if you get a different output with no GUID partition table but only an MBR
you can continue: encrypting a disk with FileVault requires a GUID partition table - so your disk previously had one. The probability to recover a FAT volume on a disk with a MBR seems to be much lower though. Apparently parts (namely some metadata and volume headers) may be overwritten by FAT32 file system stuff.
The same disk containing an encrypted external HFS+ volume should look like this:
The first partition is the EFI partition with a fixed size and start block, the third one is an Apple_Boot partition with a fixed size and start block relative to the last block of the disk and the remaining disk space allocated to the encrypted Core Storage Logical Group. All partitions are aligned to the physical block size of the disk (4096 Bytes).
To restore the old partition table you have to unmount the disk, delete the actual partition table and do some math to create a new one:
Now get the last block number of your disk (in my example that's 134217727) and substract 262183: LastBlockNumber-262183 is the start block of the 3rd partition (Apple_Boot). Add this partition with:
Check the size of the unallocated disk space between partition 1 and partition 3 with:
The size of unallocated disk space (UnAlloc) between index 1 and index 3 is probably the size of the old encrypted volume. The size has to be divisible by 8 - please check this! Add this as a partition with:
After entering the last command you should be asked for password of the encrypted disk. if not then try:
to get a list of CoreStorage items. Try to mount the encrypted volume with:
with LVUUID: the UUID of the encrypted Logical Volume (usually the last one listed). If your main volume is also encrypted choose the proper LVUUID!
If the volume mounts successfully save the most important files and folders to an external volume because mounting the encrypted volume doesn' t necessarily mean that the volume isn't corrupted.
Unmount the volume and run
diskutil verifyDisk /dev/disk1
anddiskutil repairDisk /dev/disk1
. The last command may completely corrupt the disk!This might still fail. The encrypted volume may still be recoverable though. But then I need more information, because special (invisible) non-file system items have to been read directly from disk with a HexEditor and then restored/replaced.