Data recovery on a failing, HFS+ formatted, Encrypted HDD?

Krynn72

Now, before I go any further I should say that I plan on telling him to go to a specialist since I've never done data recovery on a failing, encrypted drive before, but I'm wondering how you guys do this?

So the other day my sister's boyfriend came in with a hard drive he said belonged to a local university's graphics department. It was an external drive (just the internal hdd was brought, no enclosure, I think my sister did a quick test to see if it was just the enclosure and then told him to come here). I think it was from a WD MyBook drive though he wasn't sure. It was a WD Green (eugh) 1TB and he said there was about 150 gigs of important data they needed off the drive.

So I checked it in, plugged it into a test machine to see the state of it, and the SMART status lists lots of offline UNCs (300ish) and miniXP showed the drive as unpartitioned. I cloned the drive immediately, right before closing, and the cloner (Disk Jockey Pro) said it had to skip ~230 sectors. The next day he comes back in to drop off another external drive for the data to be put onto, and then mentions that there was a password to open the drive, which he didn't mention before, and which explains the "unpartitioned" space I saw. He also says it's used exclusively on Macs.

He couldn't remember the name of the software, but when I brought up WD Drive Lock he said the interface looked the same but that theirs looked like an older version. However, the Drive Lock software doesn't recognize a compatible HDD when either the clone or the original drive is connected.

So I have two main questions I guess. The first is, would I even be able to attempt recovery from a cloned drive, or would the encryption software see that it's no longer the same drive/control board and not let me do anything? And either way, how would I go about decrypting a drive that's bad enough that the software seems to not even see the drive anymore (or am I just possibly using the wrong software)?
 
The encryption is performed by the USB-SATA bridge that's incorporated into the case. It can be further encrypted by the software used to back up the data (WD SmartWare). The encryption key is stored on a sector at the end of the drive and is accessible only by the bridge board, and if that's not recovered by the cloning process, you're out of luck. If they didn't use a SmartWare password, you might luck out with a sector-by-sector clone and the clone installed in the original USB-SATA bridge.

Depending on the severity of the damage to the drive, you might have to use a hardware duplicator/imager that does a better job of recovering data from bad sectors than ddrescue or a regular cloning program that skips bad sectors. If the drive has bad heads or damaged firmware, there is nothing you can do to recover the data. I would stop right now and refer the case to a data recovery specialist if the data has any value.
 
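Added example, not part of the original thread: the reply above says the key sector sits at the end of the drive and is lost if the clone does not capture it, so a useful check on an image is whether any unread area falls in the drive's tail. This Python parses a GNU ddrescue mapfile (assuming the drive is re-imaged with ddrescue, which writes one); the sample mapfile is constructed and the 2048-sector tail window is an assumption, since the thread does not say how far from the end the key sector lies.

```python
# Added example: do unread areas in a ddrescue mapfile fall in the drive's tail?
# SAMPLE_MAPFILE is constructed for illustration (1 TB drive, 512-byte sectors).
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue
# current_pos  current_status  current_pass
0xE8E0DB5000  +  1
#      pos        size  status
0x00000000  0x3A3817D000  +
0x3A3817D000  0x00001000  -
0x3A3817E000  0xAEA8C37000  +
0xE8E0DB5000  0x00000200  -
0xE8E0DB5200  0x00000E00  +
"""


def parse_mapfile(text):
    """Return [(pos, size, status)] in bytes from a ddrescue mapfile."""
    rows = [l.split() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    # The first non-comment line is the status line, not a data block.
    return [(int(r[0], 0), int(r[1], 0), r[2]) for r in rows[1:]]


def unread_in_tail(text, tail_sectors=2048, sector=512):
    """List (first_lba, sector_count, status) of non-rescued areas in the tail.

    tail_sectors is an assumed window; the thread gives no exact offset.
    """
    blocks = parse_mapfile(text)
    disk_end = max(pos + size for pos, size, _ in blocks)
    tail_start = disk_end - tail_sectors * sector
    hits = []
    for pos, size, status in blocks:
        end = pos + size
        if status != "+" and end > tail_start:   # '+' means rescued
            start = max(pos, tail_start)
            hits.append((start // sector, (end - start) // sector, status))
    return hits


if __name__ == "__main__":
    for lba, count, status in unread_in_tail(SAMPLE_MAPFILE):
        print(f"unread: LBA {lba}, {count} sector(s), status '{status}'")
```

An empty result means every unread area lies outside the assumed tail window; it does not confirm that the key sector itself was read.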
As mentioned you need to stop doing anything if they place any real monetary value on the data. Contact RecoveryForce or 300DDR. If they are just on a fishing expedition then go to town.

You need to get it back into the enclosure or a working enclosure so you can properly look at the drive. WD does use their USB-SATA bridge to "encrypt" the data, which is a bad surprise many are finding out. Once in a working enclosure you should be able to see it with the appropriate OS. If it's used exclusively for Macs they have probably reformatted it to HFS+, doubt they did FAT.

As far as drive encryption itself. Not aware if the WD software works in OS X. Most Mac users I work with, including myself, are using the OS X built-in FileVault software for encryption purposes. But you never know.
 