Recovering APFS Data

One of my usual holiday duties is to fill the role of family tech support. This year I was assigned the difficult case of recovering data off of a seemingly broken-beyond-recovery SSD. The MacBook Pro in question was close to 10 years old and I had swapped a Samsung 850 Evo SSD into it a few years prior. The owner mostly lives on his iPhone and does not rely on the MacBook for intensive daily work tasks. The MacBook appears to have had some kind of internal hardware fault which lead to the corruption of the filesytem. After removing the SSD from the MacBook I tried to plug it into my Mac via SATA to USB adapter in order to run through a basic data recovery strategy but I quickly noticed that it was behaving in all kinds of unexpected ways. My Mac instantly recognised the drive itself, but was never able to activate or mount the any partition of filesystem.

It was there and appeared to within reach, but greyed out. I tried running First Aid on the drive and partition via Disk Utility but it kept spewing errors that didn’t give me any hope. After briefly googling I found that not much is available and most existing tools are still in the phase of trying to adopt APFS fully, like Disk Warrior.

After a bit more searching I found this great blog post describing a similar problem. On there a commercial but incredibly shady app was mentioned as well as the OSS, but experimental solution libapfs on Github. I first downloaded the commercial app, scanned the drive and saw that it was able to read the data on drive and reconstructed entire directories in the filesystem. This gave me hope right away. I stopped the scan, downloaded the Github project and started compiling it. The difference between the commercial data recovery app and libapfs was basically trying to read every block on the drive and reconstruct what made sense to it while the libapfs is trying to work around the formatting problems to actually mount the partition as usual so that you could open it via Finder and pull the data off the drive like you would usually do. After going through the fairly complicated compilation steps to setup libapfs it ended up not being able to read the drive which meant that this thing was properly scrambled.

% sudo fsapfsinfo /dev/disk3     
fsapfsinfo 20201107

Unable to open: /dev/disk3.
libfsapfs_container_superblock_read_data: invalid object type: 0x00000000.
libfsapfs_container_superblock_read_file_io_handle: unable to read container superblock data.
libfsapfs_internal_container_open_read: unable to read container superblock at offset: 0 (0x00000000).
libfsapfs_container_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input container.

A few years ago I had to run through the same process after HFS+ on my then brand new 5k iMac decided to mess itself up to the point of no return. All data recovery apps appear incredibly shady and back then I had settled on buying Disk Drill which allowed me to recover all my data as well as not do anything else that I didn’t approve of.
I think out of the few Mac data recovery companies that I have looked at the makers of Disk Drill appear to be one of the least shady ones. Maybe I am entirely wrong about this, who knows. The app works really well and starts out with a quick scan before it really does go through the entire drive in order to reconstruct everything.

Disk Drill was also able to reconstruct the entire macOS filesytem structure and I was able to walk through the user folders with the owner to recover all the valuable data. It was mostly a few photos and documents like CVs, etc. which totaled at around 10-20GB. He kept insisting that it was fine if he was going to lose the data but I had seen family pictures during the first scan which may not be valuable to him now but may become very valuable to him in the future. My goal was recover absolutely everything.

I do believe that this method is not possible if Full Disk Encryption is enabled, so I would recommend against enabling it if your valuable data only exists on that very Mac. Companies like Backblaze will happily back your data up and store it encrypted for you.
Another option would be to have another copy on an external drive or on a local NAS which automatically backs up your Mac like a Synology. Synology is probably the correct solution for most people as it gives you commercial support if you need it. I personally opted to build my own thing and run FreeNAS which has recently been renamed to TrueNAS Core, and I really enjoy it.

I hope that this little summary of what I attempted in order to solve this problems is going to help somebody out there, even if it’s just an endorsement to buy Disk Drill to recover your data.

31.12.2020