
Attempting recovery from a 4TB WDBUPB0040JSL

Open murphatron opened this issue 6 years ago • 5 comments

Hey folks! I'm trying to figure out how to retrieve data from this drive and I'm hoping I can get help here. The drive model is WDBUPB0040JSL-00 which is a 4TB Thunderbolt Duo. The enclosure has failed but the drives seem to be intact (at least based on the WD diagnostic tests). I'm unsure of what the chip is inside.

For this part, I'm going from memory since I'm not at home currently. Forgive me if I'm missing necessary details. I can provide more details when I get home later today, if necessary.

I've pulled one of the drives (the one marked "A") and I'm attempting the recovery with an Ubuntu boot disk. When I fdisk -l /dev/sde, it's showing /dev/sde2 as an "Apple RAID" type. I believe the RAID is a RAID 1 mirror. I'm not sure that the drives are actually encrypted; however, I haven't had any luck when trying to mount -t hfsplus /dev/sde2 /media/recovery. The error I get from mount is "wrong fs type, bad option, bad superblock on /dev/sde2, missing codepage or helper program, or other error". My assumption is that drive encryption might cause this, but I'm also thinking that this partition could be another FS type that may or may not be supported by Linux.

Chasing the encryption possibility, I loaded Go and reallymine and ran sudo ./reallymine decrypt /dev/sde /media/external. I ended up leaving this run for about 24 hours but ultimately decided to kill the process since the target image file was still reading 0 bytes. After reviewing the README more, I decided to ddrescue the drive to an image and try to locate the DEK on the image with sudo ./reallymine dumpkeysector /media/external/recovery.img ~/keysector. This is still running at the moment (as far as I know) and has been running for going on 2 days. My thinking now is that the script is performing a slow sweep for the key sector since it's not in any known expected places.

I'm wondering now if I'm on the right path with this. I've read in some of the other issues that folks can tell whether it's encrypted or not by running file -s on the drive, but I don't know what I'm looking at there.

Any help here is greatly appreciated. Thanks!

murphatron avatar Mar 21 '19 12:03 murphatron

The fact that you can see that it is Apple RAID indicates already that the disk is not encrypted.

themaddoctor avatar Mar 21 '19 15:03 themaddoctor

I should probably add a heuristic that would try to see if the disk might already be unencrypted and warn about that, but that'll have to wait for when I do rewrite this.

andlabs avatar Mar 21 '19 15:03 andlabs
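
A sketch of the kind of check discussed in the two comments above, added here as an illustration and not reallymine's code: if the first sectors of the disk or image carry a valid MBR or a GPT header whose CRC validates, the data is readable as plaintext and a key-sector search is unnecessary. The function names, the 7.5 bits/byte entropy threshold and the sample image are assumptions made for this example.

```python
import math
import struct
import zlib
from collections import Counter

def gpt_header_ok(image: bytes, sector: int) -> bool:
    """True if LBA 1 holds a GPT header whose CRC32 validates."""
    hdr = image[sector:sector + 92]
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        return False
    size, stored = struct.unpack_from("<II", hdr, 12)
    if not 92 <= size <= sector:
        return False
    raw = bytearray(image[sector:sector + size])
    raw[16:20] = b"\0\0\0\0"  # the CRC is computed with its own field zeroed
    return zlib.crc32(bytes(raw)) & 0xFFFFFFFF == stored

def mbr_ok(image: bytes) -> bool:
    """True if LBA 0 ends in 55 AA and has a non-empty partition entry."""
    if len(image) < 512 or image[510:512] != b"\x55\xaa":
        return False
    return any(image[446 + 16 * i + 4] != 0 for i in range(4))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(image: bytes) -> str:
    """Classify the leading sectors of a disk or image (heuristic only)."""
    for sector in (512, 4096):  # 512-byte and 4Kn logical sector sizes
        if gpt_header_ok(image, sector):
            return "plaintext-gpt"
    if mbr_ok(image):
        return "plaintext-mbr"
    return "high-entropy" if entropy(image[:8192]) > 7.5 else "unknown"

def constructed_gpt_image(sector: int = 512) -> bytes:
    """Constructed sample: protective MBR plus a minimal valid GPT header."""
    mbr = bytearray(sector)
    mbr[450] = 0xEE                  # partition type of the first MBR entry
    mbr[510:512] = b"\x55\xaa"
    hdr = bytearray(sector)
    struct.pack_into("<8sII", hdr, 0, b"EFI PART", 0x00010000, 92)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr[:92])) & 0xFFFFFFFF)
    return bytes(mbr + hdr)

if __name__ == "__main__":
    print(classify(constructed_gpt_image()))
```

To try it on real data, pass the first 8 KiB of the image read in binary mode to `classify`; a "high-entropy" or "unknown" result is only a hint and does not prove the disk is encrypted.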

Thanks @themaddoctor. I know this is out of scope for reallymine but do you have any pointers for getting this thing mounted? I can't find much information about what "Apple RAID" is or which filesystem it uses. I've tried HFS+ but no luck there. I feel like Apple propriety is going to force me to hunt down a Mac.

murphatron avatar Mar 21 '19 15:03 murphatron

RAID1 means that the two disks are copies of each other. There has to be a file system on there somewhere. What kind of file system depends on the computer that was using the disk, I suppose.

You might try testdisk to see if it can find the file system. I don't use that app often, so I can't tell you how, but try to find an option to NOT alter the disk if it finds anything.

themaddoctor avatar Mar 21 '19 15:03 themaddoctor

Great, I'll give that a try. Thanks for the lead!

murphatron avatar Mar 21 '19 15:03 murphatron