APFS data recovery using Linux

 · Systeemkabouter

Somebody I know had her Macbook Air crash a long time ago and took that event as a good time to get a newer model. But the data on the laptop was never recovered. Recently she was getting ready to get rid of old stuff and this old MBA turned up. I figured it would be fun to see if I could salvage some or all of the data.

Trying with Macos first

At first I tried some usual recovery path. Cleat NVRAM, recovery boot etc. I was lacking a USB bootdisk for the older hardware and my recent USB boot drives would not boot on the 2010 macbook. Creating or even downloading older releases of Macos on a fully updated Macbook turned out to be a non-starter. The app store will just complain that the software on the laptop is more recent. Yeah, thanks, I knew that. So apparently I need a rather old mac with a rather old Macos install to even create a rescue disk for this poor system. Reinstall of the OS via Internet Recovery is also not available anymore.

Looking for a recovery linux distro

There are some analysis/recovery geared linux distributions that contain specific tools. But I could not find any carrying support for apfs out of the box.

Zorin / Ubuntu to the rescue

So then I just tried the vanilla Zorin 16 USB stick I still had lying around. I booted the macbook air with it: success It detected the internal drive just fine, so I configured wireless network access en searched the apt repositories for anything apfs related. It turns out Zorin (but probably via the Ubuntu repos) carries a package called libfsapfs-utils

MBA 2010 running Zorin Linux from stick larger version

I installed the package and used the fsapsfsinfo command to explore the partition. This produced the following output: 

root@zorin:~# fsapfsinfo /dev/sda2
fsapfsinfo 20190210

Apple File System (APFS) information:

Container information:
    Identifier      : 52ad9d13-48e1-44d1-8fba-5ddef43eb88a
    Number of volumes   : 4

Volume: 1 information:
    Identifier      : 82b13768-382b-305d-8613-227f6081bed2
    Name            : Macintosh HD


Volume: 2 information:
    Identifier      : c25e4e1d-1fb2-427c-bf55-3bd686fe9623
    Name            : Preboot


Volume: 3 information:
    Identifier      : 494d991e-293a-4d3d-b717-0716909636df
    Name            : Recovery


Volume: 4 information:
    Identifier      : 76a98947-9ad3-4f0a-a723-e60ac19438e6
    Name            : VM

So than it was just a case of creating a mount point and trying to mount the first volume. 

# mkdir /mnt/mac
# fsapfsmount -f 1 /dev/sda2 /mnt/mac

This worked instantly, and I was able to list directories on the apfs volume. The tool states that it supports apfs volume encryption, but this volume clearly was not encrypted, so I was not able to test that feature. 

root@zorin:~# ls -l /mnt/mac/
total 0
drwxrwxr-x 2 root root   0 Jan 19  2018 Applications
drwxr-xr-x 2 root root   0 Jan 19  2018 Library
drwxr-xr-x 2 root root   0 Jun 20  2012 Network
drwxr-xr-x 2 root root   0 Jan 19  2018 System
drwxr-xr-x 2 root root   0 Jun 20  2012 Users
drwxr-xr-x 2 root root   0 Jun 20  2012 Volumes
drwxr-xr-x 2 root root   0 Jan 19  2018 bin
drwxrwxr-t 2 root root   0 Jun 20  2012 cores
dr-xr-xr-x 2 root root   0 Jun 20  2012 dev
lrwxr-xr-x 1 root root   0 Mar 18  2018 etc -> private/etc
dr-xr-xr-x 2 root root   0 Aug  9  2012 home
-rw-r--r-- 1 root root 313 Oct  5  2017 installer.failurerequests
dr-xr-xr-x 2 root root   0 Aug  9  2012 net
drwxr-xr-x 2 root root   0 Mar 18  2018 private
drwxr-xr-x 2 root root   0 Jan 19  2018 sbin
lrwxr-xr-x 1 root root   0 Mar 18  2018 tmp -> private/tmp
drwxr-xr-x 2 root root   0 Jan 19  2018 usr
lrwxr-xr-x 1 root root   0 Mar 18  2018 var -> private/var
drwxr-xr-x 2 root root   0 Mar 18  2018 vm
root@zorin:~#

Listing directories is of course an excellent starting point, but ultimately I need to find out if that data can actually be read. I formatted a second USB stick to use the exfat filesystem. Then I turned to my trusty old friend rsync to copy data from apfs to the exfat volume. rsync is a great way to back up data but especially to resume backing up data when you need to kill the process somewhere along the way.

After some time I killed the process and validated that I could actually open some files on another Mac. That turned out good, so now it is syncing all the data using rsync.

The only issue I ran into when using apfs from linux, is that the du command did not return any real values for directory/files sizes. Zero everywhere. Not sure if it is an apfs issue or a linux filesystem driver issue.