Help needed: Android (encryption) .key recovery using Linux tools

Hello everyone! First time on the new forum! I'll cut straight to the chase.

A couple of months ago I unlocked the bootloader on my HTC M8 which wiped my data partition. Problem is I had formatted the micro SD card as adoptable storage. It contains some photos that I would prefer not to lose but is now encrypted.

I found this post: http://nelenkov.blogspot.gr/2015/06/decrypting-android-m-adopted-storage.html and started wondering if I could recover the deleted expand_%s.key from the wiped data storage.

All of the following on an old laptop running Kali:

I used dd to copy the data partition as per here http://www.nburles.co.uk/android/recovering-data-from-an-android-device-using-dd (mine was mmcblk0) and instead of step 3 I used testdisk to create an image.dd.

I then used extundelete, foremost and photorec to see if I can recover the deleted encryption key (.key file) but to no avail. My problem is that I don't believe these tools are looking for .key files and although photorec's documentation says it can recover .key files, there is no option of .key extensions under [File Opt] when I run it.

Am I doing something wrong? Any other ideas on how to decrypt the microSD card? Thank you all in advance

Bump??

Just to clarify, you are able to make the image of mmcblk0, it is called image.dd. You then mount the image via a loop device to something like /mnt/myrecoveryattempt. At that point you use your extundelete/foremost/photorec software to see what files can be recovered. It's at that point that the applications don't allow you to search for .key files. Is that correct?

Other questions.
When you mount the image, does df -T show that the file system is an ext file system?
What happens if you cd to the mount point and do ls -la? Do we see any files that can just be copied off?

Hello there! I was able to make an image of mmcblk0 and testdisk was indeed able to recognize the partitions. I did not mount the image.dd, I just straight used the utilities on the image file. Aren't all android 6.0 filesystems ext4? My device is an HTC One M8. I was counting on photorec's documentation saying that it can recover .key files but there was no such option under file options. Should I try to loop mount the image file? Kind of a noob here, just now trying to learn linux.

EDIT: I am now going to try and mount the image file and test your other questions.

EDIT 2: I ran df -t dev/loop0 (directory shown in the file manager) or df -t mnt/disk (where I mounted the image) and got "no file systems processed" as a message.
Trying to navigate to mnt/disk shows me all of the android folders

MIND YOU: This is the android file system, not the microSD card, so every file can be copied off

Well, if you can navigate to /mnt/disk and see all of the android directories, then the mounting was successful. We're happy there.

Photorec doesn't seem to be working for us. You also mentioned extundelete. What does the process look like for recovering files with that utility? What command(s) are you using, what are you expecting, what are you getting?

Hello, sorry for the late reply. The command I ran was extundelete --restore-all image.dd . I ran it straight on the image.dd without mounting it. It recovered stuff from folders like backup, dalvik-cache, lost+found, media, misc and data. File types are .bak, .tmp, .pset, and some binaries. Unfortunately, extundelete did not generate a /misc/vold folder inside the RECOVERED_FILES folder, meaning it did not find any deleted files there. When I run extundelete it says:
NOTICE: Extended attributes not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.

It says that if it's unmounted, it was not done properly and I should run fsck before continuing.
I just pressed y to continue

As it runs, it says unable to restore inode xxxxxx (directory): Space has been reallocated.
But there is no such message including misc/vold
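Before running undelete tools against image.dd it helps to confirm what the superblock itself says, because the extundelete warning quoted above is read straight from it. The script below is an added example, not anything posted in this thread: it parses the ext4 superblock at byte offset 1024 of a partition image, reports the block size, mount state and feature flags (including EXT3_FEATURE_INCOMPAT_RECOVER, the flag extundelete complained about), and builds a constructed sample superblock so it runs offline. The field offsets follow the ext4 on-disk layout; the sample values (volume name `data`, last mount point `/data`) are made up for the demonstration.

```python
"""Inspect the ext4 superblock of a raw partition image (added example)."""
import struct
import sys

SUPERBLOCK_OFFSET = 1024          # superblock starts 1 KiB into the partition
EXT_MAGIC = 0xEF53

# s_state bits
STATE_CLEANLY_UNMOUNTED = 0x1
STATE_ERRORS = 0x2

# feature flags relevant to undelete work
FEATURE_COMPAT_HAS_JOURNAL = 0x0004
FEATURE_INCOMPAT_RECOVER = 0x0004   # journal replay pending (unclean unmount)
FEATURE_INCOMPAT_EXTENTS = 0x0040
FEATURE_INCOMPAT_ENCRYPT = 0x10000  # per-file encryption (not the same as FDE)


def parse_superblock(data: bytes) -> dict:
    """Decode the fields an examiner wants before touching the image."""
    if len(data) < SUPERBLOCK_OFFSET + 1024:
        raise ValueError("image too small to contain an ext superblock")
    sb = data[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    magic, state = struct.unpack_from("<HH", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError(f"not an ext2/3/4 filesystem (magic 0x{magic:04x})")
    inodes_count, blocks_count_lo = struct.unpack_from("<II", sb, 0x00)
    (log_block_size,) = struct.unpack_from("<I", sb, 0x18)
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 0x5C)
    volume_name = sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace")
    last_mounted = sb[0x88:0xC8].split(b"\0", 1)[0].decode("ascii", "replace")
    return {
        "block_size": 1024 << log_block_size,
        "blocks_count": blocks_count_lo,
        "inodes_count": inodes_count,
        "state": state,
        "volume_name": volume_name,
        "last_mounted": last_mounted,
        "has_journal": bool(compat & FEATURE_COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & FEATURE_INCOMPAT_RECOVER),
        "uses_extents": bool(incompat & FEATURE_INCOMPAT_EXTENTS),
        "fs_encryption": bool(incompat & FEATURE_INCOMPAT_ENCRYPT),
    }


def recovery_advice(info: dict) -> list:
    """Turn the flags into the handling notes an examiner acts on."""
    notes = []
    if info["needs_recovery"]:
        notes.append("INCOMPAT_RECOVER set: journal replay pending; keep working "
                     "on a copy and do not fsck the original image")
    if not info["state"] & STATE_CLEANLY_UNMOUNTED:
        notes.append("state says not cleanly unmounted; mount read-only with "
                     "noload if you mount at all")
    if info["fs_encryption"]:
        notes.append("file-based encryption enabled: carved file contents "
                     "will be ciphertext")
    return notes


def build_sample_image(needs_recovery: bool = True) -> bytes:
    """Constructed test input: a 4 KiB blob carrying a plausible ext4 superblock."""
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0x00, 65536, 262144)        # inodes, blocks
    struct.pack_into("<I", sb, 0x18, 2)                     # 1024 << 2 = 4096-byte blocks
    state = 0 if needs_recovery else STATE_CLEANLY_UNMOUNTED
    struct.pack_into("<HH", sb, 0x38, EXT_MAGIC, state)
    incompat = FEATURE_INCOMPAT_EXTENTS | (FEATURE_INCOMPAT_RECOVER if needs_recovery else 0)
    struct.pack_into("<III", sb, 0x5C, FEATURE_COMPAT_HAS_JOURNAL, incompat, 0)
    sb[0x78:0x7C] = b"data"        # made-up volume label
    sb[0x88:0x8D] = b"/data"       # made-up last mount point
    return bytes(1024) + bytes(sb) + bytes(2048)


if __name__ == "__main__":
    # Usage: python3 sbinfo.py image.dd   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(SUPERBLOCK_OFFSET + 1024)
    else:
        blob = build_sample_image()
    info = parse_superblock(blob)
    for key, value in info.items():
        print(f"{key:>15}: {value}")
    for note in recovery_advice(info):
        print("NOTE:", note)
```

The output explains the two tool behaviours seen in this thread. photorec and foremost carve by file signature, and a file such as expand_%s.key holding raw key bytes has no header or footer to match, so no "[File Opt]" entry could ever find it; extundelete instead walks the journal and inode tables, which is why it could report inodes whose space had been reallocated. Whatever the superblock says, run the tools against a copy of the image and skip the fsck that extundelete suggests: fsck rewrites exactly the metadata the undelete depends on.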

What Android version are you running? Android 5+ encryption key is stored in part of the partition table and is encrypted with the user's password so you don't have to re-encrypt all of the data. [1]

I have no clue how to recover the encryption key, but this is info I know.

[1] https://source.android.com/security/encryption/

Hello! Did you ever find out how to recover the encryption key? I had the same exact problem and don't know where to start…

No unfortunately I could not recover the key. What I did was back up the entire drive and maybe I will be able to force decrypt it in the future with more powerful hardware. I didn’t have anything critical stored so I can just sit on it for now.

Thanks for the reply. Through research I am finding the same… At some point we will be able to decrypt 128-bit encryption, but right now, without the ability to grab that key from the factory reset phone, I do not believe there is any way to restore the data until then… I plan on doing the same, store the files away and wait. It was full of pictures my wife took so she is bummed. In a way though, it will be like a digital time capsule. :wink:

This might be of use:
http://www.forensicswiki.org/wiki/How_To_Decrypt_Android_Full_Disk_Encryption