QueTek
  
  
Back to Cyrus's Blogs
Sparse bundle recovery

Hardware and RAID configuration

A single drive.

Problem:

The backup sparse bundle is no longer mounted.

Diagnosis:

  • To recover data from a sparse bundle, one must have the following data and info:
    • Encrypted data, stored in a collection of small files called "bands"
    • User password
    • Encryption and key wrapping methods
  • Locating the band files is easy because the HFS+ volume seems intact.
  • The encryption method and key are stored in the "token" file which serves as the header of the sparse bundle.
  • In this particular case, the encryption method is AES in Cipher Block Chaining (CBC) mode. Since it is in CBC mode, we also need to find the formula to compute the initialization vector (IV). The last and also the most important parameter is the encryption key.
  • It is known that the encryption key is encrypted using the 3-key Triple-DES cipher method. And the key to decrypt it is the passkey derived from the user's password.

Solution:

  • Use File Scavenger® to scan the drive and restore all band files and the token.
  • Compute the passkey (the salt and iteration values are taken from the token)

    pass-key = PBKDF2(salt, password, iteration)

  • Compute the encryption key (the initial vector IV and encrypted_keyblob are taken also from the token)

    master-key = 3DES-EDE(passkey, IV, encrypted_keyblob)

  • Use the master-key to decrypt the band files.
  • Combine all band files together and reconstruct the disk image. Since it is sparse, zeroes will be filled in the unused areas.
  • Finally, use File Scavenger® to scan the disk image and extract the user's data.

Result:

  • It is a complete recovery.
  • About 48 GB of data is restored. The directory structure is also reconstructed.


Back to Cyrus' Blogs