Sunday, January 21, 2024

Recovering Data From An Old Encrypted Time Machine Backup

Recovering data from a backup should be an easy thing to do. At least this is what you expect. Yesterday I had a problem which should have been easy to solve, but it was not. I hope this blog post can help others who face the same problem.


The problem

1. I had an encrypted Time Machine backup which was not used for months
2. This backup was not on an official Apple Time Capsule or on a USB HDD, but on a WD MyCloud NAS
3. I needed files from this backup
4. After running out of time I only had SSH access to the macOS, no GUI

The struggle

By default, Time Machine is one of the best and easiest backup solution I have seen. As long as you stick to the default use case, where you have one active backup disk, life is pink and happy. But this was not my case.

As always, I started to Google what shall I do. One of the first options recommended that I add the backup disk to Time Machine, and it will automagically show the backup snapshots from the old backup. Instead of this, it did not show the old snapshots but started to create a new backup. Panic button has been pressed, backup canceled, back to Google.


Other tutorials recommend to click on the Time Machine icon and pressing alt (Option) key, where I can choose "Browse other backup disks". But this did not list the old Time Machine backup. It did list the backup when selecting disks in Time Machine preferences, but I already tried and failed that way.


YAT (yet another tutorial) recommended to SSH into the NAS, and browse the backup disk, as it is just a simple directory where I can see all the files. But all the files inside where just a bunch of nonsense, no real directory structure.

YAT (yet another tutorial) recommended that I can just easily browse the content of the backup from the Finder by double-clicking on the sparse bundle file. After clicking on it, I can see the disk image on the left part of the Finder, attached as a new disk.
Well, this is true, but because of some bug, when you connect to the Time Capsule, you don't see the sparse bundle file. And I got inconsistent results, for the WD NAS, double-clicking on the sparse bundle did nothing. For the Time Capsule, it did work.
At this point, I had to leave the location where the backup was present, and I only had remote SSH access. You know, if you can't solve a problem, let's complicate things by restrict yourself in solutions.

 Finally, I tried to check out some data forensics blogs, and besides some expensive tools, I could find the solution.

The solution

Finally, a blog post provided the real solution - hdiutil.
The best part of hdiutil is that you can provide the read-only flag to it. This can be very awesome when it comes to forensics acquisition.


To mount any NAS via SMB:
mount_smbfs afp://<username>@<NAS_IP>/<Share_for_backup> /<mountpoint>

To mount a Time Capsule share via AFP:
mount_afp afp://any_username:password@<Time_Capsule_IP>/<Share_for_backup> /<mountpoint>

And finally this command should do the job:
hdiutil attach test.sparsebundle -readonly

It is nice that you can provide read-only parameter.

If the backup was encrypted and you don't want to provide the password in a password prompt, use the following:
printf '%s' 'CorrectHorseBatteryStaple' | hdiutil attach test.sparsebundle -stdinpass -readonly

Note: if you receive the error "resource temporarily unavailable", probably another machine is backing up to the device

And now, you can find your backup disk under /Volumes. Happy restoring!

Probably it would have been quicker to either enable the remote GUI, or to physically travel to the system and login locally, but that would spoil the fun.More info
  1. Hacking Tools Github
  2. Hacker Tools For Pc
  3. Hacking Apps
  4. Nsa Hacker Tools
  5. Hacking Tools For Beginners
  6. Hacking Tools 2020
  7. Hacker Tools 2019
  8. Hacker Tools Linux
  9. Pentest Tools For Windows
  10. Hacking Tools For Beginners
  11. Pentest Tools Bluekeep
  12. Hacker
  13. Hack Tools Mac
  14. Nsa Hack Tools Download
  15. Hacker Search Tools
  16. How To Hack
  17. Usb Pentest Tools
  18. Hacking Tools Kit
  19. Ethical Hacker Tools
  20. Tools 4 Hack
  21. Hacking Apps
  22. Hack Tool Apk No Root
  23. Hacker Tools Linux
  24. Hak5 Tools
  25. Easy Hack Tools
  26. Android Hack Tools Github
  27. Hacker Tool Kit
  28. Hacker Search Tools
  29. Hack And Tools
  30. Free Pentest Tools For Windows
  31. Hacker Techniques Tools And Incident Handling
  32. Pentest Tools Nmap
  33. Beginner Hacker Tools
  34. Top Pentest Tools
  35. Pentest Tools For Mac
  36. Pentest Tools For Windows
  37. Pentest Tools For Ubuntu
  38. Hacker Tools Mac
  39. Pentest Tools Download
  40. New Hacker Tools
  41. Best Hacking Tools 2019
  42. Pentest Tools Alternative
  43. Hacker Search Tools
  44. Hacker Tools Online
  45. Hacking Tools Usb
  46. Hacker Tool Kit
  47. Pentest Tools For Ubuntu
  48. Hacking Tools Github
  49. Hacking Tools For Pc
  50. What Is Hacking Tools
  51. Hack Tools Pc
  52. Easy Hack Tools
  53. Hacking Tools Online
  54. What Are Hacking Tools
  55. Hacking Tools 2020
  56. Pentest Tools For Windows
  57. Hacking Tools Name
  58. Tools 4 Hack
  59. Pentest Tools Url Fuzzer
  60. Hacker Tool Kit
  61. Tools Used For Hacking
  62. Usb Pentest Tools
  63. Hacker
  64. Pentest Automation Tools
  65. Underground Hacker Sites
  66. Hacking Tools Kit
  67. Pentest Tools Alternative
  68. What Are Hacking Tools
  69. Blackhat Hacker Tools
  70. Hacker Tool Kit
  71. Hacking Tools Pc
  72. Hacking Tools Usb
  73. Hacking Tools
  74. Hacking Tools Usb
  75. Android Hack Tools Github
  76. Hack Tools Mac
  77. New Hacker Tools
  78. Pentest Tools Review
  79. Hacker Tool Kit
  80. Hacker Techniques Tools And Incident Handling
  81. Hacker Tools Linux
  82. Pentest Tools Open Source
  83. Android Hack Tools Github
Posted by wear your heart out at 2:25 PM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)