Lead Image © Sgursozlu, Fotolia.com

Lead Image © Sgursozlu, Fotolia.com

macOS file recovery and security


Article from ADMIN 67/2022
macOS on-board tools and third-party applications can help prevent the loss of files and make security and backup your first priority.

If data loss under macOS is the result of defective hard drives, you need to adopt a structured approach for file recovery. Since macOS 10.15, the operating system has separated the system from the data, wherein macOS creates one volume for the system and one for data. Both storage locations use the APFS filesystem. Users only have read permissions for the system volume, which does not impose any restrictions on the user when working. At the same time, however, this provides better protection for the system. However, you do need to take this into account when recovering data and be careful when using recovery programs.

Additionally, access to files and folders by third-party apps is restricted (see the "Security and Privacy" box). The protected directories include Documents , Desktop , the iCloud drive, and Downloads . Furthermore, apps are not allowed to access external drives without permission. Another protection is that Gatekeeper in macOS checks whether apps are digitally signed and originate from the App Store. Starting in version 10.15, the system repeats this test regularly – not just when first launched.

Security and Privacy

Before I go into detail about the individual methods for dealing with recovering data on macOS, note that in System Preferences | Security & Privacy under the General tab, the Allow apps download from option usually should have only the App Store item selected. However, you will not be able to use some of the tools presented here if this is the case. To install these programs, you can enable App Store and identified developers now, and then change the settings back when you're done.

If you use a data recovery program and read this hard drive, you could aggravate the problem. If data has been lost because of a defective hard drive, the first step is to stop using the system. If it is clear that the hard drive is causing the trouble but is still generally working, it can be useful to make a complete copy of the disk (e.g., with Clonezilla [1]) before starting data recovery measures. After booting the Mac, the system can create an image of the disk; only then does it make sense to try to recover the data with data recovery tools.

Restore Data with On-Board Tools

Like Windows, macOS has a recycle (Trash) bin from which users can recover data. If synchronization with iCloud is activated in the settings on the Mac, then accidentally deleted data can be partially recovered from icloud.com on devices that are logged in with the same Apple account. These settings can be found in System Preferences | Apple ID | iCloud under the Options button (Figure 1).

Figure 1: macOS can sync data to iCloud for recovery of lost files.

Various volumes such as USB sticks have their own Trash bins. Some skill is required here because you can recover data from hidden files in the terminal. In the Finder, you can use the Cmd+Shift+. (period) keyboard shortcut to show hidden files.

The Library folder often still contains copies of deleted Microsoft Office documents. To open the Finder, press Cmd+Shift+G and enter the path (~\Library). Note that you have at least two Library folders: the system Library folder at the root level of your hard drive and the user Library folder under each user account on the system. The instructions here access the user folder. After that, search for the desired files in this folder. macOS also displays the Library folder when you hold down the Option key and click Go in the Finder menu. This is where you will find numerous files that can possibly help with file recovery.

To search for hidden files in the terminal, you can configure macOS to show hidden files there:

defaults write com.apple.Finder AppleShowAllFiles true
killall Finder

The false option lets you switch off the display again. On external data media, the Trash bin can be found as the .Trashes folder, where you might find further files that you can restore with the terminal.

Time Machine is available in macOS as a general data backup tool. The service can regularly and automatically back up entire volumes on Mac computers (Figure 2). Either external hard drives or network devices that support Time Machine serve as backup targets. Most network attached storage (NAS) devices can easily be linked to the backup software [2]. The TimeMachineEditor software [3] puts you in control of the various backups and schedules. The tool uses the basic Time Machine settings and does not need to run 24/7. Once you have adjusted the settings for Time Machine to your requirements, you can exit TimeMachineEditor.

Figure 2: Time Machine is a good choice for use as a macOS data backup tool.

Recovering Files with Tools

If the machine has neither a Time Machine backup nor an iCloud synchronization and the documents are also no longer available in the Trash, you have to rely on additional tools. One well-known example is Disk Drill [4]. However, the free version is limited and can only display files that can be recovered. For just under $90 you can acquire the Pro version, which lets you recover data. An alternative product is EaseUS Data Recovery Wizard for Mac [5], which can also search for recoverable files in the free version and then recover them with the commercial variant (~$90/month or $170 lifetime).

For both tools to work properly, you need to allow access to the disks in System Preferences | Security & Privacy . Click on the Privacy tab and scroll down the left pane to the bottom, where you can choose Full Disk Access . You'll have to click the lock to make changes; then, you can click the Plus symbol under the right window and add the application. After that, the tools can scan your disks.

If these two tools do not help you, the professional Recoverit [6] is a good alternative. Here, too, you can test free of charge whether deleted files can be recovered. If this works, you can also recover Microsoft Office documents with the commercial version.

The Free Mac Any Data Recovery software [7] offers a wizard to help you recover accidentally deleted files, even if they are no longer available in the Trash bin. After starting the tool, you can select which data you want to revive and where it should be placed. However, the tool requires some Mac experience, because you need to disable the System Integrity Protection feature in macOS. To do this, start the computer in the built-in recovery mode with the Cmd+R keyboard shortcut . In the recovery environment terminal, turn off the function and check the status with:

csrutil disable
csrutil status

After that, restart the Mac and you can use Free Mac Any Data Recovery (Figure 3). If the tool does not find data during the first scan, you can start an extended deep scan, which can take some time. The lower area shows the volume of data the system has found.

Figure 3: Data recovery with Free Mac Any Data Recovery is a tad more complicated than with comparable tools; however, it rewards the user with superior results.

Once your work is done, you will want to re-enable the System Integrity Protection feature with

csrutil enable

If the built-in recovery operating system does not start, you can also download the required program from the web by starting the Mac in Internet recovery mode with the Cmd+Alt+R keyboard shortcut.

The last tool for data recovery I would like to introduce is PhotoRec [8]. It does not require any installation and starts from a USB stick. Working with the tool is a bit more complicated than with the others, but PhotoRec can often recover files where other programs fail.

To begin, unpack the download archive and launch PhotoRec. macOS blocks the program run by default, because the tool does not come from a verified developer. Therefore, you need to approve execution in System Preferences | Security & Privacy under the General tab. PhotoRec needs to run with root privileges in macOS. Double-clicking the file will open the Terminal and wait for you to enter your password; otherwise, you can run the program with sudo in the terminal. Once the tool is running, select the hard drive and the type of partition table from which you want to recover data.

Creating a Bootable USB Stick

A bootable USB stick is helpful to ensure that no data needs to be downloaded off the web when reinstalling macOS and the installation is performed locally. As a bonus, this tool is also good for data recovery, because it lets you recover data, even without a working Internet connection. The USB stick should have a capacity of at least 16GB. To start, delete the original data from the stick with Disk Utility. As the format, use Mac OS Extended (Journaled) and the scheme GUID Partition Table . Choose a name, (e.g., USB ). You will need this name when you create the stick in Terminal:

sudo /Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/createinstallmedia --volume /Volumes/<my Volume>/ --nointeraction
sudo /Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/createinstallmedia --volume /Volumes/USB/ --nointeraction

If the macOS installation does not work properly during a restore, you can restart the Mac by holding down the power button for 10 seconds. At this point, it is important that you unplug all external devices from the Mac, if possible. Alternatively, reset the System Management Controller (SMC) [9], which especially helps with driver problems. Resetting the parameter RAM and the non-volatile RAM (NVRAM) can also help with problems [9].

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=