Recovering Data From An Old Encrypted Time Machine Backup

Recovering data from a backup should be an easy thing to do. At least this is what you expect. Yesterday I had a problem which should have been easy to solve, but it was not. I hope this blog post can help others who face the same problem.

The problem

1. I had an encrypted Time Machine backup which was not used for months
2. This backup was not on an official Apple Time Capsule or on a USB HDD, but on a WD MyCloud NAS
3. I needed files from this backup
4. After running out of time I only had SSH access to the macOS, no GUI

The struggle

By default, Time Machine is one of the best and easiest backup solution I have seen. As long as you stick to the default use case, where you have one active backup disk, life is pink and happy. But this was not my case.

As always, I started to Google what shall I do. One of the first options recommended that I add the backup disk to Time Machine, and it will automagically show the backup snapshots from the old backup. Instead of this, it did not show the old snapshots but started to create a new backup. Panic button has been pressed, backup canceled, back to Google.

Other tutorials recommend to click on the Time Machine icon and pressing alt (Option) key, where I can choose "Browse other backup disks". But this did not list the old Time Machine backup. It did list the backup when selecting disks in Time Machine preferences, but I already tried and failed that way.

YAT (yet another tutorial) recommended to SSH into the NAS, and browse the backup disk, as it is just a simple directory where I can see all the files. But all the files inside where just a bunch of nonsense, no real directory structure.

YAT (yet another tutorial) recommended that I can just easily browse the content of the backup from the Finder by double-clicking on the sparse bundle file. After clicking on it, I can see the disk image on the left part of the Finder, attached as a new disk.
Well, this is true, but because of some bug, when you connect to the Time Capsule, you don't see the sparse bundle file. And I got inconsistent results, for the WD NAS, double-clicking on the sparse bundle did nothing. For the Time Capsule, it did work.
At this point, I had to leave the location where the backup was present, and I only had remote SSH access. You know, if you can't solve a problem, let's complicate things by restrict yourself in solutions.

Finally, I tried to check out some data forensics blogs, and besides some expensive tools, I could find the solution.

The solution

Finally, a blog post provided the real solution - hdiutil.
The best part of hdiutil is that you can provide the read-only flag to it. This can be very awesome when it comes to forensics acquisition.

To mount any NAS via SMB:

mount_smbfs afp://<username>@<NAS_IP>/<Share_for_backup> /<mountpoint>

To mount a Time Capsule share via AFP:

mount_afp afp://any_username:password@<Time_Capsule_IP>/<Share_for_backup> /<mountpoint>

And finally this command should do the job:

hdiutil attach test.sparsebundle -readonly

It is nice that you can provide read-only parameter.

If the backup was encrypted and you don't want to provide the password in a password prompt, use the following:

printf '%s' 'CorrectHorseBatteryStaple' | hdiutil attach test.sparsebundle -stdinpass -readonly

Note: if you receive the error "resource temporarily unavailable", probably another machine is backing up to the device

And now, you can find your backup disk under /Volumes. Happy restoring!

Probably it would have been quicker to either enable the remote GUI, or to physically travel to the system and login locally, but that would spoil the fun.

More information

1. Pentest Tools Windows
2. Kik Hack Tools
3. Pentest Tools Port Scanner
4. Best Hacking Tools 2019
5. Free Pentest Tools For Windows
6. Hack Tools Github
7. Pentest Tools Free
8. Bluetooth Hacking Tools Kali
9. Physical Pentest Tools
10. Hacking Tools For Windows
11. Pentest Tools Nmap
12. Hacking Tools For Pc
13. Hacking Tools Github
14. Hacker Tools Online
15. Hack Tools
16. Hacker Tools For Windows
17. Hack Tools Download
18. Tools 4 Hack
19. Pentest Tools Subdomain
20. Pentest Tools For Mac
21. Hack Tools For Games
22. Hacker Tools 2020
23. Nsa Hack Tools
24. Hacker Tools Free Download
25. Pentest Tools Find Subdomains
26. Install Pentest Tools Ubuntu
27. Hacking Tools 2019
28. Hacking App
29. Hacking Tools Online
30. Pentest Tools Online
31. What Are Hacking Tools
32. Pentest Tools Website Vulnerability
33. Hacking Tools For Pc
34. New Hacker Tools
35. Hacker Tools Hardware
36. How To Hack
37. Pentest Tools
38. Usb Pentest Tools
39. Hacking Tools Hardware
40. Hacker Tools Github
41. Beginner Hacker Tools
42. Wifi Hacker Tools For Windows
43. Pentest Recon Tools
44. Blackhat Hacker Tools
45. Hacker Search Tools
46. New Hacker Tools
47. Hack Tool Apk
48. Termux Hacking Tools 2019
49. Android Hack Tools Github
50. Growth Hacker Tools
51. Blackhat Hacker Tools
52. Pentest Tools Github
53. Nsa Hack Tools Download
54. Underground Hacker Sites
55. Pentest Tools Bluekeep
56. Hack Tools Online
57. Hacker Techniques Tools And Incident Handling
58. Hacking Tools Github
59. Hacker Tool Kit
60. Hacker Tools 2019
61. Hacking Tools Windows
62. Pentest Tools Bluekeep
63. Pentest Tools Alternative
64. New Hack Tools
65. Hack Rom Tools
66. Hack Tools Mac
67. Hacker Tools 2020
68. How To Make Hacking Tools
69. Hak5 Tools
70. Hacking Tools Usb
71. Hacking Tools For Pc
72. Hacking Tools Software
73. Hacking Tools Pc
74. Hack Tools
75. Pentest Recon Tools
76. Hacker Tools Online
77. Hacking Tools Mac
78. Pentest Tools Android
79. Easy Hack Tools
80. Underground Hacker Sites
81. Pentest Reporting Tools
82. Nsa Hack Tools Download
83. Hacker Tools Hardware
84. Hackers Toolbox
85. Usb Pentest Tools
86. Best Hacking Tools 2019
87. Best Pentesting Tools 2018
88. Pentest Tools Download
89. Hacking Tools Usb
90. Ethical Hacker Tools
91. Pentest Tools Open Source
92. Hack Rom Tools