The previous methods assumed that once read, the data was usable. That's no longer true: encryption has become the norm, and on many devices, repairing the device is no longer enough to read its content. Modern recovery must work with security — without ever bypassing it illegitimately.
1 · Storage encryption
Three major families show up daily:
- BitLocker (Windows) — volume encryption, unlockable with the password or recovery key (often tied to the Microsoft account or TPM).
- FileVault (macOS) — full-disk encryption, tied to the login password and, on recent Macs, the Secure Enclave.
- LUKS / VeraCrypt — cross-platform software encryption, unlockable with the passphrase.
In every case, hardware recovery (repairing a drive, imaging an SSD) yields encrypted data. Decryption is only possible with the legitimate secret: password or recovery key. Without it, the data stays noise — which is exactly the point of encryption.
2 · Mobile & the chain of trust
Smartphones push this logic to the extreme. On iPhone, the Secure Enclave is a coprocessor that holds the keys and binds encryption to the processor: the memory and processor form an inseparable pair. This is why, during a CPU swap, we transplant both together — separating one from the other would destroy the ability to decrypt.
On Android, file-based encryption (FBE) and modules like Samsung Knox also bind the keys to the hardware and unlock code. Mobile recovery therefore consists of repairing the hardware to enable access, then letting the legitimate user unlock with their code. This is the culmination of the Smartphone chapter of the Guide.
3 · The ethical line
One essential point separates a serious lab from scams: we don't bypass device security. We don't "break" encryption, don't unlock an iPhone without its passcode, don't bypass an account. This refusal isn't a disguised technical limit: it's a guarantee. The day you recover your data, you also want to be sure no one else could. Our role stops at making the hardware readable for its legitimate owner.
4 · Legal forensics
In a legal setting (expert assessment, investigation, litigation), recovery becomes evidence. It then follows additional requirements, already introduced in the Diagnosis chapter:
- Integrity — SHA-256 hash computed at acquisition, proving non-alteration.
- Traceability — documented chain of custody per ISO/IEC 27037, seals, timestamped log.
- Reproducibility — work on a copy, never the original, so a third party can verify.
These guarantees make the difference between data merely "found" and evidence admissible in court.
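The three requirements above can be sketched in a few functions. This is an added example, not the lab's own tooling: it hashes an image at acquisition, appends timestamped custody records to a log, and checks a working copy against the acquisition hash. The file names, the JSON-lines log format, the operator label and the `prev` hash chain between records are assumptions made for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Stream the image so a multi-terabyte acquisition never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def log_event(log_path, action, image_path, operator):
    """Append a timestamped custody record; 'prev' chains it to the previous line."""
    prev = "0" * 64  # the first record has no predecessor
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "action": action,
             "operator": operator, "image": os.path.basename(image_path),
             "sha256": sha256_file(image_path), "prev": prev}
    with open(log_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry

def verify(log_path, copy_path):
    """Return (log_intact, copy_matches_acquisition) for a working copy."""
    with open(log_path, "rb") as f:
        lines = f.read().splitlines()
    entries = [json.loads(line) for line in lines]
    expected = ["0" * 64] + [hashlib.sha256(l).hexdigest() for l in lines[:-1]]
    log_intact = [e["prev"] for e in entries] == expected
    acquired = next(e["sha256"] for e in entries if e["action"] == "acquisition")
    return log_intact, sha256_file(copy_path) == acquired

def demo():
    """Constructed sample: a 3 MiB stand-in image, a faithful copy and an altered copy."""
    d = tempfile.mkdtemp()
    img, good, bad, log = (os.path.join(d, n) for n in ("ev.img", "work.img", "bad.img", "log.jsonl"))
    data = bytes(range(256)) * 12288  # 3 MiB of constructed content
    for path, blob in ((img, data), (good, data), (bad, data[:-1] + b"\x00")):
        with open(path, "wb") as f:
            f.write(blob)
    log_event(log, "acquisition", img, "examiner-A")
    log_event(log, "working-copy", good, "examiner-A")
    return verify(log, good), verify(log, bad)

if __name__ == "__main__":
    print(demo())
```

A single changed byte in the copy fails the comparison, and editing an earlier log line breaks the `prev` chain, so both the image and its custody record can be re-checked by a third party.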
5 · Post-ransomware restoration
A special case that is now common: ransomware encrypts the files of a server or NAS. Here the encryption is hostile, and the route isn't to break it but to sidestep it by going back in time: many attacks ignore the read-only snapshots of Btrfs/ZFS. By restoring a snapshot predating the attack, we recover the healthy state — often without paying a ransom. The method is developed in the RAID & NAS chapter.
Never pay as a reflex: nothing guarantees you will get your data back, and an offline backup (see part VII) remains the best insurance.
