Can I get a hash of the recovery partition on OSX to ensure it hasn't been tampered with?












0















I didn't have physical access to my machine (2008 macbook unibody 5,1, el capitan) and found out it had been tampered with (files destroyed on unencrypted hd). The missing files were 'only' artwork/writings and basic operation seems to still work. I was going to reinstall everything but realized about the recovery partition and boot process being able to be altered. I was wondering if I could get an md5 hash of the recovery/hidden partition and compare against a known good copy. I don't use time machine and haven't written to the recovery partition that I know of.



EDIT: I can obtain an md5 hash of my own, but I am not sure if it should be unique/alterable, and if so I need a known good hash to compare.






macos osx-el-capitan







share|improve this question

























  • I would think that Apple would bake the same recovery partition, but to test it you would have to access the same mac model with the same OS X version to compare hashes between the two. If you are really worried, I recommend purchasing a retail disk of OS X and wiping all partitions of the disk and re-installing. This way you wouldn't have to worry about hashes, and is the easiest option if you want to be fully sure its safe.

    – QuickishFM
    Jan 18 at 21:26











  • @QuickishFM, Yeah I am trying to call some tech shops to see if they will give me a hash off the same model. I thought Apple might supply but I can't find it online. It occurred to me while working on this, that even though I have been the only owner of this machine and purchased it new, there is pretty much no hope of ever even being able to even speak to an actual Apple employee.

    – crazyfox
    Jan 18 at 21:32











  • I'll be honest, this is the first case of hashing a partition that I've seen, even though its understandable. To find out if the partitions are all the same, you'll need hashes from different machines (to make sure its not unique to each model), if they are willing to co-operate at all. If you can confirm that a retail DVD of Mac OS X will replace the recovery partition, then I think its the best way to get it back to 'vanilla' recovery partition, unless you want evidence that it was tampered with.

    – QuickishFM
    Jan 18 at 21:38











  • I don't think the hash of the entire volume will match, even between "identical" computers running the same macOS version -- the volume includes things like file timestamps, that are likely to depend on e.g. the exact time the system was installed (& the recovery partition created). How about starting from Internet Recovery (Option-Command-R instead of just Command-R)? That way, you're booting directly from an Apple server. You could then completely wipe the internal HD (including Recovery) and reinstall from scratch.

    – Gordon Davisson
    Jan 19 at 1:52
















0















I didn't have physical access to my machine (2008 macbook unibody 5,1, el capitan) and found out it had been tampered with (files destroyed on unencrypted hd). The missing files were 'only' artwork/writings and basic operation seems to still work. I was going to reinstall everything but realized about the recovery partition and boot process being able to be altered. I was wondering if I could get an md5 hash of the recovery/hidden partition and compare against a known good copy. I don't use time machine and haven't written to the recovery partition that I know of.



EDIT: I can obtain an md5 hash of my own, but I am not sure if it should be unique/alterable, and if so I need a known good hash to compare.






macos osx-el-capitan







share|improve this question

























  • I would think that Apple would bake the same recovery partition, but to test it you would have to access the same mac model with the same OS X version to compare hashes between the two. If you are really worried, I recommend purchasing a retail disk of OS X and wiping all partitions of the disk and re-installing. This way you wouldn't have to worry about hashes, and is the easiest option if you want to be fully sure its safe.

    – QuickishFM
    Jan 18 at 21:26











  • @QuickishFM, Yeah I am trying to call some tech shops to see if they will give me a hash off the same model. I thought Apple might supply but I can't find it online. It occurred to me while working on this, that even though I have been the only owner of this machine and purchased it new, there is pretty much no hope of ever even being able to even speak to an actual Apple employee.

    – crazyfox
    Jan 18 at 21:32











  • I'll be honest, this is the first case of hashing a partition that I've seen, even though its understandable. To find out if the partitions are all the same, you'll need hashes from different machines (to make sure its not unique to each model), if they are willing to co-operate at all. If you can confirm that a retail DVD of Mac OS X will replace the recovery partition, then I think its the best way to get it back to 'vanilla' recovery partition, unless you want evidence that it was tampered with.

    – QuickishFM
    Jan 18 at 21:38











  • I don't think the hash of the entire volume will match, even between "identical" computers running the same macOS version -- the volume includes things like file timestamps, that are likely to depend on e.g. the exact time the system was installed (& the recovery partition created). How about starting from Internet Recovery (Option-Command-R instead of just Command-R)? That way, you're booting directly from an Apple server. You could then completely wipe the internal HD (including Recovery) and reinstall from scratch.

    – Gordon Davisson
    Jan 19 at 1:52














0












0








0








I didn't have physical access to my machine (2008 macbook unibody 5,1, el capitan) and found out it had been tampered with (files destroyed on unencrypted hd). The missing files were 'only' artwork/writings and basic operation seems to still work. I was going to reinstall everything but realized about the recovery partition and boot process being able to be altered. I was wondering if I could get an md5 hash of the recovery/hidden partition and compare against a known good copy. I don't use time machine and haven't written to the recovery partition that I know of.



EDIT: I can obtain an md5 hash of my own, but I am not sure if it should be unique/alterable, and if so I need a known good hash to compare.






macos osx-el-capitan







share|improve this question
















I didn't have physical access to my machine (2008 macbook unibody 5,1, el capitan) and found out it had been tampered with (files destroyed on unencrypted hd). The missing files were 'only' artwork/writings and basic operation seems to still work. I was going to reinstall everything but realized about the recovery partition and boot process being able to be altered. I was wondering if I could get an md5 hash of the recovery/hidden partition and compare against a known good copy. I don't use time machine and haven't written to the recovery partition that I know of.



EDIT: I can obtain an md5 hash of my own, but I am not sure if it should be unique/alterable, and if so I need a known good hash to compare.






macos osx-el-capitan




macos osx-el-capitan






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 18 at 20:17







crazyfox

















asked Jan 18 at 18:39









crazyfoxcrazyfox

113




113













  • I would think that Apple would bake the same recovery partition, but to test it you would have to access the same mac model with the same OS X version to compare hashes between the two. If you are really worried, I recommend purchasing a retail disk of OS X and wiping all partitions of the disk and re-installing. This way you wouldn't have to worry about hashes, and is the easiest option if you want to be fully sure its safe.

    – QuickishFM
    Jan 18 at 21:26











  • @QuickishFM, Yeah I am trying to call some tech shops to see if they will give me a hash off the same model. I thought Apple might supply but I can't find it online. It occurred to me while working on this, that even though I have been the only owner of this machine and purchased it new, there is pretty much no hope of ever even being able to even speak to an actual Apple employee.

    – crazyfox
    Jan 18 at 21:32











  • I'll be honest, this is the first case of hashing a partition that I've seen, even though its understandable. To find out if the partitions are all the same, you'll need hashes from different machines (to make sure its not unique to each model), if they are willing to co-operate at all. If you can confirm that a retail DVD of Mac OS X will replace the recovery partition, then I think its the best way to get it back to 'vanilla' recovery partition, unless you want evidence that it was tampered with.

    – QuickishFM
    Jan 18 at 21:38











  • I don't think the hash of the entire volume will match, even between "identical" computers running the same macOS version -- the volume includes things like file timestamps, that are likely to depend on e.g. the exact time the system was installed (& the recovery partition created). How about starting from Internet Recovery (Option-Command-R instead of just Command-R)? That way, you're booting directly from an Apple server. You could then completely wipe the internal HD (including Recovery) and reinstall from scratch.

    – Gordon Davisson
    Jan 19 at 1:52



















  • I would think that Apple would bake the same recovery partition, but to test it you would have to access the same mac model with the same OS X version to compare hashes between the two. If you are really worried, I recommend purchasing a retail disk of OS X and wiping all partitions of the disk and re-installing. This way you wouldn't have to worry about hashes, and is the easiest option if you want to be fully sure its safe.

    – QuickishFM
    Jan 18 at 21:26











  • @QuickishFM, Yeah I am trying to call some tech shops to see if they will give me a hash off the same model. I thought Apple might supply but I can't find it online. It occurred to me while working on this, that even though I have been the only owner of this machine and purchased it new, there is pretty much no hope of ever even being able to even speak to an actual Apple employee.

    – crazyfox
    Jan 18 at 21:32











  • I'll be honest, this is the first case of hashing a partition that I've seen, even though its understandable. To find out if the partitions are all the same, you'll need hashes from different machines (to make sure its not unique to each model), if they are willing to co-operate at all. If you can confirm that a retail DVD of Mac OS X will replace the recovery partition, then I think its the best way to get it back to 'vanilla' recovery partition, unless you want evidence that it was tampered with.

    – QuickishFM
    Jan 18 at 21:38











  • I don't think the hash of the entire volume will match, even between "identical" computers running the same macOS version -- the volume includes things like file timestamps, that are likely to depend on e.g. the exact time the system was installed (& the recovery partition created). How about starting from Internet Recovery (Option-Command-R instead of just Command-R)? That way, you're booting directly from an Apple server. You could then completely wipe the internal HD (including Recovery) and reinstall from scratch.

    – Gordon Davisson
    Jan 19 at 1:52

















I would think that Apple would bake the same recovery partition, but to test it you would have to access the same mac model with the same OS X version to compare hashes between the two. If you are really worried, I recommend purchasing a retail disk of OS X and wiping all partitions of the disk and re-installing. This way you wouldn't have to worry about hashes, and is the easiest option if you want to be fully sure its safe.

– QuickishFM
Jan 18 at 21:26





I would think that Apple would bake the same recovery partition, but to test it you would have to access the same mac model with the same OS X version to compare hashes between the two. If you are really worried, I recommend purchasing a retail disk of OS X and wiping all partitions of the disk and re-installing. This way you wouldn't have to worry about hashes, and is the easiest option if you want to be fully sure its safe.

– QuickishFM
Jan 18 at 21:26













@QuickishFM, Yeah I am trying to call some tech shops to see if they will give me a hash off the same model. I thought Apple might supply but I can't find it online. It occurred to me while working on this, that even though I have been the only owner of this machine and purchased it new, there is pretty much no hope of ever even being able to even speak to an actual Apple employee.

– crazyfox
Jan 18 at 21:32





@QuickishFM, Yeah I am trying to call some tech shops to see if they will give me a hash off the same model. I thought Apple might supply but I can't find it online. It occurred to me while working on this, that even though I have been the only owner of this machine and purchased it new, there is pretty much no hope of ever even being able to even speak to an actual Apple employee.

– crazyfox
Jan 18 at 21:32













I'll be honest, this is the first case of hashing a partition that I've seen, even though its understandable. To find out if the partitions are all the same, you'll need hashes from different machines (to make sure its not unique to each model), if they are willing to co-operate at all. If you can confirm that a retail DVD of Mac OS X will replace the recovery partition, then I think its the best way to get it back to 'vanilla' recovery partition, unless you want evidence that it was tampered with.

– QuickishFM
Jan 18 at 21:38





I'll be honest, this is the first case of hashing a partition that I've seen, even though its understandable. To find out if the partitions are all the same, you'll need hashes from different machines (to make sure its not unique to each model), if they are willing to co-operate at all. If you can confirm that a retail DVD of Mac OS X will replace the recovery partition, then I think its the best way to get it back to 'vanilla' recovery partition, unless you want evidence that it was tampered with.

– QuickishFM
Jan 18 at 21:38













I don't think the hash of the entire volume will match, even between "identical" computers running the same macOS version -- the volume includes things like file timestamps, that are likely to depend on e.g. the exact time the system was installed (& the recovery partition created). How about starting from Internet Recovery (Option-Command-R instead of just Command-R)? That way, you're booting directly from an Apple server. You could then completely wipe the internal HD (including Recovery) and reinstall from scratch.

– Gordon Davisson
Jan 19 at 1:52





I don't think the hash of the entire volume will match, even between "identical" computers running the same macOS version -- the volume includes things like file timestamps, that are likely to depend on e.g. the exact time the system was installed (& the recovery partition created). How about starting from Internet Recovery (Option-Command-R instead of just Command-R)? That way, you're booting directly from an Apple server. You could then completely wipe the internal HD (including Recovery) and reinstall from scratch.

– Gordon Davisson
Jan 19 at 1:52










0






active

oldest

votes











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1395870%2fcan-i-get-a-hash-of-the-recovery-partition-on-osx-to-ensure-it-hasnt-been-tampe%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1395870%2fcan-i-get-a-hash-of-the-recovery-partition-on-osx-to-ensure-it-hasnt-been-tampe%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Plaza Victoria

Image
Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l...
Read more

Brian Clough

Image
Brian Clough Datos personales Nombre completo Brian Howard Clough Apodo(s) Old Big 'Ead, Cloughie [ 1 ] ​ Nacimiento Middlesbrough, Inglaterra, Reino Unido 21 de marzo de 1935 Nacionalidad(es) Fallecimiento Derby, Reino Unido 20 de septiembre de 2004 (69 años) Altura 1,78 [ 1 ] ​ metros Carrera Deporte Fútbol Debut deportivo 1955 (Como jugador) 1965 (Como entrenador) (Middlesbrough F. C. (Como jugador) Hartlepool United F. C. (Como entrenador) ) Posición Delantero Goles en clubes 269 [ 2 ] ​ Retirada deportiva 1964 (Como jugador) 1993 (Como entrenador) (Sunderland A. F. C. (Como jugador) Nottingham Forest (Como entrenador) ) Carrera internacional Part. 2 [editar datos en Wikidata] Brian Howard Clough , OBE [ 3 ] ​ (Middlesbrough, Inglaterra, Reino Unido, 21 de marzo de 1935 – Derby, Inglaterra, Reino Unido, 20 de septiembre de 2004) fue un jugador y entrenador británico de fútbol. Es conocido por...
Read more

Cáceres

Image
Para otros usos de este término, véase Cáceres (desambiguación). Cáceres Municipio y ciudad Bandera Escudo Collage de Cáceres Cáceres Ubicación de Cáceres en España. Cáceres Ubicación de Cáceres en la provincia de Cáceres. País  España • Com. autónoma  Extremadura • Provincia  Cáceres • Partido judicial Cáceres Ubicación 39°28′23″N 6°22′16″O  /  39.473055555556, -6.3711111111111 Coordenadas: 39°28′23″N 6°22′16″O  /  39.473055555556, -6.3711111111111 • Altitud 457 [ 1 ] ​ msnm (mín.:211 [ 2 ] ​, máx.:708 [ 2 ] ​) Superficie 1750,33 km² Núcleos de población Cáceres Estación Arroyo-Malpartida Rincón de Ballesteros Valdesalor Fundación 34 a. C. Población 96 068 hab. (2018) • Densidad 54,8 hab./km² Gentilicio Cacereño/a [ 3 ] ​ Código postal 10001-10005, 10195 Alcaldesa (2015) María Elena Nevado del Campo [ 4 ] ​ Presupuesto 69.045.004€ [ 5 ] ​  (año ...
Read more