Windows file encryption

Discussion in 'Windows XP / Older OS' started by markmadras, Sep 11, 2010.

  1. markmadras

    A very silly person I know has done a reinstall of Windows and therefore lost his original login account :rolleyes:. This has made it impossible to open a lot of very important encrypted files. Is there some backdoor method of getting into these files?

    Your help would be most appreciated :)
     
  2. Anakunda

    The only chance to decrypt EFS-encrypted files is having backed up the full EFS encryption certificate, including the private key.
    Then it's possible to import this cert into a different Windows account and use it to decrypt the encrypted files from the other account.
     
  3. Deb_Rider

    #3 Deb_Rider, Sep 11, 2010
    Last edited: Sep 11, 2010
    In what way was the file encrypted? That is important...
    Was that done by using any software?
    If yes, which software?

    The way that "anakunda" guy mentioned may help you....
     
  4. markmadras

    Thanks for the rapid replies. As far as I know the key and cert were not saved. The encryption was done with Windows' own built-in facility.
     
  5. urie

    What are you talking about, key and certificate? Is this Windows 7, or are you just talking about the Windows XP logon password?
     
  6. markmadras

    Hi Urie, the encryption was done with Windows XP Pro. Perhaps Anakunda would be kind enough to explain what the key and certs directly relate to.

    This topic was raised on another forum, so I am simply investigating to see if there is a solution, purely to help someone in a fix. As I only have XP Home Edition I can't even use the encryption system to see what it does, so I am scratching around in the dark.
     
  7. markmadras

    Thanks for that, Anakunda. The trouble with this is that the original sign-in account has been lost due to a re-install of WinXP.

    Is there a workaround that can break into the encrypted files or somehow recover the original account?
     
  8. Anakunda

    No, not unless you have exported the personal certificate (.pfx) or get the account under which the files were encrypted working again, i.e. from a system backup. If there were such a backdoor, file encryption would lose its sense.

    For next time, it is a good idea, among the first things after a new Windows installation, to export the personal certificate in the most complete form and save it to a safe and reliable place.
     
  9. twohawks

    Hi... while I do not have time to delve into the particulars (sorry, dealing with my own disaster recovery right now and stumbled upon your question), it is possible, if you can retrieve a backup copy of the old registry. In the old user's reg is a list of, umm.. hashes.. I cannot remember off the top, but you may need the old cert folders from the old profile as well....
    This is going to seem a bit terse, but search the net for
    efs user registry copy recover

    ...umm, if I can think of the rest I will post it, but essentially, I restored my keys from a practically totally lost HD (majorly swiss cheesed) in January by retrieving an old registry and injecting the appropriate keys into the reg-users section under a new user I made with the same password. I remember gaining some access, however, I later used a method including merging keys info from the old user's cert folders (from the old profile) as well. I gained access to everything without having the backup certificates or recovery agent.

    So my point is... it can be done, and it is obscurely documented on the net.
    I had to look for weeks.

    If/when I get out of the jam I am in I will post details (from my hopefully recovered PC ;^)

    Good luck... and please let us know if your continues, and how it progresses.

    Sorry for the bleak-ass post. I hope it provides a little hope, though, if nothing else... Keep searching. My experience in January was nothing short of devastating, and the subsequent recovery of almost everything after a month's work an absolute miracle.

    Good luck.
    TwoHAwks
     
  10. twohawks

    Regarding the efs thing... I briefly revisited some bookmarks I recovered and can add a couple comments...
    1) There are professional services available for recovering efs'd files. Although efs is fairly water-tight, a professional service can try to decode components in the filestream of an encrypted file for retrieving the two keys needed for decrypting files from the system in question. It's probably costly, but it's worth mentioning the services are out there (and information is on the net as to how to do it - not for the faint of heart or inexperienced).

    2) To expand a little on something I referenced in my first post, but again, without getting into the details (which you can search for yourself)... one of the problems with efs recovery is if the drive becomes non-bootable there is seemingly no way to retrieve the efs files because it requires being able to log onto that system. Well, there is a work-around for this...

    - first, if you reinstalled the system such as the OP mentioned, the most important first thing to do is to try to perform a deep recovery from that drive... if you did not format it you may be able to recover the hives off the drive, as well as the crypto folders from the old user's directory. If you can, you have a good chance for getting the files decrypted; if not, then the only way is using method #1.

    - the things you need are the machine keys from the old installation and the crypto files from the old user's profile, and lastly, you need to know or get the old user's login username and password

    - the idea then is to create the same user profile on any computer, then add the crypto files, then you need to adjust the registry for adding the machinekeys from the old machine to the one you are working on.
    Machine keys may be able to be added within the filesystem instead...

    Anymonday... that's a loose reference to a possible way to do it. You have to research and understand how the machinekeys and crypto files/directories come into play for managing efs... and you should be able to figure it out from there ;^)

    I hate to say it, but if you are less than an expert either you will not be able to figure it out and do it yourself, or it will end up in grey hair and heart murmurs.

    But it can be done ;^)

    3) If you can gain access to the aforementioned materials it may be possible to employ the use of a product called "Advanced EFS Data Recovery". Of course, prior to redoing the system AEFS is a great tool for efs recovery.

    =================
    Now, not to leave this totally hanging in thin air...
    Here are three links to some interesting information that should help one begin in their search on this.
    Since I am new here and cannot yet post links, I have removed the typical prefixing...
    ehow.com/how_4739473_operating-system-files-still-intact.html
    beginningtoseethelight.org/efsrecovery/
    derkeiler.com/Newsgroups/microsoft.public.windowsxp.security_admin/2008-07/msg00170.html

    Good luck ;^)
    TwoHawks
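
Added example, not part of twohawks' post or of any tool named in the thread: a small Python inventory for a recovered copy of the old user's profile, reporting whether the "crypto folders" and certificate store the post refers to survived the reinstall. The folder layout under `Application Data\Microsoft` is the standard Windows XP per-user layout and is an assumption here, as are the function names and the constructed SID.

```python
import os
import re
import tempfile

# Standard per-user locations on Windows XP, relative to the profile root
# (assumed layout; the thread only says "crypto folders" and "cert folders").
BASE = os.path.join("Application Data", "Microsoft")
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")

def sid_dirs(path):
    """Return the SID-named subfolders of path that contain at least one file."""
    if not os.path.isdir(path):
        return set()
    return {d for d in os.listdir(path)
            if SID_RE.match(d) and os.path.isdir(os.path.join(path, d))
            and os.listdir(os.path.join(path, d))}

def inventory(profile):
    """Report which EFS-related artifacts survive in a recovered profile copy."""
    base = os.path.join(profile, BASE)
    rsa = sid_dirs(os.path.join(base, "Crypto", "RSA"))   # private key containers
    protect = sid_dirs(os.path.join(base, "Protect"))     # DPAPI master keys
    certs = os.path.join(base, "SystemCertificates", "My", "Certificates")
    n_certs = len(os.listdir(certs)) if os.path.isdir(certs) else 0
    return {
        "private_keys": sorted(rsa),
        "master_keys": sorted(protect),
        "certificates": n_certs,
        # Key containers are protected by the master keys stored under the same SID.
        "complete": bool(rsa & protect) and n_certs > 0,
    }

def make_sample(root, sid, with_protect=True):
    """Build a constructed (fake) profile tree for demonstration."""
    parts = [("Crypto", "RSA", sid), ("SystemCertificates", "My", "Certificates")]
    if with_protect:
        parts.append(("Protect", sid))
    for p in parts:
        d = os.path.join(root, BASE, *p)
        os.makedirs(d)
        open(os.path.join(d, "placeholder"), "w").close()

if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1003"  # constructed SID
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, sid)
        print(inventory(tmp))
```

A result with `complete` set to false means at least one of the three pieces is missing from the recovered copy, which is the situation the earlier replies describe when no certificate export or account backup exists.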
     
  11. markmadras

    Twohawks, thank you very much for taking the time to explain all this and providing the links.