Decrypting files if certs and keys were not backed up?

Bill Fuller

I have a laptop with a failed video card. This card was specific to the
laptop and no longer available, so I am unable to log on. However, the hard
drive is fine, including system files, etc.



Unfortunately, I have some encrypted files in my documents folder that I
forgot were encrypted and I am unable to decrypt them without logging on. I
did not back up the certs and keys prior to the video failure.



Is there any way to get the security stuff I need off the drive and decrypt
these files? (I tried, for example, copying the Windows files to one of the
boot partitions in a dual boot VM machine where one of the boot partitions
was loaded with a generic copy of Windows XP, hoping to be able to log on
there. However, startup failed (driver incompatibility, no doubt).)
 
Patrick Keenan

Bill Fuller said:
I have a laptop with a failed video card. This card was specific to the
laptop and no longer available, so I am unable to log on. However, the hard
drive is fine, including system files, etc.



Unfortunately, I have some encrypted files in my documents folder that I
forgot were encrypted and I am unable to decrypt them without logging on.
I did not back up the certs and keys prior to the video failure.



Is there any way to get the security stuff I need off the drive and
decrypt these files?

The short answer is no, unless you log on.
(I tried, for example, copying the Windows files to one of the boot
partitions in a dual boot VM machine where one of the boot partitions was
loaded with a generic copy of Windows XP, hoping to be able to log on
there. However, startup failed (driver incompatibility, no doubt).)

You must not attempt to re-install Windows or make any changes to the OS.
This will almost certainly prevent you from ever regaining access.

I would suggest that you step back, try to find someone somewhere with the
same system, install your drive there, and decrypt the files. That's
about your only chance for recovery.

HTH
-pk
 
Bill Fuller

Patrick Keenan said:
The short answer is no, unless you log on.


You must not attempt to re-install Windows or make any changes to the OS.
This will almost certainly prevent you from ever regaining access.

I would suggest that you step back, try to find someone somewhere with the
same system, install your drive there, and decrypt the files. That's
about your only chance for recovery.

Bummer. It is a five year old Toshiba laptop and I have looked everywhere
for one... or the card. No luck, so far. Sure would be nice if I could copy
security files and use my original password.
 
Pegasus (MVP)

Bill Fuller said:
Bummer. It is a five year old Toshiba laptop and I have looked everywhere
for one... or the card. No luck, so far. Sure would be nice if I could
copy security files and use my original password.

Copying the files is no great problem but unless you have the
certificates, you won't be able to decrypt the files on a different
machine.
 
jorgen

Bill said:
I have a laptop with a failed video card. This card was specific to the
laptop and no longer available, so I am unable to log on. However, the hard
drive is fine, including system files, etc.

Unfortunately, I have some encrypted files in my documents folder that I
forgot were encrypted and I am unable to decrypt them without logging on. I
did not back up the certs and keys prior to the video failure.

Is there any way to get the security stuff I need off the drive and decrypt
these files? (I tried, for example, copying the Windows files to one of the
boot partitions in a dual boot VM machine where one of the boot partitions
was loaded with a generic copy of Windows XP, hoping to be able to log on
there. However, startup failed (driver incompatibility, no doubt).)

There are tools available that will do all the hard work of such a
recovery process. Elcomsoft has made some tools for this.
 
VanguardLH

Bill Fuller said:
I have a laptop with a failed video card. This card was specific to
the laptop and no longer available, so I am unable to log on.
However, the hard drive is fine, including system files, etc.

Unfortunately, I have some encrypted files in my documents folder
that I forgot were encrypted and I am unable to decrypt them without
logging on. I did not back up the certs and keys prior to the video
failure.

Is there any way to get the security stuff I need off the drive and
decrypt these files? (I tried, for example, copying the Windows
files to one of the boot partitions in a dual boot VM machine where
one of the boot partitions was loaded with a generic copy of Windows
XP, hoping to be able to log on there. However, startup failed
(driver incompatibility, no doubt).)


You had a failed laptop. We're supposed to guess what you have now?
If it is the same hardware, just move over the hard drive to your new
system. If the hardware is different, you could still try moving over
the hard drive and do a Repair (in-place) install of Windows to get it
to recognize the new hardware provided either Windows or you have all
the drivers for the new hardware. Then you boot using your old hard
drive, export the EFS certificate, and retrieve the contents of your
EFS-protected files (and encrypt them with something like
Truecrypt that doesn't rely on any external certs).
 
VanguardLH

VanguardLH said:
You had a failed laptop. We're supposed to guess what you have now?
If it is the same hardware, just move over the hard drive to your
new system. If the hardware is different, you could still try
moving over the hard drive and do a Repair (in-place) install of
Windows to get it to recognize the new hardware provided either
Windows or you have all the drivers for the new hardware. Then you
boot using your old hard drive, export the EFS certificate, and
retrieve the contents of your EFS-protected files (and encrypt
them with something like Truecrypt that doesn't rely on any external
certs).


By the way, before trying to change the old hard drive by doing a
Repair install on it, add it as a slave drive and save an image of the
drive or partitions.
 
Bill Fuller

Pegasus (MVP) said:
Copying the files is no great problem but unless you have the
certificates, you won't be able to decrypt the files on a different
machine.

There does seem to be a brute force way of doing this from the intact hard
drive described here:

http://www.beginningtoseethelight.org/efsrecovery/

However, it appears to be out of date. For example, locating the folder
"c:\documents and settings\foo\application data\microsoft\crypto\" for
private keys does not exist on my machine. I did find "c:\documents and
settings\foo\application data\microsoft\credentials\", which appears to be
the same. Also, all references to folders and files under "hklm\sam\sam\"
were nonexistent. This folder is empty.
 
Bill Fuller

Bill Fuller said:
There does seem to be a brute force way of doing this from the intact hard
drive described here:

http://www.beginningtoseethelight.org/efsrecovery/

However, it appears to be out of date. For example, locating the folder
"c:\documents and settings\foo\application data\microsoft\crypto\" for
private keys does not exist on my machine. I did find "c:\documents and
settings\foo\application data\microsoft\credentials\", which appears to be
the same. Also, all references to folders and files under "hklm\sam\sam\"
were nonexistent. This folder is empty.

Correction to above, I did find the missing files on the non-bootable drive.

What is salient about the link above is the following quote:

if you have following folders and their contents from the original install of
2k or xp - you can recover your efs data. knowledge of your password is also
required for this amount of data.

c:\documents and settings\foo\application data\microsoft\crypto\
- private keys

c:\documents and settings\foo\application data\microsoft\protect\
- locks your current password to your private keys

c:\documents and settings\foo\application data\microsoft\systemcertificates\
- public keys (not essential to be the original as another valid key can be
made up)

this data may be on an unbootable system, a backup, roaming profile or
currently on the system, either in the file system or in the free space.
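
An added example, not part of the thread or of the linked page: a read-only Python check of a profile directory copied from the non-bootable drive, reporting whether the three folders named in the quote above are present and hold files. The function names and the sample tree are constructed for illustration; point it at a copy or image of the drive, as suggested earlier in the thread.

```python
import os
import tempfile

# Folder names come from the quote above, relative to the profile directory.
# Per the quote, only the public-key store is replaceable.
BASE = ("application data", "microsoft")
FOLDERS = {"crypto": True, "protect": True, "systemcertificates": False}


def resolve_ci(root, parts):
    """Follow `parts` under `root`, ignoring case (the old NTFS volume may be
    mounted on a case-sensitive OS). Returns the directory path or None."""
    path = root
    for part in parts:
        try:
            match = next((n for n in os.listdir(path) if n.lower() == part), None)
        except OSError:
            return None
        if match is None:
            return None
        path = os.path.join(path, match)
    return path if os.path.isdir(path) else None


def audit_profile(profile_dir):
    """Read-only check: which key-material folders exist and hold files."""
    folders = {}
    for name, essential in FOLDERS.items():
        path = resolve_ci(profile_dir, BASE + (name,))
        files = sum(len(f) for _, _, f in os.walk(path)) if path else 0
        folders[name] = {"essential": essential, "path": path, "files": files}
    complete = all(v["files"] > 0 for v in folders.values() if v["essential"])
    return {"folders": folders, "complete": complete}


def build_sample_profile(root, with_protect=True):
    """Constructed stand-in for a profile copied from the old drive."""
    ms = os.path.join(root, "Application Data", "Microsoft")
    wanted = ["Crypto"] + (["Protect"] if with_protect else [])
    for sub in wanted:
        d = os.path.join(ms, sub, "CONSTRUCTED-SID")
        os.makedirs(d)
        with open(os.path.join(d, "placeholder.bin"), "wb") as fh:
            fh.write(b"constructed sample, not real key material")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(build_sample_profile(tmp)))
```

A `complete` result only means the folders the quote calls essential are populated; the quote also requires knowledge of the account password.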
 
