Decrypting files

Guest

Hi there,

Here is the story: I had some encrypted files on my external hard drive. The
file system was NTFS5 and the files were encrypted using EFS under Windows XP
Pro SP2. Unfortunately, MFT got damaged or lost so the partition remained
visible but inaccessible. After that, I recovered all the files and
directories using recovery software from that drive to a different location,
but now the files that were previously encrypted are still encrypted in fact,
but their "Encrypt attribute" under properties/ advanced attributes, is
cleared. I have full access to them even from another computer without the
certificate originally used for encryption, so they are not seen as encrypted
by the Win XP, but their content is so they are useful.

Is it possible to decrypt these files somehow? Of course I have the
private/public key originally used for their encryption. They "just" lost
their encrypt attribute during low level access to the drive and recovery
process they went through?
Is it possible to set the encrypt attribute manually?


Thank you.
 
Carey Frisch [MVP]

Before encrypting anything important, you should back up your
personal encryption certificate (with its associated private key)
and the recovery agent certificate to a floppy disk and store it in
a secure location. If you ever lose your original certificate
(because of a hard disk failure, for example), you can restore
the backup copy and regain access to your files. If you lose all
copies of your certificate (and no recovery agent certificates exist),
you won't be able to use your encrypted files. No back door exists,
nor is there any practical way to hack these files.
(If there were, it wouldn't be very good encryption.)

HOW TO: Remove File Encryption in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308993

Without a backup of the original Encryption Certificate Key, encrypted files
are unrecoverable as they will stay encrypted forever. There is no recovery
method since the encryption algorithm is now completely different with a
reinstall of Windows XP.

See if the following articles help in any way:

HOW TO: Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

Best Practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316

Encrypting File System in Windows XP
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

EFS Files Appear Corrupted When You Open Them
http://support.microsoft.com/default.aspx?scid=kb;en-us;329741

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

 
Guest

Hi,

Yes I do have backups of private/public keys used for encryption of these
files. But this is not the issue now. My encrypted files are not seen as
encrypted by the OS because they "lost" their encrypt attribute. I don't know
how to explain it better because I'm not a pro on this but they are fully
accessible even without certificate but their contents are scrambled.
I don't know if something like that exists, but I would need some utility
that would be able to import the private/public keys used for encryption,
which I have as I stated above, and then run the decryption process on the
files using the algorithm found in the key.

I cannot decrypt them the normal way, of course, because the Encrypt attribute
is not checked obviously.

-Dusan
 
Guest

Thank you for your reply. I tried Advanced EFS Data Recovery soft, but it
could not find any encrypted files of course, since my files have their
Encrypt attribute unchecked. Is there a tool that would be able to import the
keys for their encryption/decryption and then run the decrypt algorithm found
in the key on the file(s)?

-Dusan
 
Jupiter Jones [MVP]

If step 3 on that link is not a viable option, your data is gone.
My understanding is that Microsoft uses a similar technique to what you
already tried.
 
Guest

I'm not sure I understand all the details of what happened to your drive and
what you've done, but maybe this will help. If the contents of the files
appear scrambled, the data is still encrypted (or appears to be). Here's a
couple of suggestions:

1. Import the backup of your EFS certificate/key. When you backed up your
key, it created a .pfx file. Just run that .pfx file (or double-click it).
That will start the import wizard which will install the certificate to your
current Personal certificates store.

2. Be sure your current OS is WXP PRO with SP1 or SP2--so that the
encryption algorithm is the same as what you had before.

3. You say you "recovered" those files from the old drive to a different
location. That location should be on your local computer--not a remote
share--where you are importing your certificate/key.

Thanks.
Pat
 
