EFS Encrypted Folder - Recovery Help needed

  • Thread starter: TechnoWiz

TechnoWiz

I have two HDDs on my system. The primary HDD has WinXP Pro
installed. The second HDD contains all my data, including My
Documents etc., and also backup files for my billing system
etc.
The data directory on the second HDD was encrypted using
my logon profile (TechnoWiz) and XP's EFS (Select
directory - properties - advanced - encrypt including
folders/files/subfolders.) I did not export the key at
the time.

My primary HDD died and became unrecoverable. I have
installed a new version of XP and set up new accounts.

I am unable to access my data files in the encrypted
folders, and most frustrating is that I have an image file
of my original HDD, made using Acronis True Image, also stored
within the encrypted data folder. There is even a copy of
my original registry which I exported on the 1st of May
when the image was created. It is only now that I have
found that the backup folder on my 2nd HDD was also
encrypted inadvertently so I cannot use the backup image.

Is there any way I can decrypt the folder, or even the
image file which I can then use to recreate my original
boot drive and I should then be able to get access to my
data?

Am I able to send someone a copy of the encrypted
registry (.reg) file somehow? If you can decrypt it, it
may have the original key data for decoding my data files
in it that you could return to me. (I'm desperate to get
my billing data back!!)


Regards
TechnoWiz
 
Gosh... I don't think so. That's the idea of encryption - not
even the C.I.D./F.B.I. can unencrypt it... but I could be
mistaken.

Sadie
 
Things do not sound good Techno Wiz.
As you do not have the EFS cert/key from an export,
the machine was not in an uplevel domain (?), and
you have no way to restore the old system to bootability,
and finally, you do not have a complete backup of the
profile of the encrypting account taken at a recent time
(and you know the password of the account at that time),
you seem to only have one option.
(Pay attention to that list above, as any one of those
will give you an option that might work out.)

And that is third-party data recovery firms that claim to
sometimes be able to cut through the mess. Basically
you pay (big time) by the hour for them to try, and you
do not receive a guarantee for any success.
 
Sadie,

Well even if the FBI or the CID cannot decrypt this, it is
a very good bet that the NSA can, with or without the
original FEK.

The NSA can decrypt _anything_ encrypted by commercial
encryption software. Otherwise, the software vendor (in
this case, Microsoft) would never have received Dept of
Commerce approval to distribute it.

The government generally imposes a delay in approving
encryption technology for marketing or export until they
have had a chance to determine a method to defeat that
encryption on a reliable basis.

For absolute certainty, multi-pass using dissimilar
encryption algorithms is the only way to be sure that _no
one_, including the NSA, can gain access to your data.
Using Microsoft's EFS alone will stop any casual hacker /
cracker. But the fact that Microsoft ever received Dept of
Commerce approval to sell / distribute this encryption
technology at all indicates that the NSA has already
broken it.

Naturally, this is my opinion, and has no more credibility
than I do :-).

Happy hunting.

Opti_mystic_69
 
That is hard to say.
A few years ago, a laptop was recovered from AQ.
It had Windows 2000 and 40 bit encryption.
It took a sizeable bank of computers a few weeks to decrypt.
The article I had has long since disappeared.
It is currently at 256 bit, assuming Service Pack 1 is installed.
What technology has changed in that time is not really publicly known,
but 256 bit is a tremendous jump from 40 bit.
With the resources and time it can be broken.
But how much resources...10, 100, 1000 etc computers?
1 year, 10 years, 100 years etc?

I would also like to see your reference for:
"The government generally imposes a delay in approving encryption
technology for marketing or export until they have had a chance to
determine a method to defeat that encryption on a reliable basis."
There used to be a 40 bit limit for export, but that ended a while
back.
 
Many thanks for the reply, you are surely correct. It
would have been nice if MS had noted in the docs on using
their "easy" file and folder EFS that if the system got
toasted, an exported key would be the only way to recover
data in circumstances like this.

I found the help and method needed to export keys,
unintuitive and bothersome, certainly not easy for the
casual home user of XP Pro. Adding snapins to a
management console to get to export keys is a challenge
to start with.

I have, of course, now exported my brand new key and
stored it on a CD for future use should a similar
disaster occur. I think I'll refrain from using EFS
anyway.

It's interesting to note that I can decrypt the folders
in my data drive using my new credentials, just not the
files within - go figure....

Cheerz
Steve Carter

TechnoWiz
 
Steve;
What you could do is create a folder with unimportant documents.
Practice recovering data in a situation where data loss is a non
issue.
Become proficient with all aspects of encryption.
 
"It's interesting to note that I can decrypt the folders
in my data drive using my new credentials, just not the
files within - go figure...."

EFS actually does not encrypt folders.
Windows marks folders so that files stored there will
default to being encrypted.

MS has augmented the documents significantly but
regrettably has told us that they cannot find a way
that is free from side-effects to alter the code for
EFS so that key export is forced on the user at first
use, or at least a big red warning message is.

"casual home user of XP Pro. Adding snapins to a
management console to get to export keys is a challenge
to start with."

MS believes Home edition is for the casual Home user.
The Certificates admin tool can be used to export the
cert/key pair without building a custom MMC.
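
Added example, not part of the original post or the thread: a PowerShell sketch that inventories EFS-encrypted files (as opposed to folders that are only marked) and exports the account's EFS certificate together with its private key. It assumes a current Windows release with Windows PowerShell 5.1 and the built-in PKI module rather than the XP-era tools discussed here; `$DataRoot` and `$BackupPath` are hypothetical paths.

```powershell
# Added example: audit EFS use under a data root and back up the EFS cert + key.
# Assumes Windows PowerShell 5.1+ with the PKI module; both paths are hypothetical.
param(
    [string]$DataRoot   = 'D:\Data',
    [string]$BackupPath = 'E:\efs-backup.pfx'
)

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID

# 1. Inventory: folders only carry a marker, the files are what is encrypted.
$items = Get-ChildItem -LiteralPath $DataRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
$files   = @($items | Where-Object { -not $_.PSIsContainer })
$folders = @($items | Where-Object { $_.PSIsContainer })
"{0} encrypted files, {1} folders marked for encryption" -f $files.Count, $folders.Count

# 2. Locate EFS certificates in the current user's personal store.
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku
})
if ($files.Count -gt 0 -and $efsCerts.Count -eq 0) {
    Write-Warning 'Encrypted files exist but this profile holds no EFS certificate.'
}

# 3. Export each certificate with its private key to a password-protected PFX.
$password = Read-Host -AsSecureString 'Password to protect the PFX'
foreach ($cert in $efsCerts) {
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): no private key in this profile, nothing to back up"
        continue
    }
    $target = $BackupPath -replace '\.pfx$', "-$($cert.Thumbprint).pfx"
    try {
        Export-PfxCertificate -Cert $cert -FilePath $target `
            -Password $password -ErrorAction Stop | Out-Null
        "Exported $($cert.Thumbprint) to $target (expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
    } catch {
        # Typical cause: the private key was created as non-exportable.
        Write-Warning "$($cert.Thumbprint): export failed: $($_.Exception.Message)"
    }
}
```

Keep the PFX and its password somewhere other than the encrypted volume; in this thread the only disk image sat inside the encrypted folder it was meant to recover.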
 
Jupiter,

I have no reference for my statement. I was expressing an
opinion, not attempting to postulate facts.

Opti_mystic_69
 