EFS private key on slaved drive

Jeremy

I have an encrypted "My Documents" folder on an unbootable
drive. The profile still lies on the drive someplace and
I know the account's password. I have the drive slaved.
I have tried using ELCOMSOFT's Advanced EFS Data Recovery
software and I gave it the username and password of the
profile. It finds the private key but is still unable to
decrypt. The slaved drive was running WinXP with all
latest updates on it. What can I do to retrieve the
encrypted folder from this drive?
 
Torgeir Bakken (MVP)

Jeremy said:
I have an encrypted "My Documents" folder on an unbootable
drive. The profile still lies on the drive someplace and
I know the account's password. I have the drive slaved.
I have tried using ELCOMSOFT's Advanced EFS Data Recovery
software and I gave it the username and password of the
profile. It finds the private key but is still unable to
decrypt. The slaved drive was running WinXP with all
latest updates on it. What can I do to retrieve the
encrypted folder from this drive?

Hi

You could see if the content in this link could help you:

http://www.beginningtoseethelight.org/efsrecovery/


--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide:
http://www.microsoft.com/technet/community/scriptcenter/default.mspx
 
Jeremy Rabalais

I looked at the link and it states "you will need a user
account of the same user and machine number as the
original. check this original folder name: c:\documents and
settings\%username%\application
data\microsoft\crypto\rsa\s-1-5-21-1078081533-1606980848-
854245398-1003". I can't access this as the %username%
folder is what's encrypted. Also, the original drive has
XP service pack 1 installed, but the one I'm booting off
of doesn't have any service packs on it. Could this be
the reason ELCOMSOFT's software would not decrypt the
private key even with the password supplied? Thanks a
bunch for helping out, I don't know what else to do at
this point.

On another note, I never explicitly encrypted the folder,
I just checked off the checkbox in XP to make the folder
private from other users. Doesn't anyone think that
Windows should at least warn you when it's doing this so
you can know to backup your private key?
 
Drew Cooper [MSFT]

XP RTM will be able to unlock an XPSP1 file's symmetric key, but won't
understand the original symmetric algorithm. If that were the case for you,
you could "decrypt", but you'd see garbage.

The way this works is that there are a series of keys, one encrypting the
next, until finally there is the symmetric key to encrypt a given file. A
encrypts B encrypts C encrypts D etc.
From what you wrote, I suspect that you have something more like A encrypts
B encrypts C encrypts A - sounds like there's been a cycle introduced. If
so, Elcomsoft (or Microsoft Support or anyone else) won't be able to help
you.

We don't recommend encrypting the "Application Data" folder. Its files have
the system attribute by default, which would normally block EFS from
encrypting them.

Making a folder "private" does not encrypt it. Are you sure the files are
encrypted?
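Two of the questions raised in this reply can be checked directly on a mounted (slaved) volume: whether the files carry the EFS Encrypted attribute at all, and whether the profile's own key store (the RSA container path quoted earlier in the thread, plus the DPAPI master-key folder under Application Data\Microsoft\Protect that wraps it) has itself been encrypted, which is the "A encrypts B encrypts A" cycle described above. The following PowerShell script is an added example, not code from the thread or from Microsoft; the profile path is a placeholder and the `cipher.exe /x` line at the end is the built-in way to back up the EFS certificate and private key on a working system.

```powershell
# Added example: inventory what is really EFS-encrypted under a profile and
# flag encrypted files inside the key store that EFS needs to start the chain.
# Assumption: the slaved volume is mounted and $ProfileRoot (placeholder) points
# at the user profile being inspected. Uses -Force so hidden/system files count.

param(
    [string]$ProfileRoot = 'D:\Documents and Settings\jeremy'   # placeholder path
)

function Get-EfsEncryptedFiles {
    param([string]$Path)
    # PSIsContainer instead of -File so this also works on PowerShell 2.0.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
        }
}

# 1. Is anything under "My Documents" actually encrypted?
#    "Make this folder private" only changes permissions; it sets no Encrypted attribute.
$docs = Join-Path $ProfileRoot 'My Documents'
$encrypted = @(Get-EfsEncryptedFiles -Path $docs)
"{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $docs
$encrypted | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 2. Cycle check: the RSA private-key container and the DPAPI master keys that
#    wrap it must NOT be EFS-encrypted themselves, or nothing can unwrap anything.
$keyStores = @(
    (Join-Path $ProfileRoot 'Application Data\Microsoft\Crypto\RSA'),
    (Join-Path $ProfileRoot 'Application Data\Microsoft\Protect')
)
foreach ($store in $keyStores) {
    if (-not (Test-Path $store)) { "Key store not found: $store"; continue }
    $bad = @(Get-EfsEncryptedFiles -Path $store)
    if ($bad.Count -gt 0) {
        Write-Warning ("{0} EFS-encrypted file(s) in key store {1}; the keys needed to decrypt them are inside them" -f $bad.Count, $store)
        $bad | ForEach-Object { "  " + $_.FullName }
    } else {
        "Key store OK (no EFS-encrypted files): $store"
    }
}

# 3. Prevention on a healthy system: export the EFS certificate and private key
#    to a password-protected PFX (cipher.exe prompts for the PFX password).
#    Uncomment to run; the output path is a placeholder and gets a .pfx extension.
# cipher.exe /x "$env:USERPROFILE\efs-backup"
```

If step 1 reports zero encrypted files, the folder was only made private and the data is reachable by taking ownership of it from an administrator account; if step 2 warns about the key store, the recovery tools in this thread have nothing to work with, which matches the diagnosis above.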
 
DeFace

I basically have the same problem. Using Advanced EFS Recovery I can find
the master and private key, but don't know how to utilize them to decrypt. We
moved domains and my logon changed since then, so it's buggered. If you or
anyone could help it would be much appreciated.


-
DeFace
 
DeFace

DeFace said:
*I basically have the same problem. Using Advanced EFS Recovery I can
find the master and private key, but don't know how to utilize them to
decrypt. We moved domains and my logon changed since then, so it's
buggered. If you or anyone could help it would be much appreciated. *
Sorry, forgot to say: using Advanced EFS Recovery decrypts the file, but I
still can't open or access it. I know the demo only decrypts the first
512 bytes. So is there any other way?


-
DeFace
 
Drew Cooper [MSFT]

If your domain admins were EFS-savvy, they exported the default recovery
certificate and private key before the domain rename. If that's the case,
they can recover your files.

If it's possible to rejoin the old domain, that's your next easiest way to
decrypt the files.

Beyond that, you can use a 3rd party tool or call Microsoft product support.