EFS + unbootable HDD help ...

andersen_mikael

Here's the deal:

1) HDD crashes, making it unbootable
2) It contains EFS encrypted files and I didn't backup keys

Yes, I know ... I'm a moron ... but not all hope is out and I'd like
any help ...

My hope is that:
1) I did make weekly backups and thus have the encrypted files
available.
2) Using Stellar's recovery tool I was (and still am) able to recover
virtually *all* files from the NTFS drive (haven't located a defect
file yet!!!) - accessing it from Explorer makes the HDD make 'funny'
noises - like "I can't read anything", until it gives up and suggests
that I format :)

However, recovering EFS encrypted files using Stellar is not possible
(they just contain garbage) and they are not access controlled (thus not
marked green) - does anyone know of any tools that can recover EFS
encrypted files from a damaged disk??? (I've tried some different
tools, which all fail in scanning the HDD - only Stellar succeeded,
incl. Active Undelete, File Scavenger)

Now on to my recovery attempts ...

I first tried following the description at
http://www.beginningtoseethelight.org/efsrecovery/index.php by changing
the SID (the "blue text" description), but no luck - still access
denied.

Then it came to me ... at least I thought ... I'll simply recreate my
OS. Since I could recover all files:
1) I simply took an old HDD, made it primary drive, installed XP on it
(until first reboot).
2) I then made my (newly bought) replacement disc primary again and
booted on it (leaving the newly formatted disc as sec. disc).
3) Copied all recovered files to the just installed HDD (I first deleted
the newly installed XP - both the Windows and the Documents and Settings folders -
and then copied). I copied Documents and Settings + the Windows folder + selected
"Program Files" folders - made that HDD primary again and booted ...

And voila ... sign-on dialog, logging in ... everything looks like
before - GREAT (was now able to easily export Outlook Express accounts
too, great!). But decrypt won't work ... still access denied (ownership
of files was claimed).

So I tried to encrypt a random file while watching the C:\Documents and
Settings\<user>\Application
Data\Microsoft\Crypto\RSA\S-1-5-21-1957994488-179605362-725345543-1003
folder (and protect) - and immed. after the encrypt, a new file was
generated ... I'm baffled ... it's like it can't see the file(s)
already present - how/why can't it see the files already present?????

Then I noted that the files from the recovery didn't have the same
attributes set (they weren't marked as system files and weren't hidden - which
the file created in the protect folder was when created), so perhaps Stellar
didn't recover them "correctly"??

Can anyone help ? I seem to be stuck ...
1) Since I completely replaced the new XP installation with the
recovered one - and am even running on the same physical machine - I can't
see how this could fail ... unless the key files weren't recovered
correctly by Stellar ... making the XP installation not recognize
them??

That'll put me back to my above question, about an (even better) tool
which can extract both the latest versions of my encrypted files and
the correct EFS key files?!
2) Did I miss something in "restoring" my OS which would make this
approach fail?

Looking forward to your help ....

Sincerely

Mikael Andersen
Jupiter Jones [MVP]

Mikael;
You MUST have the original keys.
Simply reinstalling Windows, even if the same name and password are used, is
vastly insufficient.
If that worked, EFS would not be secure.
The site you used (beginningtoseethelight) is the most practical procedure.
For all practical purposes there is no hack or crack for EFS, except of
course time.
I imagine that in a few years or decades, today's EFS may be easily broken
by anyone with normal computer access---but not today.

I believe Microsoft uses a similar procedure to beginningtoseethelight; you
could try them, Step 3 on this page:
http://www3.telus.net/dandemar/encrypt.htm
You will still need access to the ORIGINAL keys.

Also see the links near the bottom of that page for ways to help prevent
this in the future.

You may have discovered why encryption is often called "The Delayed Recycle
Bin".
andersen_mikael

Hey Jupiter (and others)

But AFAICS I *do* have the original keys - at least I'm able to recover
all the files from the *original* installation - that is both
1) Documents and Settings/<user>/ApplicationData/Microsoft/<crypto/protect/SystemCert's>
2) The different registry hives

So what makes you say that I don't have the original keys??

As for Jason's suggestion: AFAIU XP doesn't make the local administrator
(non-domain installation) a recovery agent? (or did I misunderstand
something?)

/Mikael
Jeff Layman

Here's the deal:

1) HDD crashes, making it unbootable
2) It contains EFS encrypted files and I didn't backup keys
(snip)

2) Using Stellar's recovery tool I was (and still am) able to recover
virtually *all* files from the NTFS drive (haven't located a defect
file yet!!!) - accessing it from Explorer makes the HDD make 'funny'
noises - like "I can't read anything", until it gives up and suggests
that I format :)

In desperation - desperate measures.

You *might* just get the original HDD to operate correctly for a few
minutes, if that would be any help. Take it out and put it in the freezer
for an hour or two. Then replace it and boot as quickly as you can. Get
what files you can off it that you haven't been able to access yet with
Stellar. You can often repeat this a few times until the disk gives up
completely.

I have used this method to get data files off my original HDD which failed
with little warning (I didn't know then what the loud clicking signified -
now I do!).
John Wunderlich

(e-mail address removed) wrote in
But AFAICS I *do* have the original keys - at least I'm able to
recover all the files from the *original* installation - that is
both 1) Documents and Settings/<user>/ApplicationData/Microsoft/<crypto/protect/SystemCert's>
2) The different registry hives

So what makes you say that I don't have the original keys??

The keys and certificate stored in the registry are themselves
encrypted with a combination of your old SID and your old password.
I'm afraid that unless you can get your old system to boot long enough
to log in and recover the keys, you're screwed. More info - See:

"Best practices for the Encrypting File System"
<http://support.microsoft.com/kb/223316/en-us>

Looking forward: next time you try to secure your system, consider the
freeware "Truecrypt". If you can recover a Truecrypt container file
and know the password then you have access (no hidden system
dependencies). You can also move your files between machines or access
them encrypted over a network.
<http://www.truecrypt.org>

HTH,
John
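The two replies above make the same defensive point from different angles: the EFS private key lives in the user's key container (the RSA\<SID> folder Mikael was watching), it is protected by the user's logon secret, and the only reliable recovery path is a backup of the certificate and private key taken while the original profile still logs in. The script below is an added example, not code from anyone in this thread, showing what that backup looks like on a current Windows box with PowerShell 5.1 and the PKI module: it counts files carrying the NTFS Encrypted attribute, finds the certificates in the user store with the EFS enhanced key usage, checks that a private key is actually present (and names its key-container file), and exports them to a password-protected PFX. `$ScanRoot`, `$BackupPath` and the output password are placeholders chosen for the example.

```powershell
# Added example (not from the thread). Assumes Windows with PowerShell 5.1+ and the
# PKI module (Export-PfxCertificate). Paths and the password are example placeholders.
param(
    [string]$ScanRoot   = "$env:USERPROFILE\Documents",
    [string]$BackupPath = "$env:USERPROFILE\efs-backup.pfx"
)

# 1. Inventory: which files under $ScanRoot carry the NTFS Encrypted attribute?
#    (This is the same set 'cipher /u /n' would report.)
$encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
Write-Host ("{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $ScanRoot)

# 2. Locate the user's EFS certificate(s).
#    EKU OID 1.3.6.1.4.1.311.10.3.4 = "Encrypting File System".
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' })

if ($efsCerts.Count -eq 0) {
    Write-Warning "No EFS certificate in the current user's store; nothing to back up."
    return
}

foreach ($cert in $efsCerts) {
    # 3. A certificate whose private key is missing cannot decrypt anything, so check
    #    before claiming a backup exists. For CAPI keys (what EFS uses) the key container
    #    name is the file name under %APPDATA%\Microsoft\Crypto\RSA\<SID>\.
    if (-not $cert.HasPrivateKey) {
        Write-Warning ("EFS cert {0} has no private key in this store" -f $cert.Thumbprint)
        continue
    }
    try {
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        Write-Host ("Key container file for {0}: {1}" -f $cert.Thumbprint, $container)
    } catch {
        Write-Host ("Key for {0} is not a CAPI container (CNG or non-exportable)" -f $cert.Thumbprint)
    }

    # 4. Export certificate + private key to a PFX protected by a password entered interactively.
    #    Store the PFX off the machine; it is the equivalent of 'cipher /x'.
    $pw = Read-Host -AsSecureString "Password to protect $BackupPath"
    Export-PfxCertificate -Cert $cert -FilePath $BackupPath -Password $pw | Out-Null
    Write-Host ("Exported EFS cert {0} (valid until {1}) to {2}" -f $cert.Thumbprint, $cert.NotAfter, $BackupPath)
}
```

Run it as the user whose files are encrypted, before the disk shows trouble. If step 3 reports no private key or no CAPI container while step 1 still finds encrypted files, that is exactly the state the thread describes: the ciphertext is intact, but the only copy of the key that unlocks it is gone.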
mka848

The keys and certificate stored in the registry are themselves
encrypted with a combination of your old SID and your old password.
I'm afraid that unless you can get your old system to boot long enough
to log in and recover the keys, you're screwed. More info - See:

"Best practices for the Encrypting File System"
<http://support.microsoft.com/kb/223316/en-us>

But AFAICS, I have the old system up and running - since I'm able to
copy *all* files from the original installation to a bootable HDD
replacing the fresh installation of XP.

At least I can't see how EFS is able to see that it's not the "old
system", but a "perfect copy" of the old system, only.

Looking forward: next time you try to secure your system, consider the
freeware "Truecrypt". If you can recover a Truecrypt container file
and know the password then you have access (no hidden system
dependencies). You can also move your files between machines or access
them encrypted over a network.
<http://www.truecrypt.org>

Will take a look, thx!
Don.Cupp

I don't think that you are actually succeeding in copying *all* the
files from your old system.