ENCRYPTED DATA RECOVERY


I have a somewhat complicated situation so please bear with me as I explain this problem. I am working with XP Pro and have 2 HDDs, a 40gig & a 160giger. In the 160 giger I have data etc where some of it was encrypted. I had made the decision to do a clean install of XP on the 40giger since I just got the XPSP2 RC1 with RC2 forthcoming. Disconnected the 160giger and proceeded from there.
After installing XP when I attempted to open up those files, the message I got was ACCESS DENIED! I was completely baffled. So now I have come into the realm of that thing called Certificates and when I do a DETAILS view on a particular file it shows my old user name and a Thumb Certificate. Reading up more I find out I should attempt to install a Recovery Agent [sounds like the Matrix here now] to decrypt my files.
However I am getting mixed messages and since I am no expert in this stuff, I am having this grave feeling that since the old XP install is no longer around the certificates that were stored in THAT registry are no longer available to open up my files.
Is this about right or do I have it all wrong and maybe I can breathe easy and recover my data? HELP!
If so, PLEASE provide me with a step-by-step solution since some of these files I have read assume you know everything about security and certificates!
 
Before you encrypt anything important, you should back up your
personal encryption certificate (with its associated private key)
and the recovery agent certificate to a floppy disk and store it in
a secure location. If you ever lose your original certificate
(because of a hard disk failure, for example), you can restore
the backup copy and regain access to your files. If you lose all
copies of your certificate (and no recovery agent certificates exist),
you won't be able to use your encrypted files. No back door exists,
nor is there any practical way to hack these files.
(If there were, it wouldn't be very good encryption.)

HOW TO: Remove File Encryption in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308993

Without a backup of the original Encryption Certificate Key, encrypted files
are unrecoverable as they will stay encrypted forever. There is no recovery
method since the encryption algorithm is now completely different with a
reinstall of Windows XP.

See if the following articles help in any way:

HOW TO: Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

Methods for Recovering Encrypted Data Files
http://support.microsoft.com/default.aspx?scid=kb;EN-US;255742

Best Practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316

Encrypting File System in Windows XP
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

EFS Files Appear Corrupted When You Open Them
http://support.microsoft.com/default.aspx?scid=kb;en-us;329741

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/
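
One way to carry out the backup advice in the reply above on a current Windows system, as an added example that is not part of the original post or of the linked Microsoft articles. It assumes Windows 8 / Server 2012 or later (for `Export-PfxCertificate`) rather than the XP install in the thread; `$BackupDir` and the function name `Get-EfsCertificate` are hypothetical.

```powershell
# Added example: list the current user's EFS and recovery-agent certificates,
# flag any that lack a private key, and export the rest to password-protected PFX files.
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System EKU
$DraOid    = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (recovery agent) EKU
$BackupDir = 'E:\efs-backup'              # hypothetical path on removable media

function Get-EfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        # Collect the EKU OIDs carried by this certificate, if any.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $role = if ($ekus -contains $DraOid) { 'RecoveryAgent' }
                elseif ($ekus -contains $EfsOid) { 'User' }
                else { $null }
        if ($role) {
            [pscustomobject]@{
                Role          = $role
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Certificate   = $cert
            }
        }
    }
}

$found = @(Get-EfsCertificate)
if (-not $found) {
    Write-Warning 'No EFS certificate in this profile: nothing here can decrypt EFS files.'
    return
}
$found | Format-Table Role, Thumbprint, NotAfter, HasPrivateKey -AutoSize

$password = Read-Host 'Password protecting the exported PFX files' -AsSecureString
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($item in $found) {
    if (-not $item.HasPrivateKey) {
        # A certificate without its private key is the situation described in this thread.
        Write-Warning "$($item.Thumbprint): no private key present; this copy cannot decrypt files."
        continue
    }
    $target = Join-Path $BackupDir "$($item.Role)-$($item.Thumbprint).pfx"
    try {
        Export-PfxCertificate -Cert $item.Certificate -FilePath $target `
            -Password $password -ErrorAction Stop | Out-Null
        "Exported $target"
    } catch {
        Write-Warning "$($item.Thumbprint): export failed (key may be non-exportable): $_"
    }
}
```

The thumbprints it lists can be compared with the one shown in an encrypted file's Details view to confirm that the backed-up key is the one the file was encrypted to.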

 
You need the original certificates.
The certificates can not be recreated.
The Recovery Agent needs to be designated beforehand.
Your data is most likely gone for good.

See this link for ways to prevent this in the future:
http://www3.telus.net/dandemar/encrypt.htm
If it is an Ownership issue and not an encryption issue, Step one
should work.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar/


 
I guess this has become a VERY PAINFUL EXPERIENCE for me now. 20/20 hindsight I should have decrypted those folders or if I had known to have had a Recovery Agent beforehand I would not be in this mess.
Man this really sucks! Let me ask you, is it futile to keep these files around in the hope that maybe something will come along that will be able to do some kind of reverse engineering?
--
ENAS


 
Advanced EFS Data Recovery v1.30
http://www.sharewareriver.com/product.php?id=2671

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

 
I have little doubt the technology will eventually be broken and the
average user will be able to regain access.
The question is how long? Days, Months, Years...

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar/


 
I just had a thought. I had saved some data that was encrypted as well on a diskette and was able to replace the folder that wouldn't allow me off the HDD. Can I use the certificates off the diskette to open up other files? Or something to that effect or am I barking up the wrong tree?
Thanks for the fast response though. I can have my heartache early instead of tomorrow morning.
--
ENAS


 
Depending on how important your files are, you might have a chance by using
recovery software to recreate your old boot drive. I've been able to recover
files off of drives that had been formatted and overwritten, but I never
tried getting the old OS to boot; usually I'm just after a few files, and
the software I have is able to "see" several layers of data on the drive.

Do a search for data recovery software, and look for software that says it
can recover after a format and after files were overwritten.
 
Actually no luck in that idea since I did a DoD scrubbing of the bloody drive, not knowing what kind of a mess I got myself into after the fact.
Carey Frisch [MVP] suggested this Advanced EFS Data Recovery v1.30. Have you had it work for you, are you aware of it?

--
ENAS


D.Currie said:
Depending on how important your files are, you might have a chance by using
recovery software to recreate your old boot drive. I've been able to recover
files off of drives that had been formatted and overwritten, but I never
tried getting the old OS to boot; usually I'm just after a few files, and
the software I have is able to "see" several layers of data on the drive.

Do a search for data recovery software, and look for software that says it
can recover after a format and after files were overwritten.
 
I am running SP2 RC1, and according to the posting it says it supports SP1. Wonder if this software will have the ability to recover? Do you have experience with it?
 
As I acknowledge the painful thing that has just happened, besides saving these folders in hope that soon I can recover them, what information should I decipher at least so as I seek the "key" to open these files I'll know what I am looking for?
Also, in an unrelated matter is it possible to export data off MP3s? For example, song, artist etc and bring into Excel? Thanks all, in spite of the fact it was dark news for me.
 
XDA974 said:
Actually no luck in that idea since I did a DoD scrubbing of the
bloody drive, not knowing what kind of a mess I got myself into
after the fact. Carey Frisch [MVP] suggested this Advanced EFS
Data Recovery v1.30. Have you had it work for you, are you aware
of it?
Hi

From "Advanced EFS Data Recovery v1.30" readme.txt:

<quote>
Known problems and limitations

- The program can decrypt protected files only if encryption keys
(at least, some of them) are still exist in the system and have
not been tampered.

....

</quote>


As you have no access to the profile folder for the user that encrypted
the files anymore, the encryption keys are not available to the
"Advanced EFS Data Recovery" program, and it will not be able to
decrypt any files for you.
 
