Encrypted Files from a formatted drive

  • Thread starter Steven L Umbach

Steven L Umbach

Without an RA the only way would be if the user that created the EFS files
had exported their EFS certificate/private key to a password protected .pfx
file for safekeeping for an event like this. Also if there is a copy of the
user's profile somewhere in a backup there also may be a way to extract the
user's private key from it but my guess is there is not from your
description of the scenario. There is no backdoor way to access EFS files.
If there is no user or RA private key available then the files are forever
gone. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS info
and best practices.
 

Guest

Files were encrypted on a disk from a computer that the drive has since been
formatted and no backups exist anymore. The files were created and stored on
an external drive. With the drive connected to a different machine, of
course, they cannot be opened. I realize that any account on this system is
not a recovery agent nor the account that created encrypted the files. But
I'm guessing a way exists to recover the files, just hoping you guys/gals
might have an idea of how to do it?

Hopefully I'm not S.O.L on this one

Thanks
 

Shenan Stanley

Kevin said:
Files were encrypted on a disk from a computer that the drive has
since been formatted and no backups exist anymore. The files were
created and stored on an external drive. With the drive connected to
a different machine, of course, they cannot be opened. I realize
that any account on this system is not a recovery agent nor the
account that created encrypted the files. But I'm guessing a way
exists to recover the files, just hoping you guys/gals might have an
idea of how to do it?

Hopefully I'm not S.O.L on this one

You might try third party products - but my initial guess would be S.O.L.

For example...
http://www.elcomsoft.com/aefsdr.html
 

Segovia

I realize that any account on this system is
not a recovery agent nor the account that created encrypted the files.

Without the key you are totally hosed. You might as well accept that the
data is gone...

However you did say that the drive containing the key was formatted. That
in itself does not destroy the data. If you reinstalled the OS after that,
and all the data files, then you might be out of luck since it's likely
that the clusters containing the key have been overwritten by now.
 

Guest

I get errors when trying to start a new post so I’ll just tag onto this one.

I’m having trouble with my EFS files that I’ve had since October 2003.
After reading some other posts, I think I know what’s wrong but before I
spend any more time on this I want to make sure. Here are the details.

In the fall of 2004 we bought a new Dell laptop and I moved/copied EFS data
from our Gateway to the Dell by network connection and USB drive. I don’t
remember if I moved any keys from the Gateway to the Dell, but I must have or
maybe just created a new key automatically when I turned on the Dell
encryption.


In October 2005 I reformatted our Gateway C partition and re-installed XP.
At the same time I exported the private key(s) from the Dell and imported
them on the Gateway. Then I created a D partition on our Dell and
“moved/copied†the data there from the C partition. I must have turned on
the encryption for the D partition folders then, but I’m not sure. Then I
reformatted and re-installed XP on the Dell C partition. I don’t remember
creating any new keys, but I think I re-imported the key(s) from the Gateway
back to the Dell (but can’t remember). All of the files that I wanted to use
opened fine after the XP install.

1-1/2 weeks ago our Dell HD stopped (I’m sending it to a data recovery
company.) I just installed XP on a new HD in the Dell. I restored my data
from backup DVDs. The data was backed up keeping EFS on it. I have three
private keys from the Gateway that I imported to the Dell with the new HD.
When I try to open the files, I get an access denied message.

Here is the key info I imported to the Dell.


name@SOLO (thumbprint starts with 48; valid from Friday, October 03, 2003
10:21:45 PM) (within a day of when I first started using EFS)

name@DELL8600 (thumbprint starts with 5d; valid from Tuesday, October 05,
2004 3:41:50 AM) (about the time I started using the new Dell)

name@@GATEWAY-SOLO (thumbprint starts with 13; valid from Monday, August 29,
2005 4:01:22 PM) (the current computer name is “GATEWAY-SOLO”, but I don’t
know what this date relates to, maybe a computer name change?)


==============================
The files on my computer (that won’t open) have encryption details as follows:

name@DELL8600 (thumbprint starts with C6). I don’t know how to get the date.

I’m assuming that in October 2005 when I moved/copied the data on the Dell
from the C partition to the D partition that it was still related to the
name@DELL8600 key with a thumbprint starting with “5d”.

1) When I installed XP after the data move, is it possible that at that time
XP created a new key “name@DELL8600” with a thumbprint of C6? Otherwise, I
don’t know why all of my restore data has that thumbprint.

2) When I send the HD to get the data recovered, is there anything special I
need to let the company know?

3) Is the private key just another data file somewhere? If they can’t get
the private key, there isn’t much sense in retrieving the data.

==============================
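
The situation in the post above (imported certificates whose thumbprints do not match the one recorded on the files) can be checked directly. The following is an added example, not part of the original thread: it assumes a Windows version whose cipher.exe supports the /c switch and prints English "Certificate thumbprint:" lines, and Get-EfsKeyMatch and the sample path are hypothetical names.

```powershell
# Added example, not from the thread. For one EFS-encrypted file, list every
# certificate thumbprint the file was encrypted to and report whether the
# current user's certificate store holds a matching certificate WITH its
# private key. Get-EfsKeyMatch is a hypothetical helper name.
function Get-EfsKeyMatch {
    param([Parameter(Mandatory)][string]$Path)

    # cipher /c prints one "Certificate thumbprint: XXXX XXXX ..." line for
    # each user and recovery certificate that can decrypt the file
    # (assumption: English output format).
    $needed = & cipher.exe /c $Path |
        Select-String -Pattern 'thumbprint:\s*([0-9A-Fa-f ]+)' |
        ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() } |
        Sort-Object -Unique

    # Index the user's personal certificates that actually carry a private key.
    # A certificate imported without its key cannot decrypt anything.
    $held = @{}
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object { $held[$_.Thumbprint.ToUpper()] = $_ }

    foreach ($tp in $needed) {
        $cert = $held[$tp]
        [pscustomobject]@{
            File           = $Path
            Thumbprint     = $tp
            HavePrivateKey = [bool]$cert
            Subject        = if ($cert) { $cert.Subject } else { $null }
            ValidFrom      = if ($cert) { $cert.NotBefore } else { $null }
        }
    }
}

# Constructed sample path; a row with HavePrivateKey = False for every
# thumbprint means none of the imported keys can open the file.
# Get-EfsKeyMatch -Path 'D:\Restore\example.doc' | Format-Table -AutoSize
```

If every row shows HavePrivateKey as False, the matching key must be recovered from a .pfx export or from the original user profile, as described in the first reply.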
 

Guest

moved to microsoft.public.windowsxp.security_admin
"Have key(s) for EFS files, still denied"

==============================
 
