Is it possible to decrypt EFS files without backup certificate

sunorain

A PC had Vista installed and one folder was encrypted by the OS. This folder had
some thousand or so files.

Then Vista was reinstalled, with most old system files (including the "Windows",
"Users" and "Documents" folders) deleted before reinstallation. The encrypted
folder was left intact on the HDD.

Is it possible to get the files from the encrypted folder somehow decrypted under
the newly installed copy of Windows?

The username and password for the Windows account used to encrypt the folder are known.

Utilities like Elcomsoft's EFS recovery could not do much - when the account
password was supplied, the utility said that it can decrypt about 90 files
in total, with no hint on why specifically these files can be decrypted and not
others.

(microsoft.public.security, microsoft.public.win2000.security,
microsoft.public.security.homeusers, microsoft.public.windows.file_system,
microsoft.public.windows.vista.security)
 
That is not true.

There may be no software available to the public, but those files are
crack-able by Microsoft, Hard Drive Data recovery companies, and the
government.
 
Name *one* data recovery company who can recover encrypted files without
the EFS certificate.

John
 
Not true

Just recently there was a case of a child pornographer who was released
because he would not decrypt a hard drive for the prosecution. Do you not
think that under these circumstances that if it could be done - it would
have been done?
 
Sure, it *can* be done. With enough computing power, and enough time.
Therein lies the rub.
 
And he gets to foot the supercomputer's utility bills for those few years.
:D
Maybe something like the SETI@home thing might do it a bit faster.
 
Richard said:
Give it to a super computer for a few years!

Uhm, this type of additional base security apparently relies upon other
aspects within the system and/or network, such as: strong user and
administration passwords; caching of credentials; IPSec; domain aspects;
DRA; and other system and network activities, found/used in conjunction
with it [I won't directly include hack tools], for the discussion.

Some related and/or historical information might be valuable:

Where Does EFS Fit into your Security Plan?
http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan.html

Re: looking for EFS weaknesses
http://lists.virus.org/forensics-0306/msg00005.html

Analysis of Reported Vulnerability in the Windows 2000 Encrypting File
System (EFS)
http://technet.microsoft.com/en-us/library/cc749962.aspx

Default SYSKEY configuration compromises encrypting file system 13 May 2000
http://www.securiteam.com/windowsntfocus/5FP0B0U1FW.html

Windows 2000 Known Vulnerabilities and Their Fixes - PDF
http://www.sans.org/reading_room/wh...000_known_vulnerabilities_and_their_fixes_185

EFS and File Recovery
http://www.informit.com/articles/article.aspx?p=19486

Methods for Recovering Encrypted Data Files
http://support.microsoft.com/kb/255742

Data Protection and Recovery in Windows XP
http://technet.microsoft.com/en-us/library/bb457020.aspx

Encrypting File System in Windows XP and Windows Server 2003
http://technet.microsoft.com/en-us/library/bb457065.aspx

How to back up the recovery agent Encrypting File System (EFS) private
key in Windows Server 2003, in Windows 2000, and in Windows XP
http://support.microsoft.com/kb/241201

EFS File Recovery - Asia Supplement
http://blogs.technet.com/asiasupp/archive/2007/04/26/efs-file-recovery.aspx

How to recover EFS encrypted file
http://www.petri.co.il/forums/showthread.php?t=1609

Vista Tutorial - Encrypted File System (EFS) Certificate Restore
http://www.vistax64.com/tutorials/99956-encrypted-file-system-efs-certificate-restore.html

encrypted file system recovery {*MEB- an interesting look at the system}
http://www.beginningtoseethelight.org/efsrecovery/

Encrypting File System
http://en.wikipedia.org/wiki/Encrypting_File_System

*What the OP apparently tried:
Advanced EFS Data Recovery
http://www.elcomsoft.com/aefsdr.html
Advantages and Disadvantages of EFS and effective recovery of encrypted
data [Whitepaper] - PDF
http://www.elcomsoft.com/WP/advanta...d_effective_recovery_of_encrypted_data_en.pdf
[Case study] Don’t let EFS trick you: Tips on recovering EFS-encrypted
data when it gets lost.
http://www.elcomsoft.com/cases/tips_on_recovering_EFS-encrypted_data_when_it_gets_lost.pdf

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
 
John said:
Name *one* data recovery company who can recover encrypted files without
the EFS certificate.

John

I think what was being alluded to, in part, was the known activities
presently occurring between Microsoft and Law enforcement, such as:

Microsoft and National White Collar Crime Center Make Digital Forensics
Tool Available to U.S. Law Enforcement Agencies
http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx

Microsoft denies handing law enforcement ‘backdoor’ keys
http://www.lamp.edu.au/watercooler/microsoft-denies-handing-law-enforcement-backdoor-keys/

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
 
MEB said:
I think what was being alluded to, in part, was the known activities
presently occurring between Microsoft and Law enforcement, such as:

Microsoft and National White Collar Crime Center Make Digital Forensics
Tool Available to U.S. Law Enforcement Agencies
http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx

Microsoft denies handing law enforcement ‘backdoor’ keys
http://www.lamp.edu.au/watercooler/microsoft-denies-handing-law-enforcement-backdoor-keys/

Members of the British government were blabbering about not being able
to decrypt BitLocked files... until someone reminded them that the very
thing that they were asking for would make *their* own encrypted files
accessible to any foreign entity who had such tools. Strangely enough
at that point the blabbering stopped...

John
 
MEB said:
Richard said:
Give it to a super computer for a few years!

Uhm, this type of additional base security apparently relies upon other
aspects within the system and/or network, such as: strong user and
administration passwords; caching of credentials; IPSec; domain aspects;
DRA; and other system and network activities, found/used in conjunction
with it [I won't directly include hack tools], for the discussion.

Some related and/or historical information might be valuable:


None of the above deals with recovering encrypted files *without* the
EFS certificate. These discussions and tools simply deal with known
"best practices" when using EFS and how to use the Recovery Agent or
backup copies of the certificate to regain access to encrypted files.
Other discussions and tools deal with recovery of the certificate (not
files) on failing drives or on Windows installations that fail to start
or recovery of certificates deleted by user error. I think that the
bottom line is that maybe cryptologists with supercomputing power and
ample time might be able to recover these files but in reality without
the certificate for all intents and purposes the files are lost.

It is true that I could walk on the moon, but in reality it is most
unlikely that I ever will, the same goes for most all of us having any
hope of recovering encrypted files without the certificate, unless the
OP can recover his EFS certificate he has truly lost his encrypted files.

John
 
John said:
MEB said:
Richard said:
Give it to a super computer for a few years!

Uhm, this type of additional base security apparently relies upon other
aspects within the system and/or network, such as: strong user and
administration passwords; caching of credentials; IPSec; domain aspects;
DRA; and other system and network activities, found/used in conjunction
with it [I won't directly include hack tools], for the discussion.

Some related and/or historical information might be valuable:

None of the above deals with recovering encrypted files *without* the
EFS certificate. These discussions and tools simply deal with known
"best practices" when using EFS and how to use the Recovery Agent or
backup copies of the certificate to regain access to encrypted files.
Other discussions and tools deal with recovery of the certificate (not
files) on failing drives or on Windows installations that fail to start
or recovery of certificates deleted by user error. I think that the
bottom line is that maybe cryptologists with supercomputing power and
ample time might be able to recover these files but in reality without
the certificate for all intents and purposes the files are lost.

It is true that I could walk on the moon, but in reality it is most
unlikely that I ever will, the same goes for most all of us having any
hope of recovering encrypted files without the certificate, unless the
OP can recover his EFS certificate he has truly lost his encrypted files.

John

That doesn't even earn a response other than this...

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
 
In the meantime, the OP left to post elsewhere where the conduct was less of
a grade school playground brawl.

started a good cat fight.....

"He started it"

"I did not, you did"

"No, you did."

ad infinitum......
 
Andy said:
In the meantime, the OP left to post elsewhere where the conduct was
less of a grade school playground brawl.

and started a good cat fight.....

"He started it"

"I did not, you did"

"No, you did."

ad infinitum......

Yep, certainly did that, didn't it. Think it was a Usenet "drive-by"
post... or was it possibly related to the "can't be done, don't bother
even trying", wherein everyone has the ability to post their purported
prior experience levels upon challenge... I always get a kick out of
Usenet, but it is reflective of society in general. These same
activities have been carried over into other areas, such as blogs and
"social networking" activities.
 
MEB said:
Yep, certainly did that, didn't it. Think it was a Usenet "drive-by"
post... or was it possibly related to the "can't be done, don't bother
even trying", wherein everyone has the ability to post their purported
prior experience levels upon challenge... I always get a kick out of
Usenet, but it is reflective of society in general. These same
activities have been carried over into other areas, such as blogs and
"social networking" activities.

What an egotistical troll you are! The problem isn't with the others it is
with YOU! You are the one who did the "drive-by" post. You gave no useful
advice at all, the only thing that you did is show your vitriolic
personality and ignorance, and you have plenty of that to go 'round!

Let me add my voice to this, I've "been there, done that" and I've learned
the hard way. I'm one of those who lost files because I didn't know any
better and I didn't back up my certificate; without the certificate the files
are lost. You're wasting everybody's time with your less than helpful
posts.
 
The **FACT** is - they weren't able to crack the encryption using any
method.

So why would **I** find your links valuable?

Send them to all the prosecutors in the world and they may find them as
worthless as most knowledgeable people do.

--

Richard Urban
Microsoft MVP
Windows Desktop Experience & Security


MEB said:
Richard said:
Give it to a super computer for a few years!

Uhm, this type of additional base security apparently relies upon other
aspects within the system and/or network, such as: strong user and
administration passwords; caching of credentials; IPSec; domain aspects;
DRA; and other system and network activities, found/used in conjunction
with it [I won't directly include hack tools], for the discussion.

Some related and/or historical information might be valuable:


--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
 
Richard said:
The **FACT** is - they weren't able to crack the encryption using any
method.

So why would **I** find your links valuable?

Send them to all the prosecutors in the world and they may find them as
worthless as most knowledgeable people do.

HAHA, that's funny. Did you work on that one for a couple days to come
up with it..

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
 