Is it possible to decrypt EFS files without backup certificate

S

Shenan Stanley

sunorain said:
A PC had Vista installed and one folder was encrypted by OS. This
folder had some thousand or so files.

Then Vista was reinstalled, with most old system files (including
"Windows", "Users" and "Documents" folders) deleted before
reinstallation. Encrypted folder left intact on HDD.

Is it possible to get files from encrypted folder somehow decrypted
under newly installed copy of Windows?

Username and password for Windows account used to encrypt folder
are known.

Utilities like Elsomsoft's EFS recovery could not do much - when
account password have been supplied utility said that it can
decrypt about 90 files in total with no hint on why specifically
these files can be decrypted and not others.

(microsoft.public.security, microsoft.public.win2000.security,
microsoft.public.security.homeusers,
microsoft.public.windows.file_system,
microsoft.public.windows.vista.security)

sunorain,

I have empathy for your post and what it has been turned into. I did find a
fine example of what it basically has become...

http://video.google.com/videoplay?docid=-4784409600367252507

Hopefully it serves more purpose than the back-and-forth your conversation
has become - at least make you smile/laugh - *grin*

Direct answer...

In general - if you have no backup of your encryption key/cert and/or backup
of your old hard disk drive contents (full image) so you might revert to it
and regain said information and back it up this time - your files/folders in
the EFS are likely (for all intents and purposes) lost to you.

It sucks - but it is why people are encouraged to make good backups.

Might you be able to get something back? Sure - anything is possible - but
you'd have to let everyone know what backups you have, if you have an image
of the hard disk drive before the problems, etc. However - assuming you
would have mentioned that - recovery is unlikely - even if you throw a lot
of money at the issue.
 
M

MEB

Shenan said:
sunorain,

I have empathy for your post and what it has been turned into. I did find a
fine example of what it basically has become...

http://video.google.com/videoplay?docid=-4784409600367252507

Hopefully it serves more purpose than the back-and-forth your conversation
has become - at least make you smile/laugh - *grin*

Direct answer...

In general - if you have no backup of your encryption key/cert and/or backup
of your old hard disk drive contents (full image) so you might revert to it
and regain said information and back it up this time - your files/folders in
the EFS are likely (for all intents and purposes) lost to you.

It sucks - but it is why people are encouraged to make good backups.

Might you be able to get something back? Sure - anything is possible - but
you'd have to let everyone know what backups you have, if you have an image
of the hard disk drive before the problems, etc. However - assuming you
would have mentioned that - recovery is unlikely - even if you throw a lot
of money at the issue.

Okay, at LEAST add there are some really good [some free] disk recovery
programs that could be tried. What can it hurt... it would take less
than twenty or thirty minutes to check including download time... heck,
even something like Hiren's or Knoppix Live could potentially be used.
This was an old [apparently as there are a few thousand files involved]
large installation with a SMALLER new installation placed, why not check...

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
 
S

Shenan Stanley

sunorain said:
A PC had Vista installed and one folder was encrypted by OS. This
folder had some thousand or so files.

Then Vista was reinstalled, with most old system files (including
"Windows", "Users" and "Documents" folders) deleted before
reinstallation. Encrypted folder left intact on HDD.

Is it possible to get files from encrypted folder somehow decrypted
under newly installed copy of Windows?

Username and password for Windows account used to encrypt folder
are known.

Utilities like Elsomsoft's EFS recovery could not do much - when
account password have been supplied utility said that it can
decrypt about 90 files in total with no hint on why specifically
these files can be decrypted and not others.

Shenan said:
sunorain,

I have empathy for your post and what it has been turned into. I
did find a fine example of what it basically has become...

http://video.google.com/videoplay?docid=-4784409600367252507

Hopefully it serves more purpose than the back-and-forth your
conversation has become - at least make you smile/laugh - *grin*

Direct answer...

In general - if you have no backup of your encryption key/cert
and/or backup of your old hard disk drive contents (full image) so
you might revert to it and regain said information and back it up
this time - your files/folders in the EFS are likely (for all
intents and purposes) lost to you.

It sucks - but it is why people are encouraged to make good backups.

Might you be able to get something back? Sure - anything is
possible - but you'd have to let everyone know what backups you
have, if you have an image of the hard disk drive before the
problems, etc. However - assuming you would have mentioned that -
recovery is unlikely - even if you throw a lot of money at the
issue.
Okay, at LEAST add there are some really good [some free] disk
recovery programs that could be tried. What can it hurt... it would
take less
than twenty or thirty minutes to check including download time...
heck, even something like Hiren's or Knoppix Live could potentially
be used. This was an old [apparently as there are a few thousand
files involved] large installation with a SMALLER new installation
placed, why not check...

Given what the original poster has, ("... Vista was reinstalled, with most
old system files (including "Windows",
"Users" and "Documents" folders) deleted before reinstallation ..."), the
chances are very slim indeed - also - considering this has gone on for two
weeks now (14 days since their original posting) it is likely they have
utilized the machine pretty well at this point - slimming the possibilities
even more of recovering anything - much less anything that might help them.

However - why didn't you? Instead of suggesting someone suggest something -
suggest - with details. ;-)

Would it have been hard to do this:

Recuva
http://www.piriform.com/recuva

Restoration
http://www.snapfiles.com/get/restoration.html

Undelete
http://www.diskeeper.com/undelete/undelete.aspx

Use any of those with the Ultimate Boot CD for Windows:
http://www.ubcd4win.com/

However - without the DRA or backed up private key and given this was a
stand-alone machine - likely still a wash. Backups - the only true solution
to data loss. Data loss - usually the most well-listened-to teacher
avocating backups - if only those listening now had listened to the masses
days/weeks/years before. ;-)

It being Vista - this is of little help:
http://www.beginningtoseethelight.org/efsrecovery/
.... not to mention, likely over the head of anyone who did not bother to
make backups of their important files. ;-)

When you add to that the facts given that things like this:
http://www.elcomsoft.com/WP/advanta...d_effective_recovery_of_encrypted_data_en.pdf
.... only had limited - unbelievably limited - success; things aren't looking
just bleak, but downright dark and dead quiet.

They can try all that - if they want - but even though they did not backup
the data and use best practices for EFS (showing thwey may not have
understaood what they were doing) they did mention some things they have
tried leading one to think they did their research and probably thought
about some (if not all) of this long ago - and if they had success or not -
we are likely to never know. No success - what incentive do they have to
report back they fail? Success - they will likely feel like they did it on
their own (and would likely be right given the paths this conversation took)
and they have nothing to say to anyone here. ;-)
 
M

MEB

Shenan said:
sunorain said:
A PC had Vista installed and one folder was encrypted by OS. This
folder had some thousand or so files.

Then Vista was reinstalled, with most old system files (including
"Windows", "Users" and "Documents" folders) deleted before
reinstallation. Encrypted folder left intact on HDD.

Is it possible to get files from encrypted folder somehow decrypted
under newly installed copy of Windows?

Username and password for Windows account used to encrypt folder
are known.

Utilities like Elsomsoft's EFS recovery could not do much - when
account password have been supplied utility said that it can
decrypt about 90 files in total with no hint on why specifically
these files can be decrypted and not others.

Shenan said:
sunorain,

I have empathy for your post and what it has been turned into. I
did find a fine example of what it basically has become...

http://video.google.com/videoplay?docid=-4784409600367252507

Hopefully it serves more purpose than the back-and-forth your
conversation has become - at least make you smile/laugh - *grin*

Direct answer...

In general - if you have no backup of your encryption key/cert
and/or backup of your old hard disk drive contents (full image) so
you might revert to it and regain said information and back it up
this time - your files/folders in the EFS are likely (for all
intents and purposes) lost to you.

It sucks - but it is why people are encouraged to make good backups.

Might you be able to get something back? Sure - anything is
possible - but you'd have to let everyone know what backups you
have, if you have an image of the hard disk drive before the
problems, etc. However - assuming you would have mentioned that -
recovery is unlikely - even if you throw a lot of money at the
issue.
Okay, at LEAST add there are some really good [some free] disk
recovery programs that could be tried. What can it hurt... it would
take less
than twenty or thirty minutes to check including download time...
heck, even something like Hiren's or Knoppix Live could potentially
be used. This was an old [apparently as there are a few thousand
files involved] large installation with a SMALLER new installation
placed, why not check...

Given what the original poster has, ("... Vista was reinstalled, with most
old system files (including "Windows",
"Users" and "Documents" folders) deleted before reinstallation ..."), the
chances are very slim indeed - also - considering this has gone on for two
weeks now (14 days since their original posting) it is likely they have
utilized the machine pretty well at this point - slimming the possibilities
even more of recovering anything - much less anything that might help them.

However - why didn't you? Instead of suggesting someone suggest something -
suggest - with details. ;-)

Would it have been hard to do this:

Recuva
http://www.piriform.com/recuva

Restoration
http://www.snapfiles.com/get/restoration.html

Undelete
http://www.diskeeper.com/undelete/undelete.aspx

Use any of those with the Ultimate Boot CD for Windows:
http://www.ubcd4win.com/

However - without the DRA or backed up private key and given this was a
stand-alone machine - likely still a wash. Backups - the only true solution
to data loss. Data loss - usually the most well-listened-to teacher
avocating backups - if only those listening now had listened to the masses
days/weeks/years before. ;-)

It being Vista - this is of little help:
http://www.beginningtoseethelight.org/efsrecovery/
.... not to mention, likely over the head of anyone who did not bother to
make backups of their important files. ;-)

When you add to that the facts given that things like this:
http://www.elcomsoft.com/WP/advanta...d_effective_recovery_of_encrypted_data_en.pdf
.... only had limited - unbelievably limited - success; things aren't looking
just bleak, but downright dark and dead quiet.

They can try all that - if they want - but even though they did not backup
the data and use best practices for EFS (showing thwey may not have
understaood what they were doing) they did mention some things they have
tried leading one to think they did their research and probably thought
about some (if not all) of this long ago - and if they had success or not -
we are likely to never know. No success - what incentive do they have to
report back they fail? Success - they will likely feel like they did it on
their own (and would likely be right given the paths this conversation took)
and they have nothing to say to anyone here. ;-)

And I would agree, when posted 10/26/09, simple recovery methods SHOULD
have been the *first* suggestions, taking the disk out of usage, and
other. INSTEAD those answering went off on the thought of
CRACKING/HACKING the actual files, to the point of a ridiculous
discussion of Super Computers.

I entered the discussion on 11/4/09 [around 8-9 days later], seeing NO
ONE had even suggested anything remotely like would have been applied
under these or other circumstances and situations, attempted file
recovery; and where NO ONE had submitted anything regarding methods or
tools, Microsoft or otherwise. The apparent though was impossible to
recover, where in ANY other file deletion or related disk issue the
IMMEDIATE response would or should have been as indicated, attempted
recovery.
When I suggest that there were other methods and provided links to
materials including Microsoft Articles and tools, they were received
with disdain BY supposed MVPs. Excuse me, these are tools and
information related to the activity. They DO provide the "best
practices" and tools for particular situations regarding EFS, don't they.
When I addressed other potentials such as beginningtoseethelight, which
shows indicators to the information sought should hex recovery or
modification be needed, I received some of the most ignorant junk
possible, AGAIN from MVPs. This is SUPPOSEDLY a group with experts. With
indicators available, there was another potential recovery method, if
necessary.
We aren't discussing cracking/hacking encrypted files, it was the
potential DATA recovery that might have been useful to the OP. It was
also the tools available, and potential methods for others who might
find this discussion.


Now, why don't YOU might explain why YOU didn't step in IMMEDIATELY
with suggested recovery methods, and WHY none of the other MVPs did.
That would be real interesting I'm sure.

While you're at it, explain why they STILL don't get it.

You can sit smugly at your computer in here all day long and say it
*might* have been impossible to recovery, it as good an excuse as any
now; but IT DANG SURE IS NOW because NONE of you even tried. NONE of you
suggested anything of value.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
 
S

Shenan Stanley

<snip>
And I would agree, when posted 10/26/09, simple recovery methods
SHOULD have been the *first* suggestions, taking the disk out of
usage, and other. INSTEAD those answering went off on the thought of
CRACKING/HACKING the actual files, to the point of a ridiculous
discussion of Super Computers.

I entered the discussion on 11/4/09 [around 8-9 days later], seeing
NO ONE had even suggested anything remotely like would have been
applied under these or other circumstances and situations,
attempted file recovery; and where NO ONE had submitted anything
regarding methods or tools, Microsoft or otherwise. The apparent
though was impossible to recover, where in ANY other file deletion
or related disk issue the IMMEDIATE response would or should have
been as indicated, attempted recovery.
When I suggest that there were other methods and provided links to
materials including Microsoft Articles and tools, they were received
with disdain BY supposed MVPs. Excuse me, these are tools and
information related to the activity. They DO provide the "best
practices" and tools for particular situations regarding EFS, don't
they. When I addressed other potentials such as
beginningtoseethelight, which shows indicators to the information
sought should hex recovery or modification be needed, I received
some of the most ignorant junk possible, AGAIN from MVPs. This is
SUPPOSEDLY a group with experts. With indicators available, there
was another potential recovery method, if necessary.
We aren't discussing cracking/hacking encrypted files, it was the
potential DATA recovery that might have been useful to the OP. It
was also the tools available, and potential methods for others who
might find this discussion.


Now, why don't YOU might explain why YOU didn't step in IMMEDIATELY
with suggested recovery methods, and WHY none of the other MVPs did.
That would be real interesting I'm sure.

While you're at it, explain why they STILL don't get it.

You can sit smugly at your computer in here all day long and say it
*might* have been impossible to recovery, it as good an excuse as
any now; but IT DANG SURE IS NOW because NONE of you even tried.
NONE of you suggested anything of value.

Easy there, MEB.

Why do you think I (or anyone here) owe you (someone I don't know)
information about me (someone you don't know) and where I was or why I
do/don't/didn't/did do something?

Same question to you - why didn't you step in immediately on day one with
your suggestions?

Likely the same answer for both. Volunteer, not paid to do this, have a
life, doing something else, can't be everywhere at once and nunya...

You can think people are being smug all you want - they are not - they are
being where they can/want to be when they can when they want to be. They
answer how they want, with what they want.

There is no *you* here - this is a PEER-to-PEER newsgroup - you are the same
as anyone else here. You are a PEER.

Said it before, looks like I have to say it again. I volunteer my
experience and knowledge - volunteer above and beyond my normal life and
career. I get to say what I want when I want to say it. If Microsoft
disappeared tomorrow - it would mean very little in terms of what I do.
Initials mean little - it's what you make of it. I did it long before I
received any initials for doing it and would likely still do it without the
initials (although I am considering not doing it anymore because people seem
to *expect* things they shouldn't.)

Your comments were late just as some others were and did very little to help
the situation when you decided that instead of ignoring those who decided to
buck what you were saying - you'd feed on them and them on you and make this
entire conversation into garbage that was of no use to the OP and wasn't
even a logical discussion, but a "No, YOU!" shouting match.

One problem is you never know what the reaction will be from people. I have
been involved in postings where it seemed like the person had tried nothing,
but was just honestly asking for assistance. I listed all the simple things
to try and some more advanced things to try in excruciating detail - in
hopes that something might help them. What was the reaction? They bit my
head off for treating them like a child, for not assuming they had done all
the simple stuff, going as far as calling me names.

It's a volunteer based newsgroup (forum) - if you don't like what someone
says or don't want to get involved - you don't have to. If you want to stop
at any point being involved, do so. And sure - you can call people names,
troll, chide people into responding, dance around the topic, be the holy
zealot in the right/wrong side, be the jester or be the true fool - all that
is a free for all as well. What you do here *is* your choice. When you do
things here *is* your choice.

Don't expect - however - anything. It's not your 'right', especially not
here. You voluntarily answer and are no different than anyone else here -
no matter what value you want to put into what initials you see.

I knew someone once that started putting initials at the end of their name
many years back. People, strangely - started treating them with more
respect, etc. The letters added were "RNG" <- they meant 'Really Nice Guy',
but no one ever asked - they just assumed some importance came with them. I
would suggest never being that unwise.


But - I will return to the subject at hand - as it should always end up
doing...


The truth is - given what the OP did - I fully believe they would have been
unsuccessful in their attempts - no matter what was suggested within minutes
of their original posting.

They didn't make backups (if they did, they did not mention any), they
didn't understand EFS (or they wouldn't have just 'moved' the EFS folders
somewhere else thinking they could unencrypt them later without following
the well documented best practices of backing up the private key or making a
DRA) and they had attempted to fix it themselves with research (they
mentioned methods I don't believe they knew beforehand - since if they knew
of the methods, they would be unlikely to have risked their data on the
off-chance those methods would work for them.)

All of this could easily been deduced from the original posting and I
perfectly well understand why the reaction was what it was for the most
part. Logical progression from the given information. All that could be
done otherwise is ask for more information - and many times that just gets
"Just answer the question" responses and "Why do you need to know all that"
responses and the likes.
 
M

MEB

Shenan said:
<snip>

MEB wrote:

Wow, I really needed that explanation. Sorry, at this point my
tolerance is low..
But - I will return to the subject at hand - as it should always end up
doing...


The truth is - given what the OP did - I fully believe they would have been
unsuccessful in their attempts - no matter what was suggested within minutes
of their original posting.

They didn't make backups (if they did, they did not mention any), they
didn't understand EFS (or they wouldn't have just 'moved' the EFS folders
somewhere else thinking they could unencrypt them later without following
the well documented best practices of backing up the private key or making a
DRA) and they had attempted to fix it themselves with research (they
mentioned methods I don't believe they knew beforehand - since if they knew
of the methods, they would be unlikely to have risked their data on the
off-chance those methods would work for them.)

All of this could easily been deduced from the original posting and I
perfectly well understand why the reaction was what it was for the most
part. Logical progression from the given information. All that could be
done otherwise is ask for more information - and many times that just gets
"Just answer the question" responses and "Why do you need to know all that"
responses and the likes.

Deduced by whom,, my immediate reaction WAS to proceed with the
recovery tools and methods in the discussion to dispel the incredible
lack of anything relevant to the issue and other similar situations.
You just change yours to another excuse, you "fully believe"... that's
fine. That still doesn't address the potential recovery and THAT was the
most important element. Unless one tries, then everything else is just
fluff, excuses, and failure, because you DON'T KNOW for sure, do you.
GUESSING, isn't productive when someones potentially irreplaceable
files are at stake. So NO your answer does not suit the issue nor the
matter as posted. Its just another excuse. The LOGICAL progression is to
stop usage IMMEDIATELY, and then make an effort to see what options
might be available.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
 
A

Andy Medina

Energy is still being wasted on this?
Just 'killfile' the thread.

A PC had Vista installed and one folder was encrypted by OS. This folder
had some thousand or so files....

that can no longer be decrypted.

*plonk*
 
R

Richard Urban

Here is another case where the authorities can not break into an encrypted
device without the keys.

For all of those of you who say it can be done - hogwash!
 
F

FromTheRafters

Richard Urban said:
Here is another case where the authorities can not break into an
encrypted device without the keys.

For all of those of you who say it can be done - hogwash!

The strength of encryption is quantified by "how long" it can be
expected to remain secure, not that it cannot be broken.
 
A

alan_willpa

SELLER INFORMAION(western union information)
FIRST NAME: DONGLIANG
LAST NAME: LI
ADDRESS: #135 Tianhe Road, Guangzhou, China
ZIP CODE: 510000
 
A

alan_willpa

SELLER INFORMAION(western union information)
FIRST NAME: DONGLIANG
LAST NAME: LI
ADDRESS: #135 Tianhe Road, Guangzhou, China
ZIP CODE: 510000
 
A

alan_willpa

SELLER INFORMAION(western union information)
FIRST NAME: DONGLIANG
LAST NAME: LI
ADDRESS: #135 Tianhe Road, Guangzhou, China
ZIP CODE: 510000
 
Joined
Jun 23, 2015
Messages
1
Reaction score
0
Dear all, after being extremely worried, I found the solution!

I also formatted the hard disk and never saved EFS certificates.

Nevertheless, after days of searching for a solution, I found a program Ecomsoft Advanced EFS data recovery which searched all the EFS keys on the hardwares and found about 1500 and with those decrypted the files I needed.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top