What is the path to recover Encryption keys from Formatted HD


Guest

I have a customer's PC that has a folder that is encrypted and gives "Access
denied" because of the XP (Pro SP2) Encryption (it is not an ownership
issue). The HD that contained the windows installation has been reformatted,
and the user had not backed up the certificates/keys, or put a RA in place. I
have used a data recovery tool to recover the Documents & Settings folder
from the reformatted drive and there are a number of certificates & keys that
successfully import, but sadly the folder will still not decrypt.
Q1 - Is Documents & Settings the only path I need to restore from the
Formatted drive, or is there somewhere (something) else I need as well.
Q2 - How can I find out what Key was used to encrypt the folder & ensure I
have it imported.

Many thanks for your advice.
 

Malke

JonathanBVI said:
I have a customer's PC that has a folder that is encrypted and gives "Access
denied" because of the XP (Pro SP2) Encryption (it is not an ownership
issue). The HD that contained the windows installation has been reformatted,
and the user had not backed up the certificates/keys, or put a RA in place. I
have used a data recovery tool to recover the Documents & Settings folder
from the reformatted drive and there are a number of certificates & keys that
successfully import, but sadly the folder will still not decrypt.
Q1 - Is Documents & Settings the only path I need to restore from the
Formatted drive, or is there somewhere (something) else I need as well.
Q2 - How can I find out what Key was used to encrypt the folder & ensure I
have it imported.

Many thanks for your advice.

You can't. If your customer neglected to back up his keys and/or set a
recovery agent, then the data is inaccessible forever. You might get
some help from the Elcomsoft program, but from your description of the
situation (drive formatted), I doubt it.

http://tinyurl.com/6l6xx - MS information about EFS (Encryption)
http://www.elcomsoft.com/aefsdr.html - Encrypted files retrieval application


Malke
 

Harry Johnston

JonathanBVI said:
[...] used a data recovery tool to recover the Documents & Settings folder
from the reformatted drive and there are a number of certificates & keys that
successfully import, but sadly the folder will still not decrypt.

I don't know whether it is possible to recover encrypted data by importing keys
from a recovered Documents and Settings folder. If it is, however, it will also
be necessary to ensure that the user account password is the same as the one
that was originally set. The key used to decrypt encrypted data is itself
encrypted with the user account password.

Harry.
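An added example, not part of any post in this thread: on XP the EFS private key is a file under `Application Data\Microsoft\Crypto\RSA\<SID>` in the user's profile, it is wrapped by a DPAPI master key under `Application Data\Microsoft\Protect\<SID>` (which is what ties it to the account password), and the certificate sits under `Application Data\Microsoft\SystemCertificates\My\Certificates`. The script below checks a recovered profile folder for all three; the function name, report layout and sample SID are constructed for illustration.

```python
import re
from pathlib import Path

APPDATA = Path("Application Data") / "Microsoft"   # XP layout inside the user's profile
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)  # master key file names
THUMB = re.compile(r"^[0-9A-F]{40}$", re.I)        # certificate files are named by SHA-1 thumbprint

def _files(d):
    return sorted(p.name for p in d.iterdir() if p.is_file()) if d.is_dir() else []

def _sid_dirs(d):
    if not d.is_dir():
        return {}
    return {p.name: p for p in d.iterdir() if p.is_dir() and p.name.startswith("S-1-5-")}

def audit_profile(profile):
    """Report which EFS key material is present under a recovered profile folder."""
    base = Path(profile) / APPDATA
    rsa = _sid_dirs(base / "Crypto" / "RSA")       # DPAPI-protected private key containers
    protect = _sid_dirs(base / "Protect")          # DPAPI master keys (password-derived)
    certs = [n for n in _files(base / "SystemCertificates" / "My" / "Certificates")
             if THUMB.match(n)]
    report = {"certificates": certs, "sids": {}, "problems": []}
    if not certs:
        report["problems"].append("no certificates in the personal store")
    if not rsa and not protect:
        report["problems"].append("no Crypto\\RSA or Protect data recovered")
    for sid in sorted(set(rsa) | set(protect)):
        keys = _files(rsa[sid]) if sid in rsa else []
        masters = [n for n in _files(protect[sid]) if GUID.match(n)] if sid in protect else []
        report["sids"][sid] = {"private_keys": keys, "master_keys": masters}
        if keys and not masters:   # private key cannot be unwrapped without its master key
            report["problems"].append(f"{sid}: private keys but no DPAPI master key")
        if masters and not keys:
            report["problems"].append(f"{sid}: master keys but no private key containers")
    return report

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:     # constructed sample tree, not real data
        sid = "S-1-5-21-1111111111-2222222222-3333333333-1003"
        for rel in (f"Crypto/RSA/{sid}/keycontainer_constructed",
                    "SystemCertificates/My/Certificates/" + "AB" * 20):
            f = Path(tmp) / APPDATA / rel
            f.parent.mkdir(parents=True)
            f.write_bytes(b"")
        print(audit_profile(tmp)["problems"])      # master key folder is missing here
```

A clean report only means the files are present; a recovery tool can return them with damaged contents, so an import can still fail.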
 

Vanguard

JonathanBVI said:
I have a customer's PC that has a folder that is encrypted and gives "Access
denied" because of the XP (Pro SP2) Encryption (it is not an ownership
issue). The HD that contained the windows installation has been reformatted,
and the user had not backed up the certificates/keys, or put a RA in place. I
have used a data recovery tool to recover the Documents & Settings folder
from the reformatted drive and there are a number of certificates & keys that
successfully import, but sadly the folder will still not decrypt.
Q1 - Is Documents & Settings the only path I need to restore from the
Formatted drive, or is there somewhere (something) else I need as well.
Q2 - How can I find out what Key was used to encrypt the folder & ensure I
have it imported.

Many thanks for your advice.


There is no backdoor to EFS other than a massive bank of number
crunching hosts to decode encrypted files, and you don't have access to
that. Your customer lost their files by not knowing how to use EFS,
like exporting the EFS certificate or designating a recovery agent. You
can't fix a tool improperly used by your customer.

You mention "restore". So did the customer do backups?
 

Guest

When I talk about Restore, I am talking about the files I recovered from the
formatted hard drive using "EASEUS Data Recovery Wizard Professional 3.3.4"
(a great tool). My fault for using the wrong word.

My original questions were not looking to find a back door. Just to clarify
where within the directory structure the keys are stored, so that I can
ensure I have got everything.

I am probably being very naive, but my understanding is that if I can
recover the keys from the formatted HD (hence where are they kept), apply the
original password used (I know that) and I should be able to decrypt the
folder. But after a lot of searching & asking I still have no idea where the
keys are kept, within a windows XP path structure.
Maybe the answer is "there are no files held on the disk", because they are
all held as data within the registry.
 

Poprivet

JonathanBVI said:
When I talk about Restore, I am talking about the files I recovered
from the formatted hard drive using "EASEUS Data Recovery Wizard
Professional 3.3.4" (a great tool). My fault for using the wrong word.

My original questions were not looking to find a back door. Just to
clarify where within the directory structure the keys are stored, so
that I can ensure I have got everything.

I am probably being very naive, but my understanding is that if I can
recover the keys from the formatted HD (hence where are they kept),
apply the original password used (I know that) and I should be able
to decrypt the folder. But after a lot of searching & asking I still
have no idea where the keys are kept, within a windows XP path
structure.
Maybe the answer is "there are no files held on the disk", because
they are all held as data within the registry.

Not to be a nay-sayer, but I've had personal experience a couple years ago;
I didn't create the disk so I could move the files or reinstall, etc.
I hope you succeed but my research at that time and readings since
indicated they couldn't be recovered. Even with the same user info and
setups on the other computer, the internal keys are all different (almost
random when created, I think) and are very hard to break. Not that I
understand it all or even remember it very well. It's apparently a pretty
good protection method <g>.

Have you checked with the user just in case they did make the key disk?

Pop
 

Guest

Thanks for the reply.

The customer had no idea what they were doing "It looked like a good option
to tick"!!! so no way would a key backup have been taken.

I tend to agree that the data should be regarded as lost. I needed to ask
the question, so that I could feel comfortable with saying all is lost.

Regards

Jonathan
 

Vanguard

JonathanBVI said:
When I talk about Restore, I am talking about the files I recovered from the
formatted hard drive using "EASEUS Data Recovery Wizard Professional 3.3.4"
(a great tool). My fault for using the wrong word.

My original questions were not looking to find a back door. Just to clarify
where within the directory structure the keys are stored, so that I can
ensure I have got everything.

I am probably being very naive, but my understanding is that if I can
recover the keys from the formatted HD (hence where are they kept), apply the
original password used (I know that) and I should be able to decrypt the
folder. But after a lot of searching & asking I still have no idea where the
keys are kept, within a windows XP path structure.
Maybe the answer is "there are no files held on the disk", because they are
all held as data within the registry.

Ask your customer how much they are willing to recover the data. Then
look at http://www.elcomsoft.com/aefsdr.html. I believe the trial
version only tells you if you could recover the files but doesn't
actually recover them until you buy their product but you'll have to
check for yourself. I've heard of this one but never used it.
 
