Thread ID: 78564 | 2007-04-20 08:29:00 | Encrypting File System woes | started by agent (30) | Press F1 forum
542663 2007-04-20 08:29:00 Here's the situation:

I've got a client who I did some computer work for; he wanted to encrypt his documents for safety in an easy, straightforward way and didn't want any complicated matters of having to decrypt files every time he wanted to open them - so out of the solutions I offered, he chose to use Encrypting File System for its ease of use.

This was some time ago, and his laptop recently suffered a hard-drive failure (despite being less than 18 months old!).

Due to a combination of various unfortunate circumstances, he has been left with a bunch of sensitive, very important documents that are encrypted with EFS, and he does not have the original hard drive nor private certificate.

These files could perhaps be used in tools like EFS Key (www.lostpassword.com) or Advanced EFS Data Recovery (www.elcomsoft.com), but there is a problem: the files are not marked as encrypted. This means neither the file system nor these programs will recognise the files as encrypted, so the programs refuse to let me even attempt to work their magic on the files.

Apparently a professional computer technician ran these files for eight hours through a brute force program but no luck...

As far as I can see then, only two options may remain. The first option is to somehow get the file system to recognise that the files are encrypted. I imagine this would involve changing hex values and other aspects of the files themselves or the file system table, all of which is somewhat beyond my capabilities.

The other option is to get out the big guns, sign a huge cheque, and request assistance from professional data recovery experts. But the cost here may exceed the benefit of getting the contents of the files back. I did see a data recovery program on the internet for US$500 that claimed it could recover EFS-encrypted files (and practically every other file you might want to recover), but that's pretty much out of the question too. Besides which, I don't think any program or company could provide a guarantee that they could decrypt the files.

So... does anyone think the file system could be made to recognise that the files are encrypted, through changing values in the file system tables or some such place? If so, how might one go about doing this?

And are there any other ideas floating out there?
agent (30)
542664 2007-04-20 12:59:00 Where are these encrypted files stored? On another hard drive? CD? I don't know much about how Windows manages copying encrypted files and such, but it looks like you can break the encryption of EFS if you still have the combination of the username and password used to encrypt them and if you can still find the encrypted private key in the SAM database. Can you get the contents of the folder "C:\Documents and Settings\USER\Application Data\Microsoft\Crypto\RSA\User SID" for the user these files were created with? If these have been replaced or lost then the encrypted copy of the file cannot be decrypted.

The other option is to use standard undeletion tools and look for Efs0.tmp but this may not be an option in your case if you can't get the old drive. Apparently EFS uses files of this name as temporary files which contain a full copy of the original document and then deletes them normally without any overwriting! If the space used for this file hasn't been overwritten then you can get the unencrypted file back.

This is a prime example of how pathetic Microsoft's attempts at creating secure systems really are. All I can say is I hope you don't use Microsoft's VPN system (PPTP) because that's even worse.
TGoddard (7263)
542665 2007-04-21 11:32:00 I forgot to mention I did check the certificates on the computer and there was no certificate used for EFS.

The original hard drive (which effectively crashed) was copied bit for bit onto a new one, except the computer wouldn't boot (I'm guessing that means it was a lot of bad sectors), so this other technician reinstalled Windows.

So the encrypting certificate is gone, and the original hard drive was destroyed by Toshiba at the request of my client (obviously the combination of three people and various levels of technical knowledge have contributed to the scenario).

I'm not sure how the encrypted files ended up not being marked as encrypted, as I wasn't the person who rescued them. For some reason they didn't get decrypted upon being copied, so either they were copied to an NTFS file system or the certificate had already gone missing or been corrupted.

But the files reside on the new hard drive in the new laptop, and I have a copy of them - but they cannot be opened on the laptop let alone anywhere else.

I'm aware that the private certificate is linked to the username and password, but I read some documentation that led me to believe that even if you had the same username and password, on the same computer (SID etc. need to be the same, as does the user account number), the certificate created would not be exactly the same.
agent (30)
542666 2007-04-21 13:20:00 How much are these files worth? There seems to have been a lot of effort expended by you and, I presume, your client and all the techs, so those files must be important, but then you don't want to pay for them to be recovered. So effectively you should either let it go or pay someone and get it over with. Just one man's opinion :D
beeswax34 (63)
542667 2007-04-22 07:00:00 The system stored an individual key for each person who creates EFS encrypted files. I would strongly recommend that you not mount this drive in read/write mode (i.e. boot into Windows) as you may destroy any traces which a data recovery expert could use. If you are unable to recover the private key for the user (which will be encrypted using a combination of their username and password) then the files can only be recovered using the undeletion method I mentioned earlier. The other option is that there may be other copies as temporary files for the document editor itself or there may be parts of the documents unencrypted in the page file. If you access the drive read/write then you may destroy these traces. If you want to access the drive you may like to use a live CD such as www.e-fense.com to do so without contaminating it.
TGoddard (7263)
542668 2007-04-22 09:32:00 Yet another reason to use TrueCrypt and a proper backup!
Hope you can get to them... sounds like a headache to nowhere.
zcc (50)
542669 2007-04-22 13:03:00 Again, I vote TrueCrypt for next time.. Have no other words of wisdom though, sorry :(
Chilling_Silence (9)
542670 2007-04-22 23:51:00 My client technically needs the files to do his job. He can make do without them, but cannot refer to them if he needs to in the future, which makes his job more difficult. A lot of money was invested in simply getting his laptop working again; if push comes to shove they probably would pay for commercial recovery attempts.

Anyway, no one thought to preserve the integrity of the hard drives, both the original failed one and the copied version of it, so recovery of the private key (and any unencrypted copies of documents and such) is impossible, as they would have been overwritten by now.

As I said, a combination of the various people involved led to the situation that the original hard drive was destroyed, the copied hard drive was not preserved (presumably because someone trusted that the encrypted documents were safely backed up), and the backup system failed. I can only guess that this was because my client used Windows XP's built-in system of writing to CDs, and every week thought they were writing the backup file to CD when in fact they were merely placing it in XP's queue to be written.

I've taken a very brief look at TrueCrypt, and it looks reasonable if not more complicated to set up than EFS. The lesson to be learnt from this whole affair is that if you do want to use EFS (I've got nothing against it, I think it's probably a good enough encryption system for general use), you should ensure that you set up a data recovery agent (if possible), and always make a backup of the encryption certificate and the encrypted documents. If you suffer hardware failure, there's no point only having the encrypted documents when you can't decrypt them without the certificate.

That, and it would probably pay to check your backups regularly to make sure they are usable - especially if you will need the data in them.

I do believe the only possible way to go from here is an attempt to brute force the files. However, I think it will pay to also see if the encryption certificate is solely based on the username and password. As I said earlier though, even if this generates the exact same certificate (I somehow doubt it would, as the machine name and user account numbers have likely changed), this may be hampered by the fact that the operating system does not recognise the files as being encrypted.
agent (30)
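As an added example (not posted by anyone in the thread), a PowerShell script that does what the last post recommends for next time: it lists which files the OS actually treats as EFS-encrypted, checks that the current user still holds an EFS certificate with its private key, shows which recovery agents can decrypt each file, and backs the certificate up with cipher.exe, then verifies the backup is usable. It assumes Windows 7 or later with PowerShell 3, run as the user who encrypted the files; $Root and $BackupBase are hypothetical paths.

```powershell
# Added example, not from the thread: audit EFS usage and back up the EFS certificate + private key.
# Assumptions: Windows 7+ / PowerShell 3+, run as the owning user; paths below are hypothetical.
param(
    [string]$Root       = "$env:USERPROFILE\Documents",
    [string]$BackupBase = "$env:USERPROFILE\efs-key-backup"   # cipher.exe appends .pfx; copy it OFF this machine
)

# 1. The OS treats a file as EFS-encrypted only if it carries the NTFS Encrypted attribute.
#    A raw copy that lost the attribute (the thread's situation) will not appear here.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
Write-Host ("{0} EFS-encrypted file(s) under {1}" -f @($encrypted).Count, $Root)

# 2. Find a certificate with the "Encrypting File System" enhanced key usage and a private key.
$efsOid   = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) }
if (@($encrypted).Count -gt 0 -and @($efsCerts).Count -eq 0) {
    Write-Warning "Encrypted files exist but no EFS certificate with a private key is in the user store."
}

# 3. Show who can decrypt each file: the owner's certificate and any data recovery agents (DRA).
#    A file with no DRA listed is lost together with the user's key, as happened in the thread.
foreach ($f in $encrypted) {
    & cipher.exe /c "$($f.FullName)"
}

# 4. Back up certificate and private key; cipher prompts for a password and writes <base>.pfx.
if (@($efsCerts).Count -gt 0) {
    & cipher.exe /x "$BackupBase"
    $pfx = "$BackupBase.pfx"

    # 5. Verify the backup is usable, not merely present (the thread's CD backups were never written).
    if (Test-Path $pfx) {
        $restored = Get-PfxCertificate -FilePath $pfx          # prompts for the same password
        if ($restored.Thumbprint -in $efsCerts.Thumbprint) {
            Write-Host "Backup verified: $pfx contains certificate $($restored.Thumbprint)"
        } else {
            Write-Warning "Backup $pfx does not contain the active EFS certificate"
        }
    } else {
        Write-Warning "cipher.exe did not produce $pfx"
    }
}
```

Run it on a schedule and keep the .pfx (and its password) somewhere other than the laptop, since a backup that lives on the failing disk protects nothing.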