Velocity Reviews


*Vanguard* 05-08-2004 01:25 AM

How to decrypt EFS-protected restored files?
 
I had a directory configured to use EFS (so anything put under it got
encrypted). I exported my EFS certificate to a floppy. My system crashed and
a disk image wouldn't work (because of changes in the hardware). However, I
could still use the ImageExplorer that comes with DriveImage to peruse the
contents of the image files to extract files out of them. So I've tried the
following:

- Extracted the files from disk image. Cannot view them because of the EFS
protection. Imported the EFS certificate used when the files got encrypted.
It was imported under the Personal store for certificates. Could not open
the files.

- Deleted the EFS certificate and re-imported it but this time left the
option selected to have Windows XP automatically determine under which
certificate store to place the certificate. It imported it to the Trusted
People certificate store. Still couldn't access the encrypted files.

- Figuring that EFS had not yet been implemented on my new install and that
maybe the imported EFS certificate would not get exercised until EFS was
used, I right-clicked on a folder and had it encrypted. Then I copied the
files to under this directory figuring that the certificate might also have
to be imported before moving the files into an EFS-protected directory.
Still cannot access the file contents.

I've read several KB articles and the included help but it really never
describes the steps in restoring EFS-protected files, the order of importing
the EFS certificate (before or after the files have been restored to the new
instance of Windows), or if importing the EFS certificate after restoring
the files (or before) would allow access to them (or if I also need to
actually implement EFS to have it utilize the imported certificate). I see
mention of how to use EFS, export certificates, manage them, import them, and
some vague inferences in using them against encrypted files but no real
instructions. After a few hours, I've exhausted what I could come up with for a
procedure to decrypt these files. Any ideas?

--
__________________________________________________ __________
*** Post replies to newsgroup. Share with others.
*** Email: domain = ".com" and append "=NEWS=" to Subject.
__________________________________________________ __________


karen 05-09-2004 01:42 AM

Re: How to decrypt EFS-protected restored files?
 

"*Vanguard*" <no-email@reply-to-newsgroup.invalid> wrote in message
news:efGdnYYzL5GFqgHdRVn-jg@comcast.com...
> I had a directory configured to use EFS (so anything put under it got
> encrypted). I exported my EFS certificate to a floppy. My system crashed and
> a disk image wouldn't work (because of changes in the hardware). However, I
> could still use the ImageExplorer that comes with DriveImage to peruse the
> contents of the image files to extract files out of them. So I've tried the
> following:
>
> - Extracted the files from disk image. Cannot view them because of the EFS
> protection. Imported the EFS certificate used when the files got encrypted.
> It was imported under the Personal store for certificates. Could not open
> the files.
>
> - Deleted the EFS certificate and re-imported it but this time left the
> option selected to have Windows XP automatically determine under which
> certificate store to place the certificate. It imported it to the Trusted
> People certificate store. Still couldn't access the encrypted files.
>
> - Figuring that EFS had not yet been implemented on my new install and that
> maybe the imported EFS certificate would not get exercised until EFS was
> used, I right-clicked on a folder and had it encrypted. Then I copied the
> files to under this directory figuring that the certificate might also have
> to be imported before moving the files into an EFS-protected directory.
> Still cannot access the file contents.
>
> I've read several KB articles and the included help but it really never
> describes the steps in restoring EFS-protected files, the order of importing
> the EFS certificate (before or after the files have been restored to the new
> instance of Windows), or if importing the EFS certificate after restoring
> the files (or before) would allow access to them (or if I also need to
> actually implement EFS to have it utilize the imported certificate). I see
> mention of how to use EFS, export certificates, manage them, import them, and
> some vague inferences in using them against encrypted files but no real
> instructions. After a few hours, I've exhausted what I could come up with for a
> procedure to decrypt these files. Any ideas?


One thing you can try is to import your certificate to another computer
running XP Pro and copy your encrypted files to that computer and you should
be able to view them. It doesn't fix your problem but at least you should be
able to recover your files.



*Vanguard* 05-10-2004 10:11 PM

Re: How to decrypt EFS-protected restored files?
 
karen said in news:c0gnc.33036$6L3.16945@fed1read05:
>
> One thing you can try is to import your certificate to another
> computer running XP Pro and copy your encrypted files to that
> computer and you should be able to view them. It doesn't fix your
> problem but at least you should be able to recover your files.


That's basically what happened. My current instance of Windows became
unusable due to a hardware change and some corruption. It was about time
for a cleanup so I did a fresh install (so that is the other computer to
which you refer). I then imported the EFS certificate that had been
previously exported onto a floppy from the original instance of Windows.
Then I recovered the files.

I can get the data files. That is not a problem. I save disk images using
DriveImage 2002 and it has its ImageExplorer to let you yank out individual
files. So in a fresh install of Windows XP Pro, I imported the old EFS
certificate from the floppy and recovered the files from the drive image
fileset. Yet I cannot get into the files. Any attempt to read one of the
EFS-protected files results in "access denied" (and I checked the
permissions which are okay).

When I recovered the encrypted files using ImageExplorer to yank them from
the disk image backup, I simply put them into a directory. Got the access
denied error. Figuring that maybe the EFS certificate would not get applied
unless the files were actually under an EFS-enabled folder (since I didn't
want to individually set EFS on all the files), I configured their holding
directory to enable EFS (so the EFS certificates would get applied).

Summary. Was running Windows XP Pro SP-1. Was using EFS. Exported the EFS
certificates to floppy (for both the user account that was using EFS and
Administrator which had been designated a recovery agent). Had disk images
for backups. Can use ImageExplorer to extract individual files from the
disk images. Did a fresh install of Windows XP. Imported the EFS
certificates. Pulled the old data files out of the disk image backup.
Cannot access their contents (i.e., cannot read them).



karen 05-11-2004 12:44 PM

Re: How to decrypt EFS-protected restored files?
 
It could be in the sequence you used. Importing your certificate before you
had encrypted any files on your new installation.

The individual file names of your encrypted files are still readable? I
would try creating a new administrator account, encrypt a file which of
course would create a new certificate then import your backed up
certificate. Next copy one encrypted text file to your desktop for example
and see if you are still denied access.



*Vanguard* 05-11-2004 05:32 PM

Re: How to decrypt EFS-protected restored files?
 
karen said in news:zU3oc.36654$6L3.30541@fed1read05:
> It could be in the sequence you used. Importing your certificate
> before you had encrypted any files on your new installation.
>
> The individual file names of your encrypted files are still readable?
> I would try creating a new administrator account, encrypt a file
> which of course would create a new certificate then import your
> backed up certificate. Next copy one encrypted text file to your
> desktop for example and see if you are still denied access.


Thanks for the hint. At this point, I cannot remember if I had already
created an EFS certificate (a new one) on my new Windows XP install before
yanking the encrypted files from the disk image fileset. The individual
filenames were always readable. When I realized that I had not yet used EFS
in the new install (so there were no EFS certificates yet created), I
deleted the imported certificates, I created an EFS-protected folder which
gave me the new EFS certificate, I re-imported the old certificates, and
then tried to yank the files while putting them under the EFS-protected
folder. Didn't work.

At this point, I've run out of time to expend on this and need to get back
to real work. Nothing was stored in the EFS-protected folder that couldn't
be rebuilt or retrieved from other media. I had my user-created files under
the folder on backup tape and which had been saved before EFS had been
applied to the folder (so the data files on tape were not encrypted). The
other-sourced data files were on other CDs (not encrypted). So I think I've
got back all my data files but now I'm a bit gun shy on employing EFS on the
data folder. Would have been much easier, faster, and reassuring if the
cert import and file retrieve had worked right. I'm wondering at this point
if maybe yanking individual files out of a disk image won't work for EFS
protected files. I recall the same scenario a couple years back under
Windows 2000 which did work when I retrieved the encrypted files from a tape
backup (which is a logical backup that actually reads the files rather than
a physical backup using a disk image that records the data in sectors). For
as slow as is ImageExplorer at yanking out 20,000+ files under a directory
when rebuilding logical files from the physical sector data, I'll use tape
from now on and keep the disk images only for disaster recovery to rebuild
the entire partition (if it still works since significant hardware changes
seem to render them unusable). Extracting thousands of files using
ImageExplorer took hours to run. A tape restore would be faster. I've done
the EFS file recovery before (but under Windows 2000 instead of Windows XP)
and it worked, so the only significant difference this time was yanking
files from a disk image rather than pulling them off tape.



neelakantanr 12-22-2007 08:39 PM

ACCESS DENIED in NTFS files;
 
hi,
i have a laptop winxp-pro sp2 with a fat32 partition (system root) and another partition for secured data; essentially some xl files, jpg files, some ppt and proposal files.

the secured file system was working well with no problem till a week back when i thought of using IE7 (i am not sure ie7 is the culprit); i loaded ie7 restarted the machine; the fat partition is visible and accessible; NTFS partition, files are visibly listed but on opening, "Access Denied" pops up;

i am the single user (so obviously with administrator rights) of the laptop (no password used for login).

i checked and found the certificate thumbprint of the inaccessible files lists my name (neelakantan@laptop) as the owner with all permissions; but i am denied the access; i tried to login as administrator (through safeboot) and also tried to provide full access to every user; still "access denied" pops up.

i created a new file and checked its certificate hash; it is different from the one listed for inaccessible files; i ran a file recovery to recover the old certificates and keys and obtained the old private key and master key;

using them with ELCOMsoft's EFS data recovery theoretically redecrypts files (it lists all 245 files are decryptable); but when i open the decrypted file, they have garbage at regular intervals; i checked with a hex editor and found that 16 bytes at every 512 bytes is not decrypted or garbaged; this results in ppt and xl files not opening and the doc files coming with garbage.

how to get access to the old files and remove the new keys and restore the old ones?

neelakantan
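
The pattern reported in the post above (16 damaged bytes in every 512) can be confirmed without a hex editor when an unencrypted copy of at least one affected file still exists. This is an added example, not part of the thread; the function names, the sample data and the in-sector offset 496 are constructed assumptions.

```python
from collections import Counter

SECTOR = 512   # period reported in the post
BLOCK = 16     # damaged run length reported in the post

def damage_profile(recovered: bytes, reference: bytes, sector=SECTOR, block=BLOCK):
    """Compare a recovered file with a known-good copy, block by block.

    Whole blocks are compared rather than single bytes, because a damaged
    byte can equal the original by chance and would split a byte-wise run.
    """
    n = min(len(recovered), len(reference))
    a, b = recovered[:n], reference[:n]      # ignore any length difference
    offsets = Counter()                      # in-sector offset -> damaged blocks
    damaged_sectors = set()
    for pos in range(0, n, block):
        if a[pos:pos + block] != b[pos:pos + block]:
            offsets[pos % sector] += 1
            damaged_sectors.add(pos // sector)
    return {
        "compared_bytes": n,
        "length_mismatch": len(recovered) != len(reference),
        "total_sectors": (n + sector - 1) // sector,
        "damaged_sectors": len(damaged_sectors),
        "offsets": dict(offsets),
    }

def fixed_offset(profile):
    """Return the single in-sector offset all damage shares, else None."""
    offs = profile["offsets"]
    return next(iter(offs)) if len(offs) == 1 else None

def make_sample(sectors=4, at=496):
    """Constructed test data: one damaged 16-byte block per 512-byte sector."""
    reference = bytes(i % 251 for i in range(sectors * SECTOR))
    damaged = bytearray(reference)
    for s in range(sectors):
        start = s * SECTOR + at
        for i in range(start, start + BLOCK, 2):   # alter every other byte only
            damaged[i] ^= 0xA5
    return bytes(damaged), reference

if __name__ == "__main__":
    rec, ref = make_sample()
    profile = damage_profile(rec, ref)
    print(profile, "fixed offset:", fixed_offset(profile))
```

A single shared offset with one damaged block per sector matches the description in the post; several offsets or scattered blocks point to a different kind of damage.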

