How to decrypt EFS-protected restored files?

Discussion in 'Computer Security' started by *Vanguard*, May 8, 2004.

  1. *Vanguard*

    *Vanguard* Guest

    I had a directory configured to use EFS (so anything put under it got
    encrypted). I exported my EFS certificate to a floppy. My system crashed and
    a disk image wouldn't work (because of changes in the hardware). However, I
    could still use the ImageExplorer that comes with DriveImage to peruse the
    contents of the image files to extract files out of them. So I've tried the
    following:

    - Extracted the files from disk image. Cannot view them because of the EFS
    protection. Imported the EFS certificate used when the files got encrypted.
    It was imported under the Personal store for certificates. Could not open
    the files.

    - Deleted the EFS certificate and re-imported it but this time left the
    option selected to have Windows XP automatically determine under which
    certificate store to place the certificate. It imported it to the Trusted
    People certificate store. Still couldn't access the encrypted files.

    - Figuring that EFS had not yet been implemented on my new install and that
    maybe the imported EFS certificate would not get exercised until EFS was
    used, I right-clicked on a folder and had it encrypted. Then I copied the
    files to under this directory figuring that the certificate might also have
    to be imported before moving the files into an EFS-protected directory.
    Still cannot access the file contents.

    I've read several KB articles and the included help but it really never
    describes the steps in restoring EFS-protected files, the order of importing
    the EFS certificate (before or after the files have been restored to the new
    instance of Windows), or if importing the EFS certificate after restoring
    the files (or before) would allow access to them (or if I also need to
    actually implement EFS to have it utilize the imported certificate). I see
    mention of how to use EFS, export certificates, manage them, import them, and
    some vague inferences in using them against encrypted files but no real
    instructions. After a few hours, I've exhausted what I could come up with for a
    procedure to decrypt these files. Any ideas?

    --
    ____________________________________________________________
    *** Post replies to newsgroup. Share with others.
    *** Email: domain = ".com" and append "=NEWS=" to Subject.
    ____________________________________________________________

    *Vanguard*, May 8, 2004
    #1

  2. *Vanguard*

    karen Guest

    "*Vanguard*" <> wrote in message
    news:...
    > I had a directory configured to use EFS (so anything put under it got
    > encrypted). I exported my EFS certificate to a floppy. My system crashed and
    > a disk image wouldn't work (because of changes in the hardware). However, I
    > could still use the ImageExplorer that comes with DriveImage to peruse the
    > contents of the image files to extract files out of them. So I've tried the
    > following:
    >
    > - Extracted the files from disk image. Cannot view them because of the EFS
    > protection. Imported the EFS certificate used when the files got encrypted.
    > It was imported under the Personal store for certificates. Could not open
    > the files.
    >
    > - Deleted the EFS certificate and re-imported it but this time left the
    > option selected to have Windows XP automatically determine under which
    > certificate store to place the certificate. It imported it to the Trusted
    > People certificate store. Still couldn't access the encrypted files.
    >
    > - Figuring that EFS had not yet been implemented on my new install and that
    > maybe the imported EFS certificate would not get exercised until EFS was
    > used, I right-clicked on a folder and had it encrypted. Then I copied the
    > files to under this directory figuring that the certificate might also have
    > to be imported before moving the files into an EFS-protected directory.
    > Still cannot access the file contents.
    >
    > I've read several KB articles and the included help but it really never
    > describes the steps in restoring EFS-protected files, the order of importing
    > the EFS certificate (before or after the files have been restored to the new
    > instance of Windows), or if importing the EFS certificate after restoring
    > the files (or before) would allow access to them (or if I also need to
    > actually implement EFS to have it utilize the imported certificate). I see
    > mention of how to use EFS, export certificates, manage them, import them, and
    > some vague inferences in using them against encrypted files but no real
    > instructions. After a few hours, I've exhausted what I could come up with for a
    > procedure to decrypt these files. Any ideas?


    One thing you can try is to import your certificate to another computer
    running XP Pro and copy your encrypted files to that computer and you should
    be able to view them. It doesn't fix your problem but at least you should be
    able to recover your files.
    karen, May 9, 2004
    #2

  3. *Vanguard*

    *Vanguard* Guest

    karen said in news:c0gnc.33036$6L3.16945@fed1read05:
    >
    > One thing you can try is to import your certificate to another
    > computer running XP Pro and copy your encrypted files to that
    > computer and you should be able to view them. It doesn't fix your
    > problem but at least you should be able to recover your files.


    That's basically what happened. My current instance of Windows became
    unusable due to a hardware change and some corruption. It was about time
    for a cleanup so I did a fresh install (so that is the other computer to
    which you refer). I then imported the EFS certificate that had been
    previously exported onto a floppy from the original instance of Windows.
    Then I recovered the files.

    I can get the data files. That is not a problem. I save disk images using
    DriveImage 2002 and it has its ImageExplorer to let you yank out individual
    files. So in a fresh install of Windows XP Pro, I imported the old EFS
    certificate from the floppy and recovered the files from the drive image
    fileset. Yet I cannot get into the files. Any attempt to read one of the
    EFS-protected files results in "access denied" (and I checked the
    permissions which are okay).

    When I recovered the encrypted files using ImageExplorer to yank them from
    the disk image backup, I simply put them into a directory. Got the access
    denied error. Figuring that maybe the EFS certificate would not get applied
    unless the files were actually under an EFS-enabled folder (since I didn't
    want to individually set EFS on all the files), I configured their holding
    directory to enable EFS (so the EFS certificates would get applied).

    Summary. Was running Windows XP Pro SP-1. Was using EFS. Exported the EFS
    certificates to floppy (for both the user account that was using EFS and
    Administrator which had been designated a recovery agent). Had disk images
    for backups. Can use ImageExplorer to extract individual files from the
    disk images. Did a fresh install of Windows XP. Imported the EFS
    certificates. Pulled the old data files out of the disk image backup.
    Cannot access their contents (i.e., cannot read them).

    --
    ____________________________________________________________
    *** Post replies to newsgroup. Share with others.
    *** Email: domain = ".com" and append "=NEWS=" to Subject.
    ____________________________________________________________
    *Vanguard*, May 10, 2004
    #3
  4. *Vanguard*

    karen Guest

    It could be in the sequence you used. Importing your certificate before you
    had encrypted any files on your new installation.

    The individual file names of your encrypted files are still readable? I
    would try creating a new administrator account, encrypt a file which of
    course would create a new certificate then import your backed up
    certificate. Next copy one encrypted text file to your desktop for example
    and see if you are still denied access.
    karen, May 11, 2004
    #4
  5. *Vanguard*

    *Vanguard* Guest

    karen said in news:zU3oc.36654$6L3.30541@fed1read05:
    > It could be in the sequence you used. Importing your certificate
    > before you had encrypted any files on your new installation.
    >
    > The individual file names of your encrypted files are still readable?
    > I would try creating a new administrator account, encrypt a file
    > which of course would create a new certificate then import your
    > backed up certificate. Next copy one encrypted text file to your
    > desktop for example and see if you are still denied access.


    Thanks for the hint. At this point, I cannot remember if I had already
    created an EFS certificate (a new one) on my new Windows XP install before
    yanking the encrypted files from the disk image fileset. The individual
    filenames were always readable. When I realized that I had not yet used EFS
    in the new install (so there were no EFS certificates yet created), I
    deleted the imported certificates, I created an EFS-protected folder which
    gave me the new EFS certificate, I re-imported the old certificates, and
    then tried to yank the files while putting them under the EFS-protected
    folder. Didn't work.

    At this point, I've run out of time to expend on this and need to get back
    to real work. Nothing was stored in the EFS-protected folder that couldn't
    be rebuilt or retrieved from other media. I had my user-created files under
    the folder on backup tape and which had been saved before EFS had been
    applied to the folder (so the data files on tape were not encrypted). The
    other-sourced data files were on other CDs (not encrypted). So I think I've
    got back all my data files but now I'm a bit gun shy on employing EFS on the
    data folder. Would have been much easier, faster, and reassuring if the
    cert import and file retrieve had worked right. I'm wondering at this point
    if maybe yanking individual files out of a disk image won't work for EFS
    protected files. I recall the same scenario a couple years back under
    Windows 2000 which did work when I retrieved the encrypted files from a tape
    backup (which is a logical backup that actually reads the files rather than
    a physical backup using a disk image that records the data in sectors). For
    as slow as is ImageExplorer at yanking out 20,000+ files under a directory
    when rebuilding logical files from the physical sector data, I'll use tape
    from now on and keep the disk images only for disaster recovery to rebuild
    the entire partition (if it still works since significant hardware changes
    seem to render them unusable). Extracting thousands of files using
    ImageExplorer took hours to run. A tape restore would be faster. I've done
    the EFS file recovery before (but under Windows 2000 instead of Windows XP)
    and it worked, so the only significant difference this time was yanking
    files from a disk image rather than pulling them off tape.

    --
    ____________________________________________________________
    *** Post replies to newsgroup. Share with others.
    *** Email: domain = ".com" and append "=NEWS=" to Subject.
    ____________________________________________________________
    *Vanguard*, May 11, 2004
    #5
  6. *Vanguard*

    neelakantanr

    Joined:
    Jul 23, 2007
    Messages:
    1
    ACCESS DENIED in NTFS files;

    hi,
    i have a laptop winxp-pro sp2 with a fat32 partition (system root) and another partition for secured data; essentially some xl files, jpg files, some ppt and proposal files.

    the secured file system was working well with no problem till a week back when i thought of using IE7 (i am not sure ie7 is the culprit); i loaded ie7 and restarted the machine; the fat partition is visible and accessible; on the NTFS partition, files are visibly listed but on opening, "Access Denied" pops up;

    i am the single user (so obviously with administrator rights) of the laptop (no password used for login).

    i checked and found the certificate thumbprint of the inaccessible files lists my name (neelakantan@laptop) as the owner with all permissions; but i am denied the access; i tried to login as administrator (through safeboot) and also tried to provide full access to every user; still "access denied" pops up.

    i created a new file and checked its certificate hash; it is different from the one listed for inaccessible files; i ran a file recovery to recover the old certificates and keys and obtained the old private key and master key;

    using them with ELCOMsoft's EFS data recovery theoretically redecrypts files (it lists all 245 files as decryptable); but when i open the decrypted files, they have garbage at regular intervals; i checked with a hex editor and found that 16 bytes at every 512 bytes are not decrypted or garbaged; this results in ppt and xl files not opening and the doc files coming with garbage.

    how to get access to the old files and remove the new keys and restore the old ones?

    neelakantan
    neelakantanr, Dec 22, 2007
    #6
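
The symptom reported in post #6 (16 garbled bytes in every 512) is the pattern CBC decryption produces when the key is right but the IV used for each chunk is wrong: only the first cipher block of each chunk is damaged. The following is an added example, not code from the thread or from any tool named in it; it assumes independently encrypted 512-byte chunks, uses a toy SHA-256 Feistel cipher as a stand-in for the real cipher, and all keys, IV seeds and sample data are constructed.

```python
import hashlib

BLOCK, CHUNK = 16, 512  # cipher block size; size of each independently encrypted chunk

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (stand-in, not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def chunk_iv(iv_seed, index):
    # Assumed scheme: each chunk's IV is derived from a seed and the chunk number.
    return hashlib.sha256(iv_seed + index.to_bytes(8, "little")).digest()[:BLOCK]

def cbc(key, iv_seed, data, decrypt=False):
    # CBC restarted at every CHUNK boundary; len(data) must be a multiple of CHUNK.
    out = bytearray()
    for off in range(0, len(data), CHUNK):
        prev = chunk_iv(iv_seed, off // CHUNK)
        for b in range(off, off + CHUNK, BLOCK):
            blk = data[b:b + BLOCK]
            if decrypt:
                out += _xor(dec_block(key, blk), prev)
                prev = blk                      # next block chains on ciphertext
            else:
                prev = enc_block(key, _xor(blk, prev))
                out += prev
    return bytes(out)

def damaged_offsets(expected, recovered):
    # Offsets within a chunk (0..511) where any chunk differs from the original.
    return sorted({i % CHUNK for i, (a, b) in enumerate(zip(expected, recovered)) if a != b})

def demo():
    key = b"constructed-file-key"
    plain = bytes(range(256)) * 8               # constructed 2048-byte "file"
    ct = cbc(key, b"original-iv", plain)
    good = cbc(key, b"original-iv", ct, decrypt=True)
    bad = cbc(key, b"rebuilt-iv", ct, decrypt=True)   # right key, wrong IV
    return good == plain, damaged_offsets(plain, bad)
```

Every damaged offset falls in the first 16 bytes of a chunk, because later blocks are chained on ciphertext rather than on the IV; a recovered file showing this pattern points at IV derivation rather than at the key.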