How to decrypt EFS-protected restored files?

Discussion in 'Computer Security' started by *Vanguard*, May 8, 2004.

  1. *Vanguard*

    *Vanguard* Guest

    I had a directory configured to use EFS (so anything put under it got
    encrypted). I exported my EFS certificate to a floppy. My system crashed and
    a disk image wouldn't work (because of changes in the hardware). However, I
    could still use the ImageExplorer that comes with DriveImage to peruse the
    contents of the image files to extract files out of them. So I've tried the

    - Extracted the files from disk image. Cannot view them because of the EFS
    protection. Imported the EFS certificate used when the files got encrypted.
    It was imported under the Personal store for certificates. Could not open
    the files.

    - Deleted the EFS certificate and re-imported it but this time left the
    option selected to have Windows XP automatically determine under which
    certificate store to place the certificate. It imported it to the Trusted
    People certificate store. Still couldn't access the encrypted files.

    - Figuring that EFS had not yet been implemented on my new install and that
    maybe the imported EFS certificate would not get exercised until EFS was
    used, I right-clicked on a folder and had it encrypted. Then I copied the
    files to under this directory figuring that the certificate might also have
    to be imported before moving the files into an EFS-protected directory.
    Still cannot access the file contents.

    I've read several KB articles and the included help but it really never
    describes the steps in restoring EFS-protected files, the order of importing
    the EFS certificate (before or after the files have been restored to the new
    instance of Windows), or if importing the EFS certificate after restoring
    the files (or before) would allow access to them (or if I also need to
    actually implement EFS to have it utilize the imported certificate). I see
    mention of how to use EFS, export certificates, manage them, import them, and
    some vague inferences in using them against encrypted files but no real
    instructions. After a few hours, I've exhausted what I could come up with for a
    procedure to decrypt these files. Any ideas?
    *Vanguard*, May 8, 2004

  2. *Vanguard*

    karen Guest

    One thing you can try is to import your certificate to another computer
    running XP Pro and copy your encrypted files to that computer and you should
    be able to view them. It doesn't fix your problem but at least you should be
    able to recover your files.
    karen, May 9, 2004

  3. *Vanguard*

    *Vanguard* Guest

    karen said in news:[email protected]:
    That's basically what happened. My current instance of Windows became
    unusable due to a hardware change and some corruption. It was about time
    for a cleanup so I did a fresh install (so that is the other computer to
    which you refer). I then imported the EFS certificate that had been
    previously exported onto a floppy from the original instance of Windows.
    Then I recovered the files.

    I can get the data files. That is not a problem. I save disk images using
    DriveImage 2002 and it has its ImageExplorer to let you yank out individual
    files. So in a fresh install of Windows XP Pro, I imported the old EFS
    certificate from the floppy and recovered the files from the drive image
    fileset. Yet I cannot get into the files. Any attempt to read one of the
    EFS-protected files results in "access denied" (and I checked the
    permissions which are okay).

    When I recovered the encrypted files using ImageExplorer to yank them from
    the disk image backup, I simply put them into a directory. Got the access
    denied error. Figuring that maybe the EFS certificate would not get applied
    unless the files were actually under an EFS-enabled folder (since I didn't
    want to individually set EFS on all the files), I configured their holding
    directory to enable EFS (so the EFS certificates would get applied).

    Summary. Was running Windows XP Pro SP-1. Was using EFS. Exported the EFS
    certificates to floppy (for both the user account that was using EFS and
    Administrator which had been designated a recovery agent). Had disk images
    for backups. Can use ImageExplorer to extract individual files from the
    disk images. Did a fresh install of Windows XP. Imported the EFS
    certificates. Pulled the old data files out of the disk image backup.
    Cannot access their contents (i.e., cannot read them).
    *Vanguard*, May 10, 2004
  4. *Vanguard*

    karen Guest

    It could be in the sequence you used. Importing your certificate before you
    had encrypted any files on your new installation.

    The individual file names of your encrypted files are still readable? I
    would try creating a new administrator account, encrypt a file which of
    course would create a new certificate then import your backed up
    certificate. Next copy one encrypted text file to your desktop for example
    and see if you are still denied access.
    karen, May 11, 2004
  5. *Vanguard*

    *Vanguard* Guest

    karen said in news:[email protected]:
    Thanks for the hint. At this point, I cannot remember if I had already
    created an EFS certificate (a new one) on my new Windows XP install before
    yanking the encrypted files from the disk image fileset. The individual
    filenames were always readable. When I realized that I had not yet used EFS
    in the new install (so there were no EFS certificates yet created), I
    deleted the imported certificates, I created an EFS-protected folder which
    gave me the new EFS certificate, I re-imported the old certificates, and
    then tried to yank the files while putting them under the EFS-protected
    folder. Didn't work.

    At this point, I've run out of time to expend on this and need to get back
    to real work. Nothing was stored in the EFS-protected folder that couldn't
    be rebuilt or retrieved from other media. I had my user-created files under
    the folder on backup tape and which had been saved before EFS had been
    applied to the folder (so the data files on tape were not encrypted). The
    other-sourced data files were on other CDs (not encrypted). So I think I've
    got back all my data files but now I'm a bit gun shy on employing EFS on the
    data folder. Would have been much easier, faster, and reassuring if the
    cert import and file retrieve had worked right. I'm wondering at this point
    if maybe yanking individual files out of a disk image won't work for EFS
    protected files. I recall the same scenario a couple years back under
    Windows 2000 which did work when I retrieved the encrypted files from a tape
    backup (which is a logical backup that actually reads the files rather than
    a physical backup using a disk image that records the data in sectors). For
    as slow as is ImageExplorer at yanking out 20,000+ files under a directory
    when rebuilding logical files from the physical sector data, I'll use tape
    from now on and keep the disk images only for disaster recovery to rebuild
    the entire partition (if it still works since significant hardware changes
    seem to render them unusable). Extracting thousands of files using
    ImageExplorer took hours to run. A tape restore would be faster. I've done
    the EFS file recovery before (but under Windows 2000 instead of Windows XP)
    and it worked, so the only significant difference this time was yanking
    files from a disk image rather than pulling them off tape.
    *Vanguard*, May 11, 2004
  6. *Vanguard*


    ACCESS DENIED in NTFS files;

    i have a laptop winxp-pro sp2 with a fat32 partition (system root) and another partition for secured data; essentially some xl files, jpg files, some ppt and proposal files.

    the secured file system was working well with no problem till a week back when i thought of using IE7( i am not sure ie7 is the culprit); i loaded ie7 restarted the machine; the fat partition is visible and accessible; NTFS partition, files are visibly listed but on opening, "Access Denied" pops up;

    i am the single user (so obviously with administrator rights) of the laptop (no password used for login).

    i checked and found the certificate thumbprint of the inaccessible files lists my name ([email protected]) as the owner with all permissions; but i am denied the access; i tried to login as administrator (through safeboot) and also tried to provide full access to everyuser; still "access denied" pops up.

    i created a new file and checked its certificate hash; it is different from the one listed for inaccessible files; i ran a file recovery to recover the old certificates and keys and obtained the old private key and master key;

    using them with ELCOMsoft's EFS data recovery theoretically redecrypts files (it lists all 245 files are decryptable); but when i open the decrypt file, they have garbage at regular intervals; i checked with a hex editor and found that 16bytes at every 512byte is not decrypted or garbaged; this results in ppt and xl files not opening and the doc files coming with garbage.

    how to get access to the old files and remove the new keys and restore the old ones?

    neelakantanr, Dec 22, 2007
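
    The pattern reported in the post above (16 bytes of garbage at every 512-byte interval) is what CBC-mode decryption produces when the key is correct but the IV applied to each independently chained 512-byte unit is wrong. The following added example (not from the thread or from any recovery tool) demonstrates that with a toy Feistel cipher; the cipher, the IV derivation and all sample values are assumptions made for illustration.

```python
import hashlib

BLOCK, UNIT = 16, 512  # cipher block size and chaining-unit size, both taken from the post

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Round function of a toy Feistel cipher (a stand-in, not the cipher EFS uses)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _block(key, blk, decrypt):
    # Four-round Feistel network over one 16-byte block
    l, r = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (_xor(r, _f(key, l, rnd)), l) if decrypt else (r, _xor(l, _f(key, r, rnd)))
    return l + r

def cbc_units(key, base_iv, data, decrypt=False):
    """CBC over independent UNIT-byte units; each unit's IV is base_iv XOR unit index (assumed)."""
    out = bytearray()
    for start in range(0, len(data), UNIT):
        prev = _xor(base_iv, (start // UNIT).to_bytes(BLOCK, "big"))
        for off in range(start, min(start + UNIT, len(data)), BLOCK):
            blk = data[off:off + BLOCK]
            if decrypt:
                out += _xor(_block(key, blk, True), prev)
                prev = blk
            else:
                prev = _block(key, _xor(blk, prev), False)
                out += prev
    return bytes(out)

def damaged_offsets(expected, actual):
    """Offsets of the BLOCK-sized blocks that differ between two buffers."""
    return [i for i in range(0, len(expected), BLOCK)
            if expected[i:i + BLOCK] != actual[i:i + BLOCK]]

# Constructed sample data: 2048 bytes of plaintext, a key and two IVs
PLAIN = bytes(i % 251 for i in range(2048))
KEY, GOOD_IV, BAD_IV = b"constructed-key!", bytes(16), bytes([0xAA]) * 16
CIPHERTEXT = cbc_units(KEY, GOOD_IV, PLAIN)

def demo():
    recovered = cbc_units(KEY, BAD_IV, CIPHERTEXT, decrypt=True)  # right key, wrong IV
    return damaged_offsets(PLAIN, recovered)

if __name__ == "__main__":
    print(demo())  # [0, 512, 1024, 1536]
```

    Only the first block of each unit depends on the IV; every later block is chained to the preceding ciphertext block, so it decrypts correctly once the key is right.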