Is it possible to decrypt EFS files without backup certificate

Discussion in 'Windows Vista Security' started by sunorain, Oct 26, 2009.

    A PC had Vista installed and one folder was encrypted by the OS. This folder had
    some thousand or so files.

    Then Vista was reinstalled, with most old system files (including the "Windows",
    "Users" and "Documents" folders) deleted before reinstallation. The encrypted
    folder was left intact on the HDD.

    Is it possible to somehow get the files in the encrypted folder decrypted under
    the newly installed copy of Windows?

    Username and password for Windows account used to encrypt folder are known.

    Utilities like Elcomsoft's EFS recovery could not do much - when the account
    password had been supplied, the utility said that it can decrypt about 90 files
    in total with no hint on why specifically these files can be decrypted and not

    sunorain, Oct 26, 2009
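    A check that fits the situation described above, added here as an example that is not part of the thread and not code from any product named in it: on Vista and later, `cipher.exe /c` reports, for each encrypted file, the thumbprints of the certificates that can decrypt it (the user keys and any recovery agents). Comparing those against the certificates actually present in the current user's personal store shows why a recovery tool opens some files and not others: only files whose thumbprint matches a private key this account still holds can be decrypted, and files encrypted under an earlier, now-missing key cannot. The folder path is a placeholder, and the regular expression that picks the thumbprints out of cipher's text output is an assumption about its wording.

```powershell
# Added example, not from the thread: for every EFS-encrypted file under $Root, list the
# certificate thumbprints that can decrypt it (per 'cipher.exe /c') and check whether a
# matching private key is present in the current user's personal store. Vista or later.
param(
    [string]$Root = 'D:\OldDisk\EncryptedFolder'   # placeholder: folder left from the old install
)

# OID 1.3.6.1.4.1.311.10.3.4 is the Encrypting File System enhanced key usage.
$efsOid = '1.3.6.1.4.1.311.10.3.4'

# Thumbprints of EFS certificates this account holds together with their private keys.
$held = @{}
foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    if (-not $cert.HasPrivateKey) { continue }
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsOid)) {
        $held[$cert.Thumbprint.ToUpperInvariant()] = $cert.Subject
    }
}

# Parse the 'Certificate thumbprint: XXXX XXXX ...' lines that 'cipher /c' prints under
# "Users who can decrypt" and "Recovery certificates". Assumption: that is cipher's wording.
function Get-EfsThumbprints([string]$Path) {
    $out = & cipher.exe /c "$Path" 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

# FILE_ATTRIBUTE_ENCRYPTED (0x4000) marks files whose contents EFS has encrypted.
$encrypted = Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   (([int]$_.Attributes -band [int][IO.FileAttributes]::Encrypted) -ne 0) }

$report = foreach ($f in $encrypted) {
    $needed = @(Get-EfsThumbprints $f.FullName)
    $ok = [bool]($needed | Where-Object { $held.ContainsKey($_) })
    New-Object PSObject -Property @{
        File        = $f.FullName
        Thumbprints = ($needed -join ',')
        Decryptable = $ok
    }
}

$report | Sort-Object Decryptable, File | Format-Table Decryptable, Thumbprints, File -AutoSize
"EFS keys held: $($held.Count); encrypted files: $(@($encrypted).Count); " +
  "decryptable with the keys in this store: $(@($report | Where-Object { $_.Decryptable }).Count)"
```

    Run it as the account that owned the files, on the reinstalled system, before anything else is written to the old folder. A file marked not decryptable whose thumbprint is absent from the store needs exactly the key that was lost with the old profile; no password for the new account will stand in for it.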
  2. Without a backup of the EFS certificate your files are lost.

    John John - MVP, Oct 26, 2009
    In the meantime, the OP left to post elsewhere where the conduct was less of
    a grade school playground brawl.

    started a good cat fight.....

    "He started it"

    "I did not, you did"

    "No, you did."

    ad infinitum......
    Andy Medina, Nov 8, 2009
    Yep, certainly did that, didn't it. Think it was a Usenet "drive-by"
    post... or was it possibly related to the "can't be done, don't bother
    even trying", wherein everyone has the ability to post their purported
    prior experience levels upon challenge... I always get a kick out of
    Usenet, but it is reflective of society in general. These same
    activities have been carried over into other areas, such as blogs and
    "social networking" activities.
    MEB, Nov 8, 2009
    What an egotistical troll you are! The problem isn't with the others it is
    with YOU! You are the one who did the "drive-by" post. You gave no useful
    advice at all, the only thing that you did is show your vitriolic
    personality and ignorance, and you have plenty of that to go 'round!

    Let me add my voice to this, I've "been there, done that" and I've learned
    the hard way. I'm one of those who lost files because I didn't know any
    better and I didn't back up my certificate; without the certificate the files
    are lost. You're wasting everybody's time with your less than helpful
    Peter, Nov 8, 2009
  6. sunorain,

    I have empathy for your post and what it has been turned into. I did find a
    fine example of what it basically has become...

    Hopefully it serves more purpose than the back-and-forth your conversation
    has become - at least make you smile/laugh - *grin*

    Direct answer...

    In general - if you have no backup of your encryption key/cert and/or backup
    of your old hard disk drive contents (full image) so you might revert to it
    and regain said information and back it up this time - your files/folders in
    the EFS are likely (for all intents and purposes) lost to you.

    It sucks - but it is why people are encouraged to make good backups.

    Might you be able to get something back? Sure - anything is possible - but
    you'd have to let everyone know what backups you have, if you have an image
    of the hard disk drive before the problems, etc. However - assuming you
    would have mentioned that - recovery is unlikely - even if you throw a lot
    of money at the issue.
    Shenan Stanley, Nov 10, 2009
    Okay, at LEAST add there are some really good [some free] disk recovery
    programs that could be tried. What can it hurt... it would take less
    than twenty or thirty minutes to check including download time... heck,
    even something like Hiren's or Knoppix Live could potentially be used.
    This was an old [apparently as there are a few thousand files involved]
    large installation with a SMALLER new installation placed, why not check...

    Windows Info, Diagnostics, Security, Networking
    The "real world" of Law, Justice, and Government
    MEB, Nov 10, 2009
  8. Given what the original poster has, ("... Vista was reinstalled, with most
    old system files (including "Windows",
    "Users" and "Documents" folders) deleted before reinstallation ..."), the
    chances are very slim indeed - also - considering this has gone on for two
    weeks now (14 days since their original posting) it is likely they have
    utilized the machine pretty well at this point - slimming the possibilities
    even more of recovering anything - much less anything that might help them.

    However - why didn't you? Instead of suggesting someone suggest something -
    suggest - with details. ;-)

    Would it have been hard to do this:




    Use any of those with the Ultimate Boot CD for Windows:

    However - without the DRA or backed up private key and given this was a
    stand-alone machine - likely still a wash. Backups - the only true solution
    to data loss. Data loss - usually the most well-listened-to teacher
    advocating backups - if only those listening now had listened to the masses
    days/weeks/years before. ;-)

    It being Vista - this is of little help:
    .... not to mention, likely over the head of anyone who did not bother to
    make backups of their important files. ;-)

    When you add to that the facts given that things like this:
    .... only had limited - unbelievably limited - success; things aren't looking
    just bleak, but downright dark and dead quiet.

    They can try all that - if they want - but even though they did not backup
    the data and use best practices for EFS (showing they may not have
    understood what they were doing) they did mention some things they have
    tried leading one to think they did their research and probably thought
    about some (if not all) of this long ago - and if they had success or not -
    we are likely to never know. No success - what incentive do they have to
    report back they fail? Success - they will likely feel like they did it on
    their own (and would likely be right given the paths this conversation took)
    and they have nothing to say to anyone here. ;-)
    Shenan Stanley, Nov 10, 2009
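    The two measures this post and the earlier "Direct answer" post keep coming back to, a backed-up private key and a Data Recovery Agent (DRA), as an added example that is not part of the thread and not code from Microsoft or any tool named here. The backup directory and folder path are placeholders; cipher.exe prompts interactively for the PFX passwords, and the wording it prints for the recovery-certificate check in the last step is an assumption.

```powershell
# Added example, not from the thread: the two preventive measures the replies point to.
# (1) back up this account's EFS certificate and private key; (2) create a Data Recovery
# Agent (DRA) so a second, offline-kept key can also open every encrypted file.
# Paths are placeholders; cipher.exe prompts for the PFX passwords interactively.
$BackupDir = 'E:\efs-backup'   # placeholder: removable media that is stored offline
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export the EFS certificate(s) and private key of the current user to a PFX.
#    Run this as the account that encrypted the files; cipher appends .pfx to the name.
#    Without this file a reinstall or profile loss strands every file the key protects.
& cipher.exe /x "$BackupDir\efs-user-key"

# 2. Generate a recovery agent key pair: dra.cer (public part, to register in policy)
#    and dra.pfx (private part, import only on a trusted machine when recovery is needed).
& cipher.exe /r:"$BackupDir\dra"

# 3. On a stand-alone machine register dra.cer as a recovery agent in secpol.msc under
#    Public Key Policies > Encrypting File System (in a domain, through Group Policy).
#    Then re-key the encrypted files already on disk so the DRA is added to each of them:
& cipher.exe /u

# 4. Verify: each encrypted file should now list a recovery certificate besides the user key.
#    Assumption: 'cipher /c' prints "No recovery certificate" for files that still lack one.
$Folder = 'C:\Users\Alice\Documents\Private'   # placeholder
$info = & cipher.exe /c "$Folder\*" 2>&1
"Files still without a recovery certificate: $(@($info | Select-String 'No recovery certificate').Count)"
```

    The order matters: step 3 has to be done before `cipher /u`, or the update has no new agent to add. Keep efs-user-key.pfx and dra.pfx off the machine they protect; a backup that is deleted along with the "Users" folder is the scenario the original poster is in.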
    And I would agree, when posted 10/26/09, simple recovery methods SHOULD
    have been the *first* suggestions, taking the disk out of usage, and
    other. INSTEAD those answering went off on the thought of
    CRACKING/HACKING the actual files, to the point of a ridiculous
    discussion of Super Computers.

    I entered the discussion on 11/4/09 [around 8-9 days later], seeing NO
    ONE had even suggested anything remotely like would have been applied
    under these or other circumstances and situations, attempted file
    recovery; and where NO ONE had submitted anything regarding methods or
    tools, Microsoft or otherwise. The apparent thought was that it was impossible to
    recover, where in ANY other file deletion or related disk issue the
    IMMEDIATE response would or should have been as indicated, attempted
    When I suggested that there were other methods and provided links to
    materials including Microsoft Articles and tools, they were received
    with disdain BY supposed MVPs. Excuse me, these are tools and
    information related to the activity. They DO provide the "best
    practices" and tools for particular situations regarding EFS, don't they?
    When I addressed other potentials such as beginningtoseethelight, which
    shows indicators to the information sought should hex recovery or
    modification be needed, I received some of the most ignorant junk
    possible, AGAIN from MVPs. This is SUPPOSEDLY a group with experts. With
    indicators available, there was another potential recovery method, if
    We aren't discussing cracking/hacking encrypted files, it was the
    potential DATA recovery that might have been useful to the OP. It was
    also the tools available, and potential methods for others who might
    find this discussion.

    Now, why don't YOU explain why YOU didn't step in IMMEDIATELY
    with suggested recovery methods, and WHY none of the other MVPs did.
    That would be real interesting I'm sure.

    While you're at it, explain why they STILL don't get it.

    You can sit smugly at your computer in here all day long and say it
    *might* have been impossible to recover; it's as good an excuse as any
    now; but IT DANG SURE IS NOW because NONE of you even tried. NONE of you
    suggested anything of value.

    Windows Info, Diagnostics, Security, Networking
    The "real world" of Law, Justice, and Government
    MEB, Nov 10, 2009
  10. <snip>
    Easy there, MEB.

    Why do you think I (or anyone here) owe you (someone I don't know)
    information about me (someone you don't know) and where I was or why I
    do/don't/didn't/did do something?

    Same question to you - why didn't you step in immediately on day one with
    your suggestions?

    Likely the same answer for both. Volunteer, not paid to do this, have a
    life, doing something else, can't be everywhere at once and nunya...

    You can think people are being smug all you want - they are not - they are
    being where they can/want to be when they can when they want to be. They
    answer how they want, with what they want.

    There is no *you* here - this is a PEER-to-PEER newsgroup - you are the same
    as anyone else here. You are a PEER.

    Said it before, looks like I have to say it again. I volunteer my
    experience and knowledge - volunteer above and beyond my normal life and
    career. I get to say what I want when I want to say it. If Microsoft
    disappeared tomorrow - it would mean very little in terms of what I do.
    Initials mean little - it's what you make of it. I did it long before I
    received any initials for doing it and would likely still do it without the
    initials (although I am considering not doing it anymore because people seem
    to *expect* things they shouldn't.)

    Your comments were late just as some others were and did very little to help
    the situation when you decided that instead of ignoring those who decided to
    buck what you were saying - you'd feed on them and them on you and make this
    entire conversation into garbage that was of no use to the OP and wasn't
    even a logical discussion, but a "No, YOU!" shouting match.

    One problem is you never know what the reaction will be from people. I have
    been involved in postings where it seemed like the person had tried nothing,
    but was just honestly asking for assistance. I listed all the simple things
    to try and some more advanced things to try in excruciating detail - in
    hopes that something might help them. What was the reaction? They bit my
    head off for treating them like a child, for not assuming they had done all
    the simple stuff, going as far as calling me names.

    It's a volunteer based newsgroup (forum) - if you don't like what someone
    says or don't want to get involved - you don't have to. If you want to stop
    at any point being involved, do so. And sure - you can call people names,
    troll, chide people into responding, dance around the topic, be the holy
    zealot in the right/wrong side, be the jester or be the true fool - all that
    is a free for all as well. What you do here *is* your choice. When you do
    things here *is* your choice.

    Don't expect - however - anything. It's not your 'right', especially not
    here. You voluntarily answer and are no different than anyone else here -
    no matter what value you want to put into what initials you see.

    I knew someone once that started putting initials at the end of their name
    many years back. People, strangely - started treating them with more
    respect, etc. The letters added were "RNG" <- they meant 'Really Nice Guy',
    but no one ever asked - they just assumed some importance came with them. I
    would suggest never being that unwise.

    But - I will return to the subject at hand - as it should always end up

    The truth is - given what the OP did - I fully believe they would have been
    unsuccessful in their attempts - no matter what was suggested within minutes
    of their original posting.

    They didn't make backups (if they did, they did not mention any), they
    didn't understand EFS (or they wouldn't have just 'moved' the EFS folders
    somewhere else thinking they could unencrypt them later without following
    the well documented best practices of backing up the private key or making a
    DRA) and they had attempted to fix it themselves with research (they
    mentioned methods I don't believe they knew beforehand - since if they knew
    of the methods, they would be unlikely to have risked their data on the
    off-chance those methods would work for them.)

    All of this could easily have been deduced from the original posting and I
    perfectly well understand why the reaction was what it was for the most
    part. Logical progression from the given information. All that could be
    done otherwise is ask for more information - and many times that just gets
    "Just answer the question" responses and "Why do you need to know all that"
    responses and the likes.
    Shenan Stanley, Nov 10, 2009
    Wow, I really needed that explanation. Sorry, at this point my
    tolerance is low.
    Deduced by whom? My immediate reaction WAS to proceed with the
    recovery tools and methods in the discussion to dispel the incredible
    lack of anything relevant to the issue and other similar situations.
    You just change yours to another excuse, you "fully believe"... that's
    fine. That still doesn't address the potential recovery and THAT was the
    most important element. Unless one tries, then everything else is just
    fluff, excuses, and failure, because you DON'T KNOW for sure, do you.
    GUESSING isn't productive when someone's potentially irreplaceable
    files are at stake. So NO your answer does not suit the issue nor the
    matter as posted. It's just another excuse. The LOGICAL progression is to
    stop usage IMMEDIATELY, and then make an effort to see what options
    might be available.

    Windows Info, Diagnostics, Security, Networking
    The "real world" of Law, Justice, and Government
    MEB, Nov 10, 2009
    Energy is still being wasted on this?
    Just 'killfile' the thread.

    that can no longer be decrypted.

    Andy Medina, Nov 11, 2009
  13. Here is another case where the authorities can not break into an encrypted
    device without the keys.

    For all of those of you who say it can be done - hogwash!
    Richard Urban, Nov 25, 2009
  14. The strength of encryption is quantified by "how long" it can be
    expected to remain secure, not that it cannot be broken.
    FromTheRafters, Nov 25, 2009
