
Is it possible to decrypt EFS files without backup certificate

1,768 views

sunorain

Oct 26, 2009, 9:25:01 AM

A PC had Vista installed and one folder was encrypted by OS. This folder had
some thousand or so files.

Then Vista was reinstalled, with most old system files (including "Windows",
"Users" and "Documents" folders) deleted before reinstallation. Encrypted
folder left intact on HDD.

Is it possible to get files from encrypted folder somehow decrypted under
newly installed copy of Windows?

Username and password for Windows account used to encrypt folder are known.

Utilities like Elcomsoft's EFS recovery could not do much - when the account
password had been supplied, the utility said that it can decrypt about 90 files
in total, with no hint as to why specifically these files can be decrypted and not
others.

(microsoft.public.security, microsoft.public.win2000.security,
microsoft.public.security.homeusers, microsoft.public.windows.file_system,
microsoft.public.windows.vista.security)

John John - MVP

Oct 26, 2009, 10:22:10 AM

Without a backup of the EFS certificate your files are lost.

John

Unknown

Nov 3, 2009, 11:20:01 AM

That is not true.

There may be no software available to the public, but those files are
crackable by Microsoft, hard drive data recovery companies, and the
government.


John John - MVP

Nov 3, 2009, 11:41:30 AM

Name *one* data recovery company that can recover encrypted files without
the EFS certificate.

John

Richard Urban

Nov 3, 2009, 11:41:49 AM

Not true

Just recently there was a case of a child pornographer who was released
because he would not decrypt a hard drive for the prosecution. Do you not
think that under these circumstances that if it could be done - it would
have been done?

--

Richard Urban
Microsoft MVP
Windows Desktop Experience & Security

FromTheRafters

Nov 3, 2009, 8:34:39 PM

Sure, it *can* be done. With enough computing power, and enough time.
Therein lies the rub.

Richard Urban

Nov 4, 2009, 10:11:39 AM

Give it to a super computer for a few years!

--

Richard Urban
Microsoft MVP
Windows Desktop Experience & Security

Andy Medina

Nov 4, 2009, 12:20:51 PM

And he gets to foot the supercomputer's utility bills for those few years.
:D
Maybe something like the SETI@home thing might do it a bit faster.

MEB

Nov 4, 2009, 1:37:05 PM

Richard Urban wrote:
> Give it to a super computer for a few years!
>

Uhm, this type of additional base security apparently relies upon other
aspects within the system and/or network, such as: strong user and
administration passwords; caching of credentials; IPSec; domain aspects;
DRA; and other system and network activities, found/used in conjunction
with it [I won't directly include hack tools], for the discussion.

Some related and/or historical information might be valuable:

Where Does EFS Fit into your Security Plan?
http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan.html

Re: looking for EFS weaknesses
http://lists.virus.org/forensics-0306/msg00005.html

Analysis of Reported Vulnerability in the Windows 2000 Encrypting File
System (EFS)
http://technet.microsoft.com/en-us/library/cc749962.aspx

Default SYSKEY configuration compromises encrypting file system 13 May 2000
http://www.securiteam.com/windowsntfocus/5FP0B0U1FW.html

Windows 2000 Known Vulnerabilities and Their Fixes - PDF
http://www.sans.org/reading_room/whitepapers/win2k/windows_2000_known_vulnerabilities_and_their_fixes_185

EFS and File Recovery
http://www.informit.com/articles/article.aspx?p=19486

Methods for Recovering Encrypted Data Files
http://support.microsoft.com/kb/255742

Data Protection and Recovery in Windows XP
http://technet.microsoft.com/en-us/library/bb457020.aspx

Encrypting File System in Windows XP and Windows Server 2003
http://technet.microsoft.com/en-us/library/bb457065.aspx

How to back up the recovery agent Encrypting File System (EFS) private
key in Windows Server 2003, in Windows 2000, and in Windows XP
http://support.microsoft.com/kb/241201

EFS File Recovery - Asia Supplement
http://blogs.technet.com/asiasupp/archive/2007/04/26/efs-file-recovery.aspx

How to recover EFS encrypted file
http://www.petri.co.il/forums/showthread.php?t=1609

Vista Tutorial - Encrypted File System (EFS) Certificate Restore
http://www.vistax64.com/tutorials/99956-encrypted-file-system-efs-certificate-restore.html

encrypted file system recovery {*MEB- an interesting look at the system}
http://www.beginningtoseethelight.org/efsrecovery/

Encrypting File System
http://en.wikipedia.org/wiki/Encrypting_File_System

*What the OP apparently tried:
Advanced EFS Data Recovery
http://www.elcomsoft.com/aefsdr.html
Advantages and Disadvantages of EFS and effective recovery of encrypted
data [Whitepaper] - PDF
http://www.elcomsoft.com/WP/advantages_and_disadvantages_of_efs_and_effective_recovery_of_encrypted_data_en.pdf
[Case study] Don’t let EFS trick you: Tips on recovering EFS-encrypted
data when it gets lost.
http://www.elcomsoft.com/cases/tips_on_recovering_EFS-encrypted_data_when_it_gets_lost.pdf

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

MEB

Nov 4, 2009, 9:59:32 PM

John John - MVP wrote:
> None *one* data recovery company who can recover encrypted files without
> the EFS certificate.
>
> John
>
> ;-) wrote:
>> That is not true.
>> There maybe no software available to the public, but those files are
>> crack-able by Microsoft, Hard Drive Data recovery companies, and the
>> government.
>>

I think what was being alluded to, in part, was the known activities
presently occurring between Microsoft and law enforcement, such as:

Microsoft and National White Collar Crime Center Make Digital Forensics
Tool Available to U.S. Law Enforcement Agencies
http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx

Microsoft denies handing law enforcement ‘backdoor’ keys
http://www.lamp.edu.au/watercooler/microsoft-denies-handing-law-enforcement-backdoor-keys/


David H. Lipman

Nov 4, 2009, 10:34:18 PM

Wouldn't surprise me as there have always been the rumours of the NSA OS backdoor.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


MEB

Nov 5, 2009, 12:51:09 AM

David H. Lipman wrote:
> Wouldn't surprise me as there have always been the rumours of the NSA OS backdoor.

And that's essentially the purported problem, there are so many
unknowns involved that speculation runs wild in some circles.

What we do know is questionable enough, such as:

the EFS recovery tool {once} offered via paid support;

You cannot remotely access encrypted files after you upgrade a Windows
Server 2003 file server to Windows Server 2008
http://support.microsoft.com/kb/948690
Post Upgrade EFS Recovery Tool 1.0 (KB948690)
http://www.microsoft.com/downloads/details.aspx?FamilyID=FD786261-D278-40DB-BAF8-70F42D786223&displaylang=en
;

the previously linked Tool for Law Enforcement [actually a set of tools
included within the offered "tool"], and some others mentioned elsewhere
on the Internet [many without supporting documentation, but would there
be, I mean really].
So it can be difficult wading through the actualities of it all when
weighed against known variables and potentials.

Even the discussions which address the linked Tool and suggest
unplugging, fail to understand the information is still there, just a
bit harder to recover. The application of proper forensic tools and
methodology can likely recover whatever materials anyway, by someone
specialized within the field [example: the link to
beginningtoseethelight in my other post today in this discussion].

How far one wishes to go with this on one side or the other, really
doesn't matter, as the really IMPORTANT understanding should be that
security, generally, is designed more for *external*
activities/protection; and is only as secure, locally, as the
network/computers involved [leaving hardware "lock-like" activities not
addressed].
That many/most users fail to understand the relationship between the
hardware involved [such as in this discussion and forensic hard drive
analysis, or WiFi encryption, or whatever] tends to lead to
misconceptions and faulty conclusions. It is all data after all and the
more it travels through the OS, like the NTs and somewhat Linux, or
broadcast over the air, the more tracks it leaves; meaning the more
chances for discovery/recover/hack/whatever; and that just takes a bit
of common sense. Moreover, should one need to do so, look at the
filing/storage systems themselves and what they contain and how they
function {such as indexing, journaling, etc.}; or the TCP/IP protocol,
or the wireless standards, or whatever applies. [Sorry, I drifted a bit.]

So are there "backdoors", the answer would be maybe, perhaps even
likely; we do have the implementation of numerous other like activities
from "On Star", the V-Chip technologies, DIRT, Carnivore, the Tool, and
several others to look at. Do these really matter though... think of the
commonly used cell phone and its data and abilities, and that it can be
hacked... but again, how far do you go and why, what's the purpose in
today's electronic and connected world. The only way to stop this now
[if one has issues with these activities] means reverting to the world
of our grandfathers.

David H. Lipman

Nov 5, 2009, 7:30:40 PM

Carnivore isn't a "backdoor".
It is a combination of protocol sniffer and remote access system to be placed, under
warrant, at an ISP.

MEB

Nov 5, 2009, 8:41:36 PM

Hmm, okay, you are right in the purest sense, it isn't technically a
backdoor as in directly installed or hard coded, but certainly a
backdoor [or perhaps more a trapdoor] to user activities.

http://en.wikipedia.org/wiki/Carnivore_%28software%29
http://peoplescounsel.org/ref/carnivore.htm
http://peoplescounsel.org/dirt.htm

I'm not so sure where the technologies and activities actually ended up
after implementation of the U.S. Patriot Act and like so-called
anti-terrorist Laws around the world. We have seen some rather
disquieting disclosures regarding activities done under guise of these
Laws. You have to remember these are now supposedly classified as
Secret, e.g., related to national/international defense/security
[warrants generally issued by the special courts and/or hearings]. And
here in the US, we won't know much about this activity for another 9
years or so, since the last administration made sure to pass
re-authorization prior to losing office and control.

Moreover, my reference was directed more towards the activities
[monitoring, government programs, Microsoft tools, misconceptions,
recovery techniques, etc.] in general relationship to the hard coded
"backdoors" that worry so many and perhaps rightly so if they exist.

But I think we've now drifted away from the EFS recovery issue.

John John - MVP

Nov 7, 2009, 8:04:39 AM

MEB wrote:

> What we do know is questionable enough, such as:
>
> the EFS recovery tool {once} offered via paid support;
>
> You cannot remotely access encrypted files after you upgrade a Windows
> Server 2003 file server to Windows Server 2008
> http://support.microsoft.com/kb/948690
> Post Upgrade EFS Recovery Tool 1.0 (KB948690)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=FD786261-D278-40DB-BAF8-70F42D786223&displaylang=en

That has absolutely *nothing* to do with recovery of encrypted files
without the EFS certificate, this tool simply recovers the special user
profiles that are not properly migrated under specific circumstances.

John

John John - MVP

Nov 7, 2009, 8:15:50 AM

MEB wrote:
> Microsoft denies handing law enforcement ‘backdoor’ keys
> http://www.lamp.edu.au/watercooler/microsoft-denies-handing-law-enforcement-backdoor-keys/

Members of the British government were blabbering about not being able
to decrypt BitLocked files... until someone reminded them that the very
thing that they were asking for would make *their* own encrypted files
accessible to any foreign entity who had such tools. Strangely enough
at that point the blabbering stopped...

John

John John - MVP

Nov 7, 2009, 9:25:04 AM

None of the above deals with recovering encrypted files *without* the
EFS certificate. These discussions and tools simply deal with known
"best practices" when using EFS and how to use the Recovery Agent or
backup copies of the certificate to regain access to encrypted files.
Other discussions and tools deal with recovery of the certificate (not
files) on failing drives or on Windows installations that fail to start
or recovery of certificates deleted by user error. I think that the
bottom line is that maybe cryptologists with supercomputing power and
ample time might be able to recover these files but in reality without
the certificate for all intents and purposes the files are lost.

It is true that I could walk on the moon, but in reality it is most
unlikely that I ever will, the same goes for most all of us having any
hope of recovering encrypted files without the certificate, unless the
OP can recover his EFS certificate he has truly lost his encrypted files.

John

MEB

Nov 7, 2009, 3:48:35 PM

That doesn't even earn a response other than this...

MEB

Nov 7, 2009, 3:49:02 PM

What's the problem here.
These are examples regarding recovery generally. So yes, these do have
relevance in a discussion wherein recovery techniques are at hand.
The linked beginningtoseethelight materials address yet another avenue
of approach, and there are other methods depending upon what may be
available on the disk or device using specialized tools for the task.

Or is this the typical Usenet activity wherein, because an individual
post does not contain all elements [having been addressed elsewhere in the
Discussion], this is somehow supposedly false or not related... ignoring
or misstating the rest of the elements discussed within the discussion.
Don't start this junk... or is it that you are having difficulties
holding the entire discussion in mind... if so, you might want to
refresh your memory [perhaps "star" or otherwise note key elements]
before you post.

Per your British government stuff, yes, there WOULD be a problem with
"PUBLICLY" available tools. That doesn't guarantee there are not tools
[legal or otherwise] available.

John John - MVP

Nov 7, 2009, 5:10:17 PM

I eagerly await your instructions to see how you will help the OP
recover his encrypted files without the EFS certificate.

John

MEB

Nov 7, 2009, 5:48:03 PM

Some of the methodology involved was defined within the
beginningtoseethelight materials [which leads the curious to look for
more].. and I'm certainly not going to walk anyone through it, nor
supply more than what I have, I don't help hackers in these groups [and
not saying the querier was a hacker]...

So this appears you do want to play stupid Usenet games... find someone
else to play with. The OP wanted information if it was possible, I
supplied information and linked materials wherein, that it may be possible.

You supplied the "super computer trash", not really very helpful was it...

John John - MVP

Nov 7, 2009, 6:33:25 PM

No, I told the OP the truth, without the EFS he has no realistic hope of
ever recovering his files. Other than that I simply said that I
accepted that given enough resources it may be hypothetically possible
to recover the files but that by and large these resources are not
available to many if any of us posting here. Your insisting that he may
be able to recover the files without the EFS is doing nothing to help
him, you are just sending him on a wild goose chase.

John

MEB

Nov 7, 2009, 7:52:04 PM

Yeah, right, so the OP is looking for the EFS, no, the certificate and
the methods of potential recovery, having already found:

"Utilities like Elcomsoft's EFS recovery could not do much - when the
account password had been supplied, the utility said that it can decrypt
about 90 files in total with no hint on why specifically these files can
be decrypted and not others."

That's 90 supposedly recoverable files. So how about you explain WHY
these supposed files COULD BE RECOVERED when you claim they can't be
without the certificate.

Your response?


"Without a backup of the EFS certificate your files are lost.

John"

Nah, don't bother, you suffer under the impression you live in a
perfect world where everything works as claimed...

I told you to actually READ the postings and linked materials.

Kerry Brown

Nov 7, 2009, 8:28:30 PM

Have you ever actually tried to recover files encrypted with EFS? Have you
ever used the Elcomsoft program? I have. It uses whatever certs it can find
to decrypt the files. In most cases the certs used to encrypt files may have
changed over time. As long as you are using the same install of Windows (or
an AD domain) Windows looks after which cert to use for which file. The
Elcomsoft program will scan the hard drive looking for certs and trying
them. It's pretty simple. There are many reasons why the cert may be
available for some files and not others. The most common is they were
encrypted at different times with different accounts. Some may have been
encrypted with a local account. Some may have been encrypted with an AD
account. In the end it all comes down to one simple fact: no cert - no
decryption. Trying to tell someone otherwise is not helpful. Trying to help
them recover the needed certificate(s) would be helpful. Going off on a
tinfoil hat tangent is especially unhelpful.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

MEB

Nov 7, 2009, 8:51:47 PM

Why don't you read the linked materials at:

encrypted file system recovery {*MEB- an interesting look at the system}
http://www.beginningtoseethelight.org/efsrecovery/

Take off *your tinfoil hat*, "had some thousand or so files" supposedly
at stake.. think it might be useful to look at ALL potentials... or is
this the standard Windows "frig it just wipe and re-install" or "gosh,
don't know what happened, YOU must have done something wrong" or "you
screwed up too bad for you" attitude.

Kerry Brown

Nov 7, 2009, 9:18:11 PM

I've read that before. I just read it again. The key takeaway is the very
last line:

"in closing - backup your efs keys properly!!"

All of the methods the author talks about, except the very last one, involve
using the original key (certificate). The last method involves some guessing
and relying on files to be stored in a specific layout on the drive in a
specific format. The author never says that it has been done successfully.
Much of the article sounds theoretical. The author uses words like "should"
and "if" a lot.

I'll ask again. Have you ever tried any of this? Have you ever successfully
decrypted an efs encrypted file without having the key? Can you point me to
any reference that says someone has actually done this?

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

MEB

Nov 7, 2009, 10:03:10 PM

Kerry Brown wrote:
> I've read that before. I just read it again. The key takeaway is the
> very last line:
>
> "in closing - backup your efs keys properly!!"
>
> All of the methods the author talks about, except the very last one,
> involve using the original key (certificate). The last method involves
> some guessing and relying on files to be stored in a specific layout on
> the drive in a specific format. The author never says that it has been
> done successfully. Much of the article sounds theoretical. The author
> uses words like "should" and "if" a lot.

It wasn't exact was it, working from the example system, and would have
been somewhat different in another, that was explained.
The disk hex file review information shows a potential recovery method.
PGP was thought unbreakable, so were numerous other encryption
techniques, many now shown as faulty. These are algorithms leaving
traces in the system. Had the disk been IMMEDIATELY taken out of service
then there were other recovery methods potentially available.

>
> I'll ask again. Have you ever tried any of this? Have you ever
> successfully decrypted an efs encrypted file without having the key? Can
> you point me to any reference that says someone has actually done this?
>

I have a better idea, you are an MVP with perhaps a better connection
to Microsoft.

Ask Microsoft to supply you with a formal hard copy, authorized and
SIGNED statement, supplying exact information that:
EFS files can not be recovered by any methods without the certificate
from a previously running system, and also as occurred in the querier's
original statement, barring the Super Computer brute force method.
Also that Microsoft has no method and/or tools which might be in
private or other hands, and knows of no others, which might accomplish
the recovery.

That would supply a final documented answer to any such questions in
the future.
Make sure to tell them you will be sending an exact copy to me [with a
copy of the envelope]. When you get the signed formal responsive
document, I will supply an address for you to send a copy of this
documentation to [which I will have verified], and we can then continue.

John John - MVP

Nov 8, 2009, 12:02:12 AM

MEB wrote:

> "Utilities like Elcomsoft's EFS recovery could not do much - when the
> account password had been supplied, the utility said that it can decrypt
> about 90 files in total with no hint on why specifically these files can
> be decrypted and not others."
>
> That's 90 supposedly recoverable files. So how about you explain WHY
> these supposed files COULD BE RECOVERED when you claim they can't be
> without the certificate.

Either the utility can find the certificate and decrypt *all* the files
or it can't find it and can't decrypt *any* of them and they want the
user to pay them to find out that the files are utterly lost. You don't
know how many certificates were used on that machine, for all that you
know the utility may have found an old certificate that was used for
test purposes, if it had found the correct certificate it would be able
to decrypt *all* of the thousand or so files that the user lost, not
just 90 of them.

> Your response?
> "Without a backup of the EFS certificate your files are lost.

YES! Absolutely! I repeat, without the certificate the files are lost!

> Nah, don't bother,, you suffer under the impression you live in a
> perfect world where everything works as claimed...

NO, unlike you, I have 10 strong years of experience with operating
systems that are EFS capable and I understand how it works. Believe
what you want but the facts are that you cannot recover these files
without the certificate!

> I told you to actually READ the postings and linked materials.

Why don't you try it for yourself, encrypt files then positively destroy
the certificate and give your utilities a try. Come back and tell us
how you made out and give us replicable proof that you recovered your
files without the certificate. All that these utilities do is try to
find the certificate.

EFS means business and many users find out the hard way that files
without certificate are history! There wouldn't be much sense in having
EFS at all if it could be circumvented by simple recovery tools. The OP
is not the first one to lose his files due to bad or negligent EFS
practices and he isn't the last one, if he can recover the certificate
he may be able to recover the files, if he can't recover the certificate
he is SOL!

John

MEB

Nov 8, 2009, 12:13:59 AM

Whatever, I placed a recommendation for a document from Microsoft to
another MVP, why don't the two of you work on it.

John John - MVP

Nov 8, 2009, 1:24:52 AM

Maybe you should find out how encryption works. Some reading is in
order, in particular:

http://technet.microsoft.com/en-us/library/bb457116.aspx
http://technet.microsoft.com/en-us/library/cc875821.aspx

"One solution to help reduce the potential for stolen data is to encrypt
sensitive files by using Encrypting File System (EFS) to increase the
security of your data. Encryption is the application of a mathematical
algorithm to make data unreadable except to those users who have the
required key. EFS is a Microsoft technology that lets you encrypt data
on your computer, and control who can decrypt, or recover, the data.
When files are encrypted, user data cannot be read even if an attacker
has physical access to the computer's data storage."

"An attacker can also steal a computer, remove the hard drives, place
the drives in another system, and gain access to the stored files. Files
encrypted by EFS, however, appear as unintelligible characters when the
attacker does not have the decryption key."


How EFS Works

The following steps explain how EFS works.

1. EFS uses a public-private key pair and a per-file encryption key to
encrypt and decrypt data. When a user encrypts a file, EFS generates a
file encryption key (FEK) to encrypt the data. The FEK is encrypted with
the user’s public key, and the encrypted FEK is then stored with the file.

2. Files can be marked for encryption in a variety of ways. The user
can set the encryption attribute for a file by using Advanced Properties
for the file in My Computer, storing the file in a file folder set for
encryption, or by using the Cipher.exe command-line utility. EFS can
also be configured so that users can encrypt or decrypt a file from the
shortcut menu accessed by right-clicking the file.

3. To decrypt files, the user opens the file, removes the encryption
attribute, or decrypts the file by using the cipher command. EFS
decrypts the FEK by using the user’s private key, and then decrypts the
data by using the FEK.

If you don't have the certificate brute force would be the only way to
get to the files, guess for yourself how much time and computing power
it would take to break 128-bit encryption.

John
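
The three "How EFS Works" steps quoted in the post above, together with Kerry Brown's earlier explanation of why a scan-and-try tool opens some files and not others, can be made concrete. The Python model below is an added example written for this page; it is not Microsoft code and not the Elcomsoft tool. Its primitives are stand-ins chosen so it runs offline on the standard library: textbook RSA on fixed Mersenne primes replaces the user's RSA key pair, an HMAC-SHA256 keystream replaces the AES file cipher, and PBKDF2 replaces the DPAPI master key that protects the private key under the logon password. The SIDs, passwords and file contents are constructed. What it shows is the structure the thread argues about: the account password alone unwraps nothing once the private-key blob that lived under the deleted profile is gone; files whose DDF entry names a certificate whose blob does survive open normally (the OP's ~90 files); and a recovery-agent DRF entry opens a file without the user's key at all.

```python
"""Toy model of the EFS key hierarchy discussed in this thread (added example, not
Microsoft code). Real EFS uses padded RSA, AES and DPAPI; the stand-ins below run offline."""
import hashlib
import hmac
import random
from dataclasses import dataclass, field

E = 65537  # RSA public exponent
# Assumption: fixed toy key pairs from Mersenne primes replace real RSA key generation.
MERSENNE = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1]

def rsa_keypair(slot: int):
    """Textbook RSA ((e, n), (d, n)) for slot 0..2. Tiny and unpadded: model only."""
    p, q = MERSENNE[slot], MERSENNE[slot + 1]
    return (E, p * q), (pow(E, -1, (p - 1) * (q - 1)), p * q)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream XOR, standing in for the AES file cipher."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

@dataclass
class UserKeyMaterial:
    """What lived under the deleted profile: certificate (public key) plus the private-key
    blob, which DPAPI keeps encrypted under a key derived from the logon password."""
    public_key: tuple
    thumbprint: str
    protected_private_key: bytes
    salt: bytes

def enroll_user(sid: str, password: str, slot: int) -> UserKeyMaterial:
    public, (d, n) = rsa_keypair(slot)
    salt = hashlib.sha256(sid.encode()).digest()[:16]
    master_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    blob = keystream_xor(master_key, salt, d.to_bytes(32, "big"))
    return UserKeyMaterial(public, hashlib.sha1(repr(public).encode()).hexdigest()[:16], blob, salt)

def unlock_private_key(km: UserKeyMaterial, password: str) -> tuple:
    """Needs both the blob and the password; either one alone recovers nothing."""
    master_key = hashlib.pbkdf2_hmac("sha256", password.encode(), km.salt, 10_000)
    d = int.from_bytes(keystream_xor(master_key, km.salt, km.protected_private_key), "big")
    return d, km.public_key[1]

@dataclass
class EncryptedFile:
    nonce: bytes
    ciphertext: bytes
    fek_check: bytes                         # lets a wrong unwrap key be detected
    ddf: dict = field(default_factory=dict)  # thumbprint -> RSA-wrapped FEK (DDF/DRF)

def efs_encrypt(plaintext: bytes, *keys: UserKeyMaterial) -> EncryptedFile:
    """Fresh FEK per file; one wrapped copy per key allowed to open it (user and, if any, DRA)."""
    fek = random.getrandbits(128).to_bytes(16, "big")
    nonce = random.getrandbits(96).to_bytes(12, "big")
    rec = EncryptedFile(nonce, keystream_xor(fek, nonce, plaintext), hashlib.sha256(fek).digest()[:8])
    for km in keys:
        e, n = km.public_key
        rec.ddf[km.thumbprint] = pow(int.from_bytes(fek, "big"), e, n)
    return rec

def efs_decrypt(rec: EncryptedFile, thumbprint: str, private_key: tuple) -> bytes:
    d, n = private_key
    if thumbprint not in rec.ddf:
        raise PermissionError("no DDF/DRF entry for this certificate")
    m = pow(rec.ddf[thumbprint], d, n)
    if m >> 128 or hashlib.sha256(m.to_bytes(16, "big")).digest()[:8] != rec.fek_check:
        raise PermissionError("this private key does not unwrap the FEK")
    return keystream_xor(m.to_bytes(16, "big"), rec.nonce, rec.ciphertext)

def recover_with_found_keys(files, found_blobs, password) -> int:
    """Scan-and-try, as a recovery tool does: unlock each blob found on disk with the
    account password and try it against every file. Returns how many files open."""
    opened = 0
    for rec in files:
        for km in found_blobs:
            try:
                efs_decrypt(rec, km.thumbprint, unlock_private_key(km, password))
                opened += 1
                break
            except PermissionError:
                pass
    return opened

def scenario() -> dict:
    """The thread's case: one account, two certificates over time, one blob left on disk."""
    password = "correct horse battery"                       # constructed sample values
    old_cert = enroll_user("S-1-5-21-1000", password, 0)    # first certificate
    new_cert = enroll_user("S-1-5-21-1000", password, 1)    # reissued later
    dra = enroll_user("S-1-5-21-500", "dra-passphrase", 2)  # recovery agent
    files = [efs_encrypt(b"old %d" % i, old_cert) for i in range(3)]
    files += [efs_encrypt(b"new %d" % i, new_cert) for i in range(2)]
    files.append(efs_encrypt(b"written under a DRA policy", old_cert, dra))
    return {
        "all_blobs": recover_with_found_keys(files, [old_cert, new_cert], password),
        "new_blob_only": recover_with_found_keys(files, [new_cert], password),
        "wrong_password": recover_with_found_keys(files, [old_cert, new_cert], "guess"),
        "dra_only": recover_with_found_keys(files, [dra], "dra-passphrase"),
    }
```

`scenario()` returns file counts: all six files open when both of the account's private-key blobs are present and the password is right, two when only the later blob is found (the files wrapped for the older certificate stay shut even though the password is known), none with a wrong password, and one, the DRA-covered file, with the agent's key alone. On a real Vista machine the counterpart of `UserKeyMaterial` is the user's certificate plus the key container under the profile; `cipher /x` exports both to a password-protected .pfx, and that export, or a configured recovery agent, is what survives a profile wipe.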

MEB

unread,
Nov 8, 2009, 1:34:07 AM11/8/09
to

John John - MVP wrote:
> MEB wrote:
>> John John - MVP wrote:
>>> MEB wrote:


John John - MVP

unread,
Nov 8, 2009, 1:51:15 AM11/8/09
to
MEB wrote:

> Ask Microsoft to supply you with a formal hard copy, authorized and
> SIGNED statement, supplying exact information that:
> EFS files can not be recovered by any methods without the certificate
> from a previously running system, and also as occurred in the querier's
> original statement, barring the Super Computer brute force method.
> Also that Microsoft has no method and/or tools which might be in
> private or other hands, and knows of no others, which might accomplish
> the recovery.
>
> That would supply a final documented answer to any such questions in
> the future.
> Make sure to tell them you will be sending an exact copy to me [with a
> copy of the envelope]. When you get the signed formal responsive
> document, I will supply an address for you to send a copy of this
> documentation to [which I will have verified], and we can then continue.

I have to admit that I can be a pretty stubborn person at times but when
faced with facts I accept them and admit my error. I've eaten crow on
more than one occasion and it doesn't taste that bad.

As for you I can only say that your stubbornness and refusal to admit
that you can ever be wrong has culminated in what can only be described
as one of the most utterly idiotic attempts ever presented in these
groups by anyone trying to weasel themselves out of a tight corner!

John

MEB

unread,
Nov 8, 2009, 2:07:04 AM11/8/09
to
John John - MVP wrote:


Yeah, right, I put over a dozen friggin links to materials in this
group, you post some basic Microsoft propaganda and that explains it...

There are two MVPs now involved claiming impossibility... you and Kerry
Brown. Make an effort.. get the defined Microsoft document, authorized
and SIGNED.

David Craig

unread,
Nov 8, 2009, 2:27:54 AM11/8/09
to
You are definitely not too bright or just a troll. There is no way any
corporate lawyer would allow such a statement to be issued. It is not
unrealistic to believe that some governments may require a backdoor into any
form of encryption for it to be sold in their country. Such a restriction
would be covered by legal restrictions that would prevent any discussion by
the company who had to comply with those rules. They would also carry
significant jail time and financial penalties.

If you really want a secret to be kept don't ever commit it to anything
except memory and never share it. There are no other certainties.

"MEB" <MEB-no...@hotmail.com> wrote in message
news:e2IMZGEY...@TK2MSFTNGP06.phx.gbl...

MEB

unread,
Nov 8, 2009, 2:51:09 AM11/8/09
to
David Craig wrote:
> You are definitely not too bright or just a troll. There is no way any
> corporate lawyer would allow such a statement to be issued. It is not
> unrealistic to believe that some governments may require a backdoor into any
> form of encryption for it to be sold in their country. Such a restriction
> would be covered by legal restrictions that would prevent any discussion by
> the company who had to comply with those rules. They would also carry
> significant jail time and financial penalties.
>
> If you really want a secret to be kept don't ever commit it to anything
> except memory and never share it. There are no other certainties.

Apparently you aren't too bright, as you claim I am not.

In ONE of the links provided by me in this discussion is a tool created
by Microsoft for law enforcement specifically designed for preliminary
recovery.
Gees, what might be some of the applications on that tool. Since this
is Microsoft's implementation of Security, would Microsoft, perhaps,
understand HOW it works, WHERE the information might still be located,
and HOW to recover it.

Now if it were a simple matter of just removing the certificates, then
a simple script could and would be used to destroy those keys, and no
one would need to worry about the materials that might be found because
EFS protected them. Heck, just attach the script to a set of hotkeys and
you're done.

But that seems to leave all the journaling, indexing, data streams,
temporary areas, and other activities within NTFS un-addressed.
Moreover, since NTFS writes dang near anywhere it wishes to on the
disk, do you think that those and other areas may have some information
about what went on still there... that's a DUH moment in case you missed
it... obviously you haven't done much work with disk hex tools and other
methods.. nor are you apparently familiar with a disk using NTFS at DISK
LEVEL.

So are you a troll?
Or have you failed to take ALL potentials into consideration... I
happen to be required to do that daily...

But you are right on one point, if you want to keep a secret, keep it
to yourself with NO data trail.

David Craig

unread,
Nov 8, 2009, 4:00:49 AM11/8/09
to
I have been writing low level code since MS-DOS 1.25. I am a licensed user
of WinHex, but my job does not require me to find data on a hard drive. I
might do it for personal issues, but I have overcome most of this by doing
backups. I don't use EFS since I don't need to hide anything and I don't
need the issues associated with this, though I have considered BitLocker
under Windows 7 but I can't think of a reason to use it thus far.

Leaving work files such as how Word creates temp files in other directories
is just an issue for those who care about that level of security. I was one of
the two kernel level programmers on "Watchdog - PC Data Security" in the
days of DOS. I have written FDE code, but not now. I get to write NDIS
miniports now and sometimes I get to do some peeking into the world of mass
storage and file systems. I have worked for a major security/antivirus
company in the past, but I will not be specific as to which one.

I suspect the Microsoft utility looks through various free sectors for
remnants of work files when the cops want to find evidence. If you want to
do real security for those sectors, you need a minifilter that will handle
'object-reuse' on deleted files by overwriting any deleted file. There are
utilities that can do it, but most are not done in real time with every
deletion.

BitLocker-to-go for removable USB drives such as flash memory disks, works
by doing "disk in a file" as do several other products. Any temporary files
in that 'disk' will be encrypted eliminating similar techniques unless the
page files where the file might be cached are not protected.

None of this answers the main question about recovering an EFS-encrypted file
without having any way to find the certificate.

I don't really care about this, but I felt a need to post and maybe slow
down the unprofessional personal attacks. The posts were leading me to
believe that some were just 'trolling' to create conflict. Your tag line
with the 'consul' word in it was the main reason I posted since the
'requested letter' was far beyond unrealistic.

"MEB" <MEB-no...@hotmail.com> wrote in message

news:OjDVBfE...@TK2MSFTNGP06.phx.gbl...

MEB

unread,
Nov 8, 2009, 5:02:55 AM11/8/09
to

I'll start with I'm impressed if the above is true.

One more thing to think about...

Microsoft could potentially be found technically and legally liable for
creating the perfect terrorist tools, unbreakable encryption systems.
Think it has?

The letter is not unrealistic, because Microsoft will NOT produce it
due to liability, you know it as well as I do. It would REQUIRE exposing
some of its own secrets or lying about them. However, it is the ONLY
document that would mean much of anything. I would/do intend to have it
verified if it was/is produced.

Microsoft *can* and does put whatever it wants [within reason] on its
site for "general consumption" and not be openly liable, because to the
GENERAL public consumption its EFS, at present, is beyond the means of
*most* general users and usable for most general protection, as claimed.
Flaws likely exist [it's Microsoft's in Microsoft's flawed systems after
all], and hackers or user improper activities could or would be blamed
for any mass exposure issues. Microsoft is in the *business* of selling
software [and hardware now], so PR, public perception, and other factors
always come into play.
For this discussion the recovery of a certificate, e.g., its data, is
what was needed. HOW that data on the disk is found is another matter.

Bitlocker - Not really familiar with it, and it's likely just another
method to give users the idea they are secured. Access to the devices
causes another level of scrutiny.
The world of security is an ever changing landscape, usually several
steps behind the professional hackers... which is one reason LAYERED
security is still the recommended procedure, and physically LOCKED DOWN
[closed and physically controlled] systems are still recommended for any
true security.

BTW: That's counsel, a constitutional registered form, not a licensed
attorney nor licensed Lawyer.. and yeah the standard Usenet name
calling seems to be creeping in from the MVPs recently. Seems you were
headed that way yourself.

FromTheRafters

unread,
Nov 8, 2009, 7:53:14 AM11/8/09
to

"Richard Urban" <richardurba...@hotmail.com> wrote in message
news:%23t83dEW...@TK2MSFTNGP05.phx.gbl...

> Give it to a super computer for a few years!

I was thinking more than just a few years ...and many distributed
computers.

Someone might find this interesting. I'm not too sure how authoritative
it is.

http://blogs.zdnet.com/Ou/?p=204


Andy Medina

unread,
Nov 8, 2009, 8:41:38 AM11/8/09
to
In the meantime, the OP left to post elsewhere where the conduct was less of
a grade school playground brawl.

"sunorain" <suno...@discussions.microsoft.com> wrote something or other and
started a good cat fight.....

"He started it"

"I did not, you did"

"No, you did."

ad infinitum......


John John - MVP

unread,
Nov 8, 2009, 8:56:05 AM11/8/09
to

How will you be sure of the document's authenticity? For good measure
you should ask that the documents be witnessed and notarized by the
Chief Justice and to authenticate the Chief Justice's signature you
should also ask that the Queen of England affix her signature to the
document. For extra peace of mind you should also ask that the Pope
bless the document.

Encryption works with keys, without the keys you can't access your
files. You refuse to even acknowledge the existence of the fundamentals
of encryption, let alone accept them. There is no hope in hell that you
will ever understand how any of it works.

The day after Windows 2000 was released someone lost their files to
encryption because they failed to backup their EFS certificate. People
have been regularly asking the same question for the last ten years and
countless hours of research and trials have been devoted to the issue.
Things haven't changed just because you did a two minute search on the
Internet and then decided to give your 'expert' opinion about something
that you obviously know nothing about.

John

MEB

unread,
Nov 8, 2009, 11:55:13 AM11/8/09
to

Yep, certainly did that, didn't it. Think it was a Usenet "drive-by"
post... or was it possibly related to the "can't be done, don't bother
even trying", wherein everyone has the ability to post their purported
prior experience levels upon challenge... I always get a kick out of
Usenet, but it is reflective of society in general. These same
activities have been carried over into other areas, such as blogs and
"social networking" activities.

--
MEB

MEB

unread,
Nov 8, 2009, 12:38:15 PM11/8/09
to

I'm not worried about authenticity ONLY, it's the statements contained.
DUH!!

Your response has to be one of the most trash filled Usenet posts to be
placed in this discussion. Think it actually impressed anyone...

>
> Encryption works with keys, without the keys you can't access your
> files. You refuse to even acknowledge the existence of the fundamentals
> of encryption, let alone accept them. There is no hope in hell that you
> will ever understand how any of it works.

Yeah, right. Seems you partook in another discussion related to NTFS
over in win98.gen_discussion a few years ago, and didn't know the
internal functions of NTFS in that discussion either.

>
> The day after Windows 2000 was released someone lost their files to
> encryption because they failed to backup their EFS certificate. People
> have been regularly asking the same question for the last ten years and
> countless hours of research and trials have been devoted to the issue.
> Things haven't changed just because you did a two minute search on the
> Internet and then decided to give your 'expert' opinion about something
> that you obviously know nothing about.
>
> John

Yeah, okay, you're the expert... tsktsk...

Peter

unread,
Nov 8, 2009, 4:02:14 PM11/8/09