
Is it possible to decrypt EFS files without backup certificate


sunorain

Oct 26, 2009, 9:25:01 AM

A PC had Vista installed and one folder was encrypted by OS. This folder had
some thousand or so files.

Then Vista was reinstalled, with most old system files (including "Windows",
"Users" and "Documents" folders) deleted before reinstallation. Encrypted
folder left intact on HDD.

Is it possible to get files from encrypted folder somehow decrypted under
newly installed copy of Windows?

Username and password for Windows account used to encrypt folder are known.

Utilities like Elcomsoft's EFS recovery could not do much - when the account
password was supplied, the utility said that it can decrypt about 90 files
in total with no hint on why specifically these files can be decrypted and not
others.

(microsoft.public.security, microsoft.public.win2000.security,
microsoft.public.security.homeusers, microsoft.public.windows.file_system,
microsoft.public.windows.vista.security)

John John - MVP

Oct 26, 2009, 10:22:10 AM

Without a backup of the EFS certificate your files are lost.

John

Unknown

Nov 3, 2009, 11:20:01 AM

That is not true.

There may be no software available to the public, but those files are
crack-able by Microsoft, Hard Drive Data recovery companies, and the
government.


John John - MVP

Nov 3, 2009, 11:41:30 AM

Name *one* data recovery company who can recover encrypted files without
the EFS certificate.

John

Richard Urban

Nov 3, 2009, 11:41:49 AM

Not true

Just recently there was a case of a child pornographer who was released
because he would not decrypt a hard drive for the prosecution. Do you not
think that under these circumstances that if it could be done - it would
have been done?

--

Richard Urban
Microsoft MVP
Windows Desktop Experience & Security


";-)" <;-)@discussions.microsoft.com> wrote in message
news:AC4474AE-EA20-4BFA...@microsoft.com...

@nomail.afraid.org FromTheRafters

Nov 3, 2009, 8:34:39 PM

Sure, it *can* be done. With enough computing power, and enough time.
Therein lies the rub.

"Richard Urban" <richardurba...@hotmail.com> wrote in message
news:uOp%23LSKXK...@TK2MSFTNGP04.phx.gbl...

Richard Urban

Nov 4, 2009, 10:11:39 AM

Give it to a super computer for a few years!

--

Richard Urban
Microsoft MVP
Windows Desktop Experience & Security


"FromTheRafters" <erratic @nomail.afraid.org> wrote in message
news:O5eW77OX...@TK2MSFTNGP04.phx.gbl...

Andy Medina

Nov 4, 2009, 12:20:51 PM

And he gets to foot the supercomputer's utility bills for those few years.
:D
Maybe something like the SETI@home thing might do it a bit faster.

"Richard Urban" <richardurba...@hotmail.com> wrote in message

news:%23t83dEW...@TK2MSFTNGP05.phx.gbl...

MEB

Nov 4, 2009, 1:37:05 PM

Richard Urban wrote:
> Give it to a super computer for a few years!
>

Uhm, this type of additional base security apparently relies upon other
aspects within the system and/or network, such as: strong user and
administration passwords; caching of credentials; IPSec; domain aspects;
DRA; and other system and network activities, found/used in conjunction
with it [I won't directly include hack tools], for the discussion.

Some related and/or historical information might be valuable:

Where Does EFS Fit into your Security Plan?
http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan.html

Re: looking for EFS weaknesses
http://lists.virus.org/forensics-0306/msg00005.html

Analysis of Reported Vulnerability in the Windows 2000 Encrypting File
System (EFS)
http://technet.microsoft.com/en-us/library/cc749962.aspx

Default SYSKEY configuration compromises encrypting file system 13 May 2000
http://www.securiteam.com/windowsntfocus/5FP0B0U1FW.html

Windows 2000 Known Vulnerabilities and Their Fixes - PDF
http://www.sans.org/reading_room/whitepapers/win2k/windows_2000_known_vulnerabilities_and_their_fixes_185

EFS and File Recovery
http://www.informit.com/articles/article.aspx?p=19486

Methods for Recovering Encrypted Data Files
http://support.microsoft.com/kb/255742

Data Protection and Recovery in Windows XP
http://technet.microsoft.com/en-us/library/bb457020.aspx

Encrypting File System in Windows XP and Windows Server 2003
http://technet.microsoft.com/en-us/library/bb457065.aspx

How to back up the recovery agent Encrypting File System (EFS) private
key in Windows Server 2003, in Windows 2000, and in Windows XP
http://support.microsoft.com/kb/241201

EFS File Recovery - Asia Supplement
http://blogs.technet.com/asiasupp/archive/2007/04/26/efs-file-recovery.aspx

How to recover EFS encrypted file
http://www.petri.co.il/forums/showthread.php?t=1609

Vista Tutorial - Encrypted File System (EFS) Certificate Restore
http://www.vistax64.com/tutorials/99956-encrypted-file-system-efs-certificate-restore.html

encrypted file system recovery {*MEB- an interesting look at the system}
http://www.beginningtoseethelight.org/efsrecovery/

Encrypting File System
http://en.wikipedia.org/wiki/Encrypting_File_System

*What the OP apparently tried:
Advanced EFS Data Recovery
http://www.elcomsoft.com/aefsdr.html
Advantages and Disadvantages of EFS and effective recovery of encrypted
data [Whitepaper] - PDF
http://www.elcomsoft.com/WP/advantages_and_disadvantages_of_efs_and_effective_recovery_of_encrypted_data_en.pdf
[Case study] Don’t let EFS trick you: Tips on recovering EFS-encrypted
data when it gets lost.
http://www.elcomsoft.com/cases/tips_on_recovering_EFS-encrypted_data_when_it_gets_lost.pdf

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

MEB

Nov 4, 2009, 9:59:32 PM

John John - MVP wrote:
> None *one* data recovery company who can recover encrypted files without
> the EFS certificate.
>
> John
>
> ;-) wrote:
>> That is not true.
>> There maybe no software available to the public, but those files are
>> crack-able by Microsoft, Hard Drive Data recovery companies, and the
>> government.
>>

I think what was being alluded to, in part, was the known activities
presently occurring between Microsoft and Law enforcement, such as:

Microsoft and National White Collar Crime Center Make Digital Forensics
Tool Available to U.S. Law Enforcement Agencies
http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx

Microsoft denies handing law enforcement ‘backdoor’ keys
http://www.lamp.edu.au/watercooler/microsoft-denies-handing-law-enforcement-backdoor-keys/

>>
>>
>> "John John - MVP" wrote:
>>
>>> Without a backup of the EFS certificate your files are lost.
>>>
>>> John
>>>
>>> sunorain wrote:
>>>> A PC had Vista installed and one folder was encrypted by OS. This
>>>> folder had some thousand or so files.
>>>>
>>>> Then Vista was reinstalled, with most old system files (including
>>>> "Windows", "Users" and "Documents" folders) deleted before
>>>> reinstallation. Encrypted folder left intact on HDD.
>>>>
>>>> Is it possible to get files from encrypted folder somehow decrypted
>>>> under newly installed copy of Windows?
>>>>
>>>> Username and password for Windows account used to encrypt folder are
>>>> known.
>>>>
>>>> Utilities like Elcomsoft's EFS recovery could not do much - when
>>>> account password have been supplied utility said that it can decrypt
>>>> about 90 files in total with no hint on why specifically these files
>>>> can be decrypted and not
>>>> others.
>>>>
>>>> (microsoft.public.security, microsoft.public.win2000.security,
>>>> microsoft.public.security.homeusers,
>>>> microsoft.public.windows.file_system,
>>>> microsoft.public.windows.vista.security)
>>> .
>>>

--

David H. Lipman

Nov 4, 2009, 10:34:18 PM

From: "MEB" <MEB-no...@hotmail.com>

| John John - MVP wrote:
>> None *one* data recovery company who can recover encrypted files without
>> the EFS certificate.

>> John

>> ;-) wrote:
>>> That is not true.
>>> There maybe no software available to the public, but those files are
>>> crack-able by Microsoft, Hard Drive Data recovery companies, and the
>>> government.


| I think what was being alluded too, in part, was the know activities
| presently occurring between Microsoft and Law enforcement, such as:

| Microsoft and National White Collar Crime Center Make Digital Forensics
| Tool Available to U.S. Law Enforcement Agencies
| http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx

| Microsoft denies handing law enforcement 'backdoor' keys
| http://www.lamp.edu.au/watercooler/microsoft-denies-handing-law-enforcement-backdoor-keys/


Wouldn't surprise me as there have always been the rumours of the NSA OS backdoor.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


MEB

Nov 5, 2009, 12:51:09 AM

David H. Lipman wrote:
> From: "MEB" <MEB-no...@hotmail.com>
>
> | John John - MVP wrote:
>>> None *one* data recovery company who can recover encrypted files without
>>> the EFS certificate.
>
>>> John
>
>>> ;-) wrote:
>>>> That is not true.
>>>> There maybe no software available to the public, but those files are
>>>> crack-able by Microsoft, Hard Drive Data recovery companies, and the
>>>> government.
>
>
> | I think what was being alluded too, in part, was the know activities
> | presently occurring between Microsoft and Law enforcement, such as:
>
> | Microsoft and National White Collar Crime Center Make Digital Forensics
> | Tool Available to U.S. Law Enforcement Agencies
> | http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx
>
> | Microsoft denies handing law enforcement ‘backdoor’ keys
> | http://www.lamp.edu.au/watercooler/microsoft-denies-handing-law-enforcement-backdoor-
> | keys/
>
>
>
>
> Wouldn't surprise me as there have always been the rumours of the NSA OS backdoor.
>

And that's essentially the purported problem, there are so many
unknowns involved that speculation runs wild in some circles.

What we do know is questionable enough, such as:

the EFS recovery tool {once} offered via paid support;

You cannot remotely access encrypted files after you upgrade a Windows
Server 2003 file server to Windows Server 2008
http://support.microsoft.com/kb/948690
Post Upgrade EFS Recovery Tool 1.0 (KB948690)
http://www.microsoft.com/downloads/details.aspx?FamilyID=FD786261-D278-40DB-BAF8-70F42D786223&displaylang=en
;

the previously linked Tool for Law Enforcement [actually a set of tools
included within the offered "tool"], and some others mentioned elsewhere
on the Internet [many without supporting documentation, but would there
be, I mean really].
So it can be difficult wading through the actualities of it all when
weighed against known variables and potentials.

Even the discussions which address the linked Tool and suggest
unplugging, fail to understand the information is still there, just a
bit harder to recover. The application of proper forensic tools and
methodology can likely recover whatever materials anyway, by someone
specialized within the field [example: the link to
beginningtoseethelight in my other post today in this discussion].

How far one wishes to go with this on one side or the other, really
doesn't matter, as the really IMPORTANT understanding should be that
security, generally, is designed more for *external*
activities/protection; and is only as secure, locally, as the
network/computers involved [leaving hardware "lock-like" activities not
addressed].
That many/most users fail to understand the relationship between the
hardware involved [such as in this discussion and forensic hard drive
analysis, or WiFi encryption, or whatever] tends to lead to
misconceptions and faulty conclusions. It is all data after all and the
more it travels through the OS, like the NTs and somewhat Linux, or
broadcast over the air, the more tracks it leaves; meaning the more
chances for discovery/recover/hack/whatever; and that just takes a bit
of common sense. Moreover, should one need to do so, look at the
filing/storage systems themselves and what they contain and how they
function {such as indexing, journaling, etc.}; or the TCP/IP protocol,
or the wireless standards, or whatever applies. [Sorry, I drifted a bit.]

So are there "backdoors", the answer would be maybe, perhaps even
likely; we do have the implementation of numerous other like activities
from "On Star", the V-Chip technologies, DIRT, Carnivore, the Tool, and
several others to look at. Do these really matter though... think of the
commonly used cell phone and its data and abilities, and that it can be
hacked... but again, how far do you go and why, what's the purpose in
today's electronic and connected world. The only way to stop this now
[if one has issues with these activities] means reverting to the world
of our grandfathers.

David H. Lipman

Nov 5, 2009, 7:30:40 PM

From: "MEB" <MEB-no...@hotmail.com>

>>>> John

Carnivore isn't a "Backdoor".
It is a combination of protocol sniffer and remote access system to be placed, under
warrant, at an ISP.

MEB

Nov 5, 2009, 8:41:36 PM

Hmm, okay, you are right in the purest sense, it isn't technically a
backdoor as in directly installed or hard coded, but certainly a
backdoor [or perhaps more a trapdoor] to user activities.

http://en.wikipedia.org/wiki/Carnivore_%28software%29
http://peoplescounsel.org/ref/carnivore.htm
http://peoplescounsel.org/dirt.htm

I'm not so sure where the technologies and activities actually ended up
after implementation of the U.S. Patriot Act and like so-called
anti-terrorist Laws around the world. We have seen some rather
disquieting disclosures regarding activities done under guise of these
Laws. You have to remember these are now supposedly classified as
Secret, e.g., related to national/international defense/security
[warrants generally issued by the special courts and/or hearings]. And
here in the US, we won't know much about this activity for another 9
years or so, since the last administration made sure to pass
re-authorization prior to losing office and control.

Moreover, my reference was directed more towards the activities
[monitoring, government programs, Microsoft tools, misconceptions,
recovery techniques, etc.] in general relationship to the hard coded
"backdoors" that worry so many and perhaps rightly so if they exist.

But I think we've now drifted away from the EFS recovery issue.

John John - MVP

Nov 7, 2009, 8:04:39 AM

MEB wrote:

> What we do know is questionable enough, such as:
>
> the EFS recovery tool {once} offered via paid support;
>
> You cannot remotely access encrypted files after you upgrade a Windows
> Server 2003 file server to Windows Server 2008
> http://support.microsoft.com/kb/948690
> Post Upgrade EFS Recovery Tool 1.0 (KB948690)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=FD786261-D278-40DB-BAF8-70F42D786223&displaylang=en

That has absolutely *nothing* to do with recovery of encrypted files
without the EFS certificate, this tool simply recovers the special user
profiles that are not properly migrated under specific circumstances.

John

John John - MVP

Nov 7, 2009, 8:15:50 AM

MEB wrote:
> John John - MVP wrote:
>> None *one* data recovery company who can recover encrypted files without
>> the EFS certificate.
>>
>> John
>>
>> ;-) wrote:
>>> That is not true.
>>> There maybe no software available to the public, but those files are
>>> crack-able by Microsoft, Hard Drive Data recovery companies, and the
>>> government.
>>>
>
> I think what was being alluded too, in part, was the know activities
> presently occurring between Microsoft and Law enforcement, such as:
>
> Microsoft and National White Collar Crime Center Make Digital Forensics
> Tool Available to U.S. Law Enforcement Agencies
> http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx
>
> Microsoft denies handing law enforcement ‘backdoor’ keys
> http://www.lamp.edu.au/watercooler/microsoft-denies-handing-law-enforcement-backdoor-keys/

Members of the British government were blabbering about not being able
to decrypt BitLocked files... until someone reminded them that the very
thing that they were asking for would make *their* own encrypted files
accessible to any foreign entity who had such tools. Strangely enough
at that point the blabbering stopped...

John

John John - MVP

Nov 7, 2009, 9:25:04 AM


None of the above deals with recovering encrypted files *without* the
EFS certificate. These discussions and tools simply deal with known
"best practices" when using EFS and how to use the Recovery Agent or
backup copies of the certificate to regain access to encrypted files.
Other discussions and tools deal with recovery of the certificate (not
files) on failing drives or on Windows installations that fail to start
or recovery of certificates deleted by user error. I think that the
bottom line is that maybe cryptologists with supercomputing power and
ample time might be able to recover these files but in reality without
the certificate for all intents and purposes the files are lost.

It is true that I could walk on the moon, but in reality it is most
unlikely that I ever will, the same goes for most all of us having any
hope of recovering encrypted files without the certificate, unless the
OP can recover his EFS certificate he has truly lost his encrypted files.

John

MEB

Nov 7, 2009, 3:48:35 PM

John John - MVP wrote:

That doesn't even earn a response other than this...

MEB

Nov 7, 2009, 3:49:02 PM

John John - MVP wrote:

What's the problem here.
These are examples regarding recovery generally. So yes, these do have
relevance in a discussion wherein recovery techniques are at hand.
The linked beginningtoseethelight materials address yet another avenue
of approach, and there are other methods depending upon what may be
available on the disk or device using specialized tools for the task.

Or is this the typical Usenet activity wherein, because an individual
post does not contain all elements [having been addressed elsewhere in the
Discussion], this is somehow supposedly false or not related... ignoring
or misstating the rest of the elements discussed within the discussion.
Don't start this junk... or is it that you are having difficulties
holding the entire discussion in mind... if so, you might want to
refresh your memory [perhaps "star" or otherwise note key elements]
before you post.

Per your British government stuff, yes, there WOULD be a problem with
"PUBLICLY" available tools. That doesn't guarantee there are not tools
[legal or otherwise] available.

John John - MVP

Nov 7, 2009, 5:10:17 PM

I eagerly await your instructions to see how you will help the OP
recover his encrypted files without the EFS certificate.

John

MEB

Nov 7, 2009, 5:48:03 PM

Some of the methodology involved was defined within the
beginningtoseethelight materials [which leads the curious to look for
more].. and I'm certainly not going to walk anyone through it, nor
supply more than what I have, I don't help hackers in these groups [and
not saying the querier was a hacker]...

So this appears you do want to play stupid Usenet games... find someone
else to play with. The OP wanted information if it was possible, I
supplied information and linked materials wherein, that it may be possible.

You supplied the "super computer trash", not really very helpful was it...

John John - MVP

Nov 7, 2009, 6:33:25 PM

No, I told the OP the truth, without the EFS he has no realistic hope of
ever recovering his files. Other than that I simply said that I
accepted that given enough resources it may be hypothetically possible
to recover the files but that by and large these resources are not
available to many if any of us posting here. Your insisting that he may
be able to recover the files without the EFS is doing nothing to help
him, you are just sending him on a wild goose chase.

John

MEB

Nov 7, 2009, 7:52:04 PM

Yeah, right, so the OP is looking for the EFS,, no, the certificate and
the methods of potential recovery, having already found:

"Utilities like Elsomsoft's EFS recovery could not do much - when
account password have been supplied utility said that it can decrypt
about 90 files in total with no hint on why specifically these files can
be decrypted and not others."

That's 90 supposedly recoverable files. So how about you explain WHY
these supposed files COULD BE RECOVERED when you claim they can't be
without the certificate.

Your response?


"Without a backup of the EFS certificate your files are lost.

John"

Nah, don't bother,, you suffer under the impression you live in a
perfect world where everything works as claimed...

I told you to actually READ the postings and linked materials.

Kerry Brown

Nov 7, 2009, 8:28:30 PM

Have you ever actually tried to recover files encrypted with EFS? Have you
ever used the Elcomsoft program? I have. It uses whatever certs it can find
to decrypt the files. In most cases the certs used to encrypt files may have
changed over time. As long as you are using the same install of Windows (or
an AD domain) Windows looks after which cert to use for which file. The
Elcomsoft program will scan the hard drive looking for certs and trying
them. It's pretty simple. There are many reasons why the cert may be
available for some files and not others. The most common is they were
encrypted at different times with different accounts. Some may have been
encrypted with a local account. Some may have been encrypted with an AD
account. In the end it all comes down to one simple fact: no cert - no
decryption. Trying to tell someone otherwise is not helpful. Trying to help
them recover the needed certificate(s) would be helpful. Going off on a
tinfoil hat tangent is especially unhelpful.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

MEB

Nov 7, 2009, 8:51:47 PM

Kerry Brown wrote:
> Have you ever actual tried to recover files encrypted with EFS? Have you
> ever used the Elcomsoft program? I have. It uses whatever certs it can
> find to decrypt the files. In most case the certs used to encrypt files
> may have changed over time. As long as you are using the same install of
> Windows (or an AD domain) Windows looks after which cert to use for
> which file. The Elcomsoft program will scan the hard drive looking for
> certs and trying them. It's pretty simple. There are many reasons why
> the cert may be available for some files and not others. The most common
> is they were encrypted at different times with different accounts. Some
> may have been encrypted with a local account. Some may have been
> encrypted with an AD account. In the end it all comes down to one simple
> fact: no cert - no decryption. Trying to tell someone otherwise is not
> helpful. Trying to help them recover the needed certificate(s) would be
> helpful. Going off on a tinfoil hat tangent is especially unhelpful.
>

Why don't you read the linked materials at:


encrypted file system recovery {*MEB- an interesting look at the system}
http://www.beginningtoseethelight.org/efsrecovery/

Take off *your tinfoil hat*, "had some thousand or so files" supposedly
at stake.. think it might be useful to look at ALL potentials... or is
this the standard Windows "frig it just wipe and re-install" or "gosh,
don't know what happened, YOU must have done something wrong" or "you
screwed up too bad for you" attitude.

Kerry Brown

Nov 7, 2009, 9:18:11 PM

I've read that before. I just read it again. The key takeaway is the very
last line:

"in closing - backup your efs keys properly!!"

All of the methods the author talks about, except the very last one, involve
using the original key (certificate). The last method involves some guessing
and relying on files to be stored in a specific layout on the drive in a
specific format. The author never says that it has been done successfully.
Much of the article sounds theoretical. The author uses words like "should"
and "if" a lot.

I'll ask again. Have you ever tried any of this? Have you ever successfully
decrypted an efs encrypted file without having the key? Can you point me to
any reference that says someone has actually done this?

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/


MEB

Nov 7, 2009, 10:03:10 PM

Kerry Brown wrote:
> I've read that before. I just read it again. The key takeaway is the
> very last line:
>
> "in closing - backup your efs keys properly!!"
>
> All of the methods the author talks about, except the very last one,
> involve using the original key (certificate). The last method involves
> some guessing and relying on files to be stored in a specific layout on
> the drive in a specific format. The author never says that it has been
> done successfully. Much of the article sounds theoretical. The author
> uses words like "should" and "if" a lot.

It wasn't exact was it, working from the example system, and would have
been somewhat different in another, that was explained.
The disk hex file review information shows a potential recovery method.
PGP was thought unbreakable, so were numerous other encryption
techniques, many now shown as faulty. These are algorithms leaving
traces in the system. Had the disk been IMMEDIATELY taken out of service
then there were other recovery methods potentially available.

>
> I'll ask again. Have you ever tried any of this? Have you ever
> successfully decrypted an efs encrypted file without having the key? Can
> you point me to any reference that says someone has actually done this?
>

I have a better idea, you are an MVP with perhaps a better connection
to Microsoft.

Ask Microsoft to supply you with a formal hard copy, authorized and
SIGNED statement, supplying exact information that:
EFS files can not be recovered by any methods without the certificate
from a previously running system, and also as occurred in the querier's
original statement, barring the Super Computer brute force method.
Also that Microsoft has no method and/or tools which might be in
private or other hands, and knows of no others, which might accomplish
the recovery.

That would supply a final documented answer to any such questions in
the future.
Make sure to tell them you will be sending an exact copy to me [with a
copy of the envelope]. When you get the signed formal responsive
document, I will supply an address for you to send a copy of this
documentation to [which I will have verified], and we can then continue.

John John - MVP

Nov 8, 2009, 12:02:12 AM

MEB wrote:

> "Utilities like Elsomsoft's EFS recovery could not do much - when
> account password have been supplied utility said that it can decrypt
> about 90 files in total with no hint on why specifically these files can
> be decrypted and not others."
>
> That's 90 supposedly recoverable files. So how about you explain WHY
> these supposed files COULD BE RECOVERED when you claim they can't be
> without the certificate.

Either the utility can find the certificate and decrypt *all* the files
or it can't find it and can't decrypt *any* of them and they want the
user to pay them to find out that the files are utterly lost. You don't
know how many certificates were used on that machine, for all that you
know the utility may have found an old certificate that was used for
test purposes, if it had found the correct certificate it would be able
to decrypt *all* of the thousand or so files that the user lost, not
just 90 of them.

> Your response?
> "Without a backup of the EFS certificate your files are lost.

YES! Absolutely! I repeat, without the certificate the files are lost!

> Nah, don't bother,, you suffer under the impression you live in a
> perfect world where everything works as claimed...

NO, unlike you, I have 10 strong years of experience with operating
systems that are EFS capable and I understand how it works. Believe
what you want but the facts are that you cannot recover these files
without the certificate!

> I told you to actually READ the postings and linked materials.

Why don't you try it for yourself, encrypt files then positively destroy
the certificate and give your utilities a try. Come back and tell us
how you made out and give us replicable proof that you recovered your
files without the certificate. All that these utilities do is try to
find the certificate.

EFS means business and many users find out the hard way that files
without certificate are history! There wouldn't be much sense in having
EFS at all if it could be circumvented by simple recovery tools. The OP
is not the first one to lose his files due to bad or negligent EFS
practices and he isn't the last one, if he can recover the certificate
he may be able to recover the files, if he can't recover the certificate
he is SOL!

John

MEB

Nov 8, 2009, 12:13:59 AM

John John - MVP wrote:

Whatever, I placed a recommendation for a document from Microsoft to
another MVP, why don't the two of you work on it.

John John - MVP

Nov 8, 2009, 1:24:52 AM

Maybe you should find out how encryption works. Some reading is in
order, in particular:

http://technet.microsoft.com/en-us/library/bb457116.aspx
http://technet.microsoft.com/en-us/library/cc875821.aspx

"One solution to help reduce the potential for stolen data is to encrypt
sensitive files by using Encrypting File System (EFS) to increase the
security of your data. Encryption is the application of a mathematical
algorithm to make data unreadable except to those users who have the
required key. EFS is a Microsoft technology that lets you encrypt data
on your computer, and control who can decrypt, or recover, the data.
When files are encrypted, user data cannot be read even if an attacker
has physical access to the computer's data storage."

"An attacker can also steal a computer, remove the hard drives, place
the drives in another system, and gain access to the stored files. Files
encrypted by EFS, however, appear as unintelligible characters when the
attacker does not have the decryption key."


How EFS Works

The following steps explain how EFS works.

1. EFS uses a public-private key pair and a per-file encryption key to
encrypt and decrypt data. When a user encrypts a file, EFS generates a
file encryption key (FEK) to encrypt the data. The FEK is encrypted with
the user’s public key, and the encrypted FEK is then stored with the file.

2. Files can be marked for encryption in a variety of ways. The user
can set the encryption attribute for a file by using Advanced Properties
for the file in My Computer, storing the file in a file folder set for
encryption, or by using the Cipher.exe command-line utility. EFS can
also be configured so that users can encrypt or decrypt a file from the
shortcut menu accessed by right-clicking the file.

3. To decrypt files, the user opens the file, removes the encryption
attribute, or decrypts the file by using the cipher command. EFS
decrypts the FEK by using the user’s private key, and then decrypts the
data by using the FEK.

If you don't have the certificate brute force would be the only way to
get to the files, guess for yourself how much time and computing power
it would take to break 128-bit encryption.

John
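
The key hierarchy from the "How EFS Works" steps above, together with the earlier point in the thread that a recovery utility opens only the files whose key it can find, modelled as an added example that is not part of any post and is not Windows code. It assumes RSA-OAEP and AES-GCM from Go's standard library as stand-ins for EFS's real algorithms and on-disk format; the key names ("old", "current", "dra"), file names and thumbprint scheme are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what stays on disk: ciphertext plus the FEK wrapped once per
// authorised key (user, recovery agent), indexed by that key's thumbprint.
type EncryptedFile struct {
	Name              string
	Nonce, Ciphertext []byte
	WrappedFEK        map[string][]byte
}

// must panics on failures that only a broken RNG or runtime could cause.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Thumbprint is a constructed stand-in for a certificate thumbprint.
func Thumbprint(pub *rsa.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub.N.Bytes())) }

// aead returns AES-GCM for a FEK whose 16-byte length the caller has checked.
func aead(fek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(fek)))) }

// EncryptFile encrypts data under a fresh FEK and wraps that FEK for each recipient.
func EncryptFile(name string, data []byte, recipients ...*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 16+12) // 128-bit FEK followed by a 96-bit GCM nonce
	must(rand.Read(buf))
	fek, nonce := buf[:16], buf[16:]
	f := &EncryptedFile{Name: name, Nonce: nonce, WrappedFEK: map[string][]byte{}}
	f.Ciphertext = aead(fek).Seal(nil, nonce, data, nil)
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		f.WrappedFEK[Thumbprint(pub)] = wrapped
	}
	return f, nil
}

// DecryptFile unwraps the FEK with priv and decrypts; any other key gets an error.
func DecryptFile(f *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := f.WrappedFEK[Thumbprint(&priv.PublicKey)]
	if !ok {
		return nil, fmt.Errorf("%s: no FEK wrapped for this key", f.Name)
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil || len(fek) != 16 {
		return nil, fmt.Errorf("%s: FEK unwrap failed", f.Name)
	}
	return aead(fek).Open(nil, f.Nonce, f.Ciphertext, nil)
}

// Recoverable tries every private key that was found against every file.
func Recoverable(files []*EncryptedFile, found ...*rsa.PrivateKey) []string {
	names := []string{}
	for _, f := range files {
		for _, k := range found {
			if _, err := DecryptFile(f, k); err == nil {
				names = append(names, f.Name)
				break
			}
		}
	}
	return names
}

// BuildSample makes three key pairs and five files; all of it is constructed sample data.
func BuildSample() ([]*EncryptedFile, map[string]*rsa.PrivateKey) {
	keys, files := map[string]*rsa.PrivateKey{}, []*EncryptedFile{}
	for _, id := range []string{"old", "current", "dra"} {
		keys[id] = must(rsa.GenerateKey(rand.Reader, 2048))
	}
	for i, name := range []string{"old-1.txt", "old-2.txt", "new-1.txt", "new-2.txt", "new-3.txt"} {
		to := []*rsa.PublicKey{&keys["current"].PublicKey, &keys["dra"].PublicKey}
		if i < 2 { // the first two files were encrypted earlier, under the old key only
			to = []*rsa.PublicKey{&keys["old"].PublicKey}
		}
		files = append(files, must(EncryptFile(name, []byte("contents of "+name), to...)))
	}
	return files, keys
}

func main() {
	files, keys := BuildSample()
	fmt.Println("old key found:       ", Recoverable(files, keys["old"]))
	fmt.Println("recovery agent found:", Recoverable(files, keys["dra"]))
	fmt.Println("no private key found:", Recoverable(files))
}
```

In this model a partial result means a key other than the one that protects the remaining files was found, and a backed-up user key or recovery agent key is what brings the rest back.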

MEB

Nov 8, 2009, 1:34:07 AM

John John - MVP wrote:
> MEB wrote:
>> John John - MVP wrote:
>>> MEB wrote:

>
> John

John John - MVP

unread,
Nov 8, 2009, 1:51:15 AM11/8/09
to
MEB wrote:

> Ask Microsoft to supply you with a formal hard copy, authorized and
> SIGNED statement, supplying exact information that:
> EFS files can not be recovered by any methods without the certificate
> from a previously running system, and also as occurred in the querier's
> original statement, barring the Super Computer brute force method.
> Also that Microsoft has no method and/or tools which might be in
> private or other hands, and knows of no others, which might accomplish
> the recovery.
>
> That would supply a final documented answer to any such questions in
> the future.
> Make sure to tell them you will be sending an exact copy to me [with a
> copy of the envelope]. When you get the signed formal responsive
> document, I will supply an address for you to send a copy of this
> documentation to [which I will have verified], and we can then continue.

I have to admit that I can be a pretty stubborn person at times but when
faced with facts I accept them and admit my error. I've eaten crow on
more than one occasion and it doesn't taste that bad.

As for you I can only say that your stubbornness and refusal to admit
that you can ever be wrong has culminated in what can only be described
as one of the most utterly idiotic attempts ever presented in these
groups by anyone trying to weasel themselves out of a tight corner!

John

MEB

unread,
Nov 8, 2009, 2:07:04 AM11/8/09
to
John John - MVP wrote:


Yeah, right, I put over a dozen friggin links to materials in this
group, you post some basic Microsoft propaganda and that explains it...

There are two MVPs now involved claiming impossibility... you and Kerry
Brown. Make an effort.. get the defined Microsoft document, authorized
and SIGNED.

David Craig

unread,
Nov 8, 2009, 2:27:54 AM11/8/09
to
You are definitely not too bright or just a troll. There is no way any
corporate lawyer would allow such a statement to be issued. It is not
unrealistic to believe that some governments may require a backdoor into any
form of encryption for it to be sold in their country. Such a restriction
would be covered by legal restrictions that would prevent any discussion by
the company who had to comply with those rules. They would also carry
significant jail time and financial penalties.

If you really want a secret to be kept don't ever commit it to anything
except memory and never share it. There are no other certainties.

"MEB" <MEB-no...@hotmail.com> wrote in message
news:e2IMZGEY...@TK2MSFTNGP06.phx.gbl...

MEB

unread,
Nov 8, 2009, 2:51:09 AM11/8/09
to
David Craig wrote:
> You are definitely not too bright or just a troll. There is no way any
> corporate lawyer would allow such a statement to be issued. It is not
> unrealistic to believe that some governments may require a backdoor into any
> form of encryption for it to be sold in their country. Such a restriction
> would be covered by legal restrictions that would prevent any discussion by
> the company who had to comply with those rules. They would also carry
> significant jail time and financial penalties.
>
> If you really want a secret to be kept don't ever commit it to anything
> except memory and never share it. There are no other certainties.

Apparently you aren't too bright, as you claim I am not.

In ONE of the links provided by me in this discussion is a tool created
by Microsoft for Law enforcement specifically designed for preliminary
recovery.
Gees, what might be some of the applications on that tool. Since this
is Microsoft's implementation of Security, would Microsoft, perhaps,
understand HOW it works, WHERE the information might still be located,
and HOW to recover it.

Now if it were a simple matter of just removing the certificates, then
a simple script could and would be used to destroy those keys, and no
one would need to worry about the materials that might be found because
EFS protected them. Heck, just attach the script to a set of hotkeys and
you're done.

But that seems to leave all the journaling, indexing, data streams,
temporary areas, and other activities within NTFS un-addressed.
Moreover, since NTFS writes dang near anywhere it wishes to on the
disk, do you think that those and other areas may have some information
about what went on still there... that's a DUH moment in case you missed
it... obviously you haven't done much work with disk hex tools and other
methods.. nor are you apparently familiar with a disk using NTFS at DISK
LEVEL.

So are you a troll?
Or have you failed to take ALL potentials into consideration... I
happen to be required to do that daily...

But you are right on one point, if you want to keep a secret, keep it
to yourself with NO data trail.

David Craig

unread,
Nov 8, 2009, 4:00:49 AM11/8/09
to
I have been writing low level code since MS-DOS 1.25. I am a licensed user
of WinHex, but my job does not require me to find data on a hard drive. I
might do it for personal issues, but I have overcome most of this by doing
backups. I don't use EFS since I don't need to hide anything and I don't
need the issues associated with this, though I have considered BitLocker
under Windows 7 but I can't think of a reason to use it thus far.

Leaving work files such as how Word creates temp files in other directories
is just an issue for those who care about that level of security. I was one of
the two kernel level programmers on "Watchdog - PC Data Security" in the
days of DOS. I have written FDE code, but not now. I get to write NDIS
miniports now and sometimes I get to do some peeking into the world of mass
storage and file systems. I have worked for a major security/antivirus
company in the past, but I will not be specific as to which one.

I suspect the Microsoft utility looks through various free sectors for
remnants of work files when the cops want to find evidence. If you want to
do real security for those sectors, you need a minifilter that will handle
'object-reuse' on deleted files by overwriting any deleted file. There are
utilities that can do it, but most are not done in real time with every
deletion.

BitLocker-to-go for removable USB drives such as flash memory disks, works
by doing "disk in a file" as do several other products. Any temporary files
in that 'disk' will be encrypted eliminating similar techniques unless the
page files where the file might be cached are not protected.

None of this answers the main question about recovering an EFS encrypted file
without having any way to find the certificate.

I don't really care about this, but I felt a need to post and maybe slow
down the unprofessional personal attacks. The posts were leading me to
believe that some were just 'trolling' to create conflict. Your tag line
with the 'consul' word in it was the main reason I posted since the
'requested letter' was far beyond unrealistic.

"MEB" <MEB-no...@hotmail.com> wrote in message

news:OjDVBfE...@TK2MSFTNGP06.phx.gbl...

MEB

unread,
Nov 8, 2009, 5:02:55 AM11/8/09
to

I'll start with I'm impressed if the above is true.

One more thing to think about...

Microsoft could potentially be found technically and legally liable for
creating the perfect terrorist tools, unbreakable encryption systems.
Think it has?

The letter is not unrealistic, because Microsoft will NOT produce it
due to liability, you know it as well as I do. It would REQUIRE exposing
some of its own secrets or lying about them. However, it is the ONLY
document that would mean much of anything. I would/do intend to have it
verified if it was/is produced.

Microsoft *can* and does put whatever it wants [within reason] on its
site for "general consumption" and not be openly liable, because to the
GENERAL public consumption its EFS, at present, is beyond the means of
*most* general users and usable for most general protection, as claimed.
Flaws likely exist [its Microsoft's in Microsoft's flawed systems after
all], and hackers or user improper activities could or would be blamed
for any mass exposure issues. Microsoft is in the *business* of selling
software [and hardware now], so PR, public perception, and other factors
always come into play.
For this discussion the recovery of a certificate, e.g., its data, is
what was needed. HOW that data on the disk is found is another matter.

Bitlocker - Not really familiar with it, and it's likely just another
method to give users the idea they are secured. Access to the devices
causes another level of scrutiny.
The world of security is an ever changing landscape, usually several
steps behind the professional hackers... which is one reason LAYERED
security is still the recommended procedure, and physically LOCKED DOWN
[closed and physically controlled] systems are still recommended for any
true security.

BTW: That's counsel, a constitutional registered form, not a licensed
attorney nor licensed Lawyer.. and yeah the standard Usenet name
calling seems to be creeping in from the MVPs recently. Seems you were
headed that way yourself.

@nomail.afraid.org FromTheRafters

unread,
Nov 8, 2009, 7:53:14 AM11/8/09
to

"Richard Urban" <richardurba...@hotmail.com> wrote in message
news:%23t83dEW...@TK2MSFTNGP05.phx.gbl...

> Give it to a super computer for a few years!

I was thinking more than just a few years ...and many distributed
computers.

Someone might find this interesting. I'm not too sure how authoritative
it is.

http://blogs.zdnet.com/Ou/?p=204


Andy Medina

unread,
Nov 8, 2009, 8:41:38 AM11/8/09
to
In the meantime, the OP left to post elsewhere where the conduct was less of
a grade school playground brawl.

"sunorain" <suno...@discussions.microsoft.com> wrote something or other and
started a good cat fight.....

"He started it"

"I did not, you did"

"No, you did."

ad infinitum......


John John - MVP

unread,
Nov 8, 2009, 8:56:05 AM11/8/09
to

How will you be sure of the document's authenticity? For good measure
you should ask that the documents be witnessed and notarized by the
Chief Justice and to authenticate the Chief of Justice's signature
you should also ask that the Queen of England affix her signature to the
document. For extra peace of mind you should also ask that the Pope
bless the document.

Encryption works with keys, without the keys you can't access your
files. You refuse to even acknowledge the existence of the fundamentals
of encryption, let alone accept them. There is no hope in hell that you
will ever understand how any of it works.

The day after Windows 2000 was released someone lost their files to
encryption because they failed to backup their EFS certificate. People
have been regularly asking the same question for the last ten years and
countless hours of research and trials have been devoted to the issue.
Things haven't changed just because you did a two minute search on the
Internet and then decided to give your 'expert' opinion about something
that you obviously know nothing about.

John

MEB

unread,
Nov 8, 2009, 11:55:13 AM11/8/09
to

Yep, certainly did that, didn't it. Think it was a Usenet "drive-by"
post... or was it possibly related to the "can't be done, don't bother
even trying", wherein everyone has the ability to post their purported
prior experience levels upon challenge... I always get a kick out of
Usenet, but it is reflective of society in general. These same
activities have been carried over into other areas, such as blogs and
"social networking" activities.

--
MEB

MEB

unread,
Nov 8, 2009, 12:38:15 PM11/8/09
to

I'm not worried about authenticity ONLY, it's the statements contained.
DUH!!

Your response has to be one of the most trash filled Usenet posts to be
placed in this discussion. Think it actually impressed anyone...

>
> Encryption works with keys, without the keys you can't access your
> files. You refuse to even acknowledge the existence of the fundamentals
> of encryption, let alone accept them. There is no hope in hell that you
> will ever understand how any of it works.

Yeah, right. Seems you partook in another discussion related to NTFS
over in win98.gen_discussion a few years ago, and didn't know the
internal functions of NTFS in that discussion either.

>
> The day after Windows 2000 was released someone lost their files to
> encryption because they failed to backup their EFS certificate. People
> have been regularly asking the same question for the last ten years and
> countless hours of research and trials have been devoted to the issue.
> Things haven't changed just because you did a two minute search on the
> Internet and then decided to give your 'expert' opinion about something
> that you obviously know nothing about.
>
> John

Yeah, okay, you're the expert... tsktsk...

Peter

unread,
Nov 8, 2009, 4:02:14 PM11/8/09
to

"MEB" <MEB-no...@hotmail.com> wrote in message
news:e0KhBPJY...@TK2MSFTNGP02.phx.gbl...

What an egotistical troll you are! The problem isn't with the others it is
with YOU! You are the one who did the "drive-by" post. You gave no useful
advice at all, the only thing that you did is show your vitriolic
personality and ignorance, and you have plenty of that to go 'round!

Let me add my voice to this, I've "been there, done that" and I've learned
the hard way. I'm one of those who lost files because I didn't know any
better and I didn't backup my certificate, without the certificate the files
are lost. You're wasting everybody's time with your less than helpful
posts.


Peter Foldes

unread,
Nov 8, 2009, 4:30:20 PM11/8/09
to
Oh man, give it a rest. You are wrong and period

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"MEB" <MEB-no...@hotmail.com> wrote in message

news:eWzXEnJ...@TK2MSFTNGP06.phx.gbl...

Shenan Stanley

unread,
Nov 9, 2009, 2:36:09 AM11/9/09
to
<snipped>

Want to see more of this?
http://www.youtube.com/watch?v=DgAVroI6_34

Wait - oops, my mistake - similar though. Funnier - IMHO.

This is it:
http://groups.google.com/group/microsoft.public.security.crypto/browse_frm/thread/a2947a859b65b75e/

MEB wrote:
<snipped>


> I have a better idea, you are an MVP with perhaps a better
> connection to Microsoft.
>
> Ask Microsoft to supply you with a formal hard copy, authorized and
> SIGNED statement, supplying exact information that:
> EFS files can not be recovered by any methods without the
> certificate from a previously running system, and also as occurred
> in the querier's original statement, barring the Super Computer
> brute force method.
>
> Also that Microsoft has no method and/or tools which might be in
> private or other hands, and knows of no others, which might
> accomplish the recovery.
>
> That would supply a final documented answer to any such
> questions in the future.
>
> Make sure to tell them you will be sending an exact copy to me
> [with a copy of the envelope]. When you get the signed formal
> responsive document, I will supply an address for you to send a
> copy of this documentation to [which I will have verified], and we
> can then continue.

Continue? Wouldn't that *end* things? *grin*

I see this conversation culminated (in several places) to the old classic,
"I cannot prove it, you prove your side first." (I'd throw in a "Nyah
Nyah", but then, well - that might be accurate. hah)

I'd say the side who says something *is* possible should present their proof
to the side that says something is *not* possible.

Why?

Usually the "not possible" side doesn't care if it is/is not possible
anyway - because they have no incentive - they have decided (or know) that
it is not possible. If it is *not* possible - why would you put effort into
proving that? Only the side that says something *is* possible has any true
incentive. The "not possible" side usually will only continue the
discussion for pride or some hope the other side will see the error of their
ways and they will be the one to have convinced them (wait - that's pride
still.)

Oh, wait! Both sides have nothing but pride at stake. My bad.

Many times - even if one side can provide proof, the other side will just
dispute it or the accuracy of it or break down where the proof came from
or... Well - you get the idea. There is no winning side.

In the end - I fall pretty well in the 'don't care about the subject at
hand' part of this particular equation, greatly enforced by conversations
such as this specific one which turn into nothing more than faith-based
arguments and soon turn into name-calling and mud-slinging instead of
anything productive.

Thus - no mention _by me_ of the actual subject in my response.

Hey - at least the Original Poster of this conversation made the best choice
for them...
(Hit & Run...)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


@nomail.afraid.org FromTheRafters

unread,
Nov 9, 2009, 6:16:03 AM11/9/09
to
"Shenan Stanley" <newsh...@gmail.com> wrote in message
news:OOjkk9QY...@TK2MSFTNGP05.phx.gbl...

> <snipped>
>
> Want to see more of this?
> http://www.youtube.com/watch?v=DgAVroI6_34

Shenan you wascal.

Isn't the answer to the OP's question as stated in the subject line -
yes?

Without a "backup" certificate, couldn't one use the original or a
recovery agent's certificate?

...of course in the body of the post it appears that both the original
and the local administrator's recovery agent certificate were deleted.
Is it wrong to explore the possibility that the OP may have made a
backup of the now deleted data which still contains the means to decrypt
the key? What is wrong with suggesting something other than "NO, your
files are toast now"? The OP may have a "backed up" certificate in a
disk image, rather than have made a "backup" certificate, that can still
be used to decrypt the key.

Might the OP, having read the documents MEB posted, have gleaned a more
thorough understanding of the EFS and how it works - and where the
needed keys might still be stored?


MEB

unread,
Nov 9, 2009, 8:40:06 AM11/9/09
to
FromTheRafters wrote:
> "Shenan Stanley" <newsh...@gmail.com> wrote in message
> news:OOjkk9QY...@TK2MSFTNGP05.phx.gbl...
>> <snipped>
>>
>> Want to see more of this?
>> http://www.youtube.com/watch?v=DgAVroI6_34
>
> Shenan you wascal.
>
> Isn't the answer to the OP's question as stated in the subject line -
> yes?
>
> Without a "backup" certificate, couldn't one use the original or a
> recovery agent's certificate?
>
> ....of course in the body of the post it appears that both the original
> and the local administrator's recovery agent certificate were deleted.
> Is it wrong to explore the possibility that the OP may have made a
> backup of the now deleted data which still contains the means to decrypt
> the key? What is wrong with suggesting something other than "NO, your
> files are toast now"? The OP may have a "backed up" certificate in a
> disk image, rather than have made a "backup" certificate, that can still
> be used to decrypt the key.
>
> Might the OP, having read the documents MEB posted, have gleaned a more
> thorough understanding of the EFS and how it works - and where the
> needed keys might still be stored?
>
>

Thank you, a spark of intelligence, some thoughtful consideration.

There seems to be a failure to understand both your commented material,
and other potentials such as undelete tools, disk recovery software, and
or other data recovery tools and techniques which could have potentially
been used to at least TRY for the recovery. A flat statement of
"unrecoverable, they're lost" fails to address the activities of the
user, and tools which are available and which might have been tried.
Futile perhaps, but YOU [here, not at the computer] don't know all the
potential variables involved with that user and that computer.
AT LEAST give users something to think about and some options to try.
It is extremely easy for a user to overlook things in "panic mode".

@nomail.afraid.org FromTheRafters

unread,
Nov 9, 2009, 9:21:34 AM11/9/09
to
"MEB" <MEB-no...@hotmail.com> wrote in message
news:ugUZlGUY...@TK2MSFTNGP05.phx.gbl...

As the Californian Santa-Anna winds prove - a spark can become a
conflagration just by adding hot air. Perhaps your next post will set me
fully ablaze. :oD


@nomail.afraid.org FromTheRafters

unread,
Nov 9, 2009, 9:51:43 AM11/9/09
to
"MEB" <MEB-no...@hotmail.com> wrote in message
news:ugUZlGUY...@TK2MSFTNGP05.phx.gbl...

In another post, in another group, a poster wanted to know where on the
Microsoft websites he could download the most up-to-date version of OE.
I posted a link. Others pointed out he was posting with the most current
version (I never assume a poster is posting from the same machine he or
she is trying to troubleshoot). Yet another asked what he was trying to
accomplish IIRC. As it turned out, he was trying to install OE on
Windows 7. Whereas I posted the correct answer for the question asked,
the answer the poster needed was that OE cannot be installed directly on
the Windows 7 platform.

Sometimes it is the wrong question being asked. The avenue that you
chose may have led the OP to the answer he needed, whereas the others
made the same mistake that I did by answering the question that they
inferred directly from the post.


MEB

unread,
Nov 9, 2009, 11:01:36 AM11/9/09
to

It is fairly common to proceed in that fashion, particularly after
handling hundreds of prior postings. Moreover, it is difficult at times
to determine what the querier actually does mean to ask or needs.
I would suppose you can't really blame those who have become a bit lax
in responses or use a standard answer. However, when one does come in to
perhaps proceed in a normal diagnostic mode or alternative fashion, it
certainly looks bad when others attack that party for proceeding in that
fashion, completely over-looking what should be obvious. Particularly
after attempting to explain those factors.
But that happens also, and after about 30 years of being subjected to
that type of activity it does become a bit tiresome, particularly when
it reverts to normal Usenet name calling and attacks on the person.

Anyway, I do hope the OP was able to recover those files, perhaps not,
but I did try. And thank you for at least picking up on alternative
situations.

I suppose I should also include a correction before someone takes issue.
The statement:


"other potentials such as undelete tools,"

should be more accurately stated as:
"other potentials such as, depending upon the circumstances, undelete
tools," to cover other potential occurrences.

Peter

unread,
Nov 9, 2009, 11:46:21 AM11/9/09
to
"MEB" <MEB-no...@hotmail.com> wrote in message
news:ugUZlGUY...@TK2MSFTNGP05.phx.gbl...

So instead of telling it like it is you think that sugar coating the
unpalatable truth and having the OP engage in pointless exercises is the way
to help? Go back and read the original post and review the facts:

1- The OP wanted to reinstall Vista.
2- Before reinstalling Vista he removed 'almost' all of the system files
and folders on the drive, (including "Windows", "Users" and "Documents"
folders), he kept the encrypted folder intact on the drive.
3- The OP then reinstalled Vista.
4- The OP then discovered that he could not access his encrypted files.
5- The OP tried various utilities such as Elcomsoft's EFS recovery tool and
discovered that the utilities couldn't recover the files.
6- The OP did not save a backup copy of the certificate.

With the above known facts, being that almost all of the files were removed
and that Vista was reinstalled there certainly is a strong possibility that
the old certificate was overwritten during the reinstall. The OP did try
certificate recovery utilities and these utilities failed to recover the
certificate, he then came here and asked a simple question:

"Is it possible to decrypt EFS files without backup certificate?"

Several persons including 2 MVPs gave the correct answer to the question:
"Without the certificate the files cannot be recovered". You on the other
hand decided to go off on a tangent and attack the personal integrity of any
and all who would contradict your claims that the files could still be
recovered without the certificate. Instead of accepting the facts and letting
go of the issue you then made a request that you knew very well could not be
filled, you asked the 2 MVPs to back their replies with an official signed
statement from Microsoft. You figured that since no one would consider such
a silly request that you had been vindicated and that you were right.

The information that you wanted is available in more than one place on the
Microsoft site. If you read KB223316 you will find the following statements
from Microsoft:

How files are encrypted

Files are encrypted through the use of algorithms that essentially
rearrange, scramble, and encode the data. A key pair is randomly generated
when you encrypt your first file. This key pair is made up of a private and
a public key. The key pair is used to encode and decode the encrypted files.

If the key pair is lost or damaged and you have not designated a recovery
agent, and then there is no way to recover the data.

Why you must back up your certificates

Because there is no way to recover data that has been encrypted with a
corrupted or missing certificate, it is critical that you back up the
certificates and store them in a secure location. You can also specify a
recovery agent. This agent can restore the data. The recovery agent's
certificate serves a different purpose than the user's certificate.


That is official and definitive enough for all reasonable persons. The
others have nothing to prove here, they were right and you were wrong.
Everybody makes mistakes, perhaps you read the original post too quickly and
replied without giving it full thought. It's time that you show some of
that 'spark of intelligence', admit your error and let it go. Or are you
really nothing more than a troll who cannot stand being proven wrong?


@nomail.afraid.org FromTheRafters

unread,
Nov 9, 2009, 12:10:51 PM11/9/09
to

"Peter" <inv...@nothere.com> wrote in message
news:yHXJm.13912$de6....@newsfe21.iad...

> The information that you wanted is available in more than one place on
> the Microsoft site. If you read KB223316 you will find the following
> statements from Microsoft:

Find the equivalent for Vista.

> How files are encrypted
> Files are encrypted through the use of algorithms that essentially
> rearrange, scramble, and encode the data. A key pair is randomly
> generated when you encrypt your first file. This key pair is made up
> of a private and a public key. The key pair is used to encode and
> decode the encrypted files.

If I'm not mistaken, Vista uses a single key to encrypt the data and
then one of a key pair to encrypt *that* key - the actual key is then
with the file (covered) - and in addition by default uses the local
administrator account to have a different key pair (recovery agent) also
used to decrypt the actual key that encrypted the data and is also stored
within the file.

If I am mistaken, please do enlighten me.
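
The key arrangement quoted under "How EFS Works" earlier in the thread and described in the post above (one per-file FEK, wrapped once for the user's key pair and once for a recovery agent's) can be modelled in a few lines. This is an added illustration, not part of any post and not Microsoft's code: textbook RSA over fixed Mersenne primes and a SHA-256 keystream stand in for the real public-key and symmetric ciphers, and every function and field name is made up for the example.

```python
"""Simplified model of the EFS key hierarchy (constructed illustration only)."""
import hashlib
import secrets

E = 65537  # RSA public exponent
SAMPLE = b"constructed sample plaintext " * 3  # constructed test data


def make_keypair(p_bits, q_bits):
    """Textbook RSA from two Mersenne primes (2**k - 1).

    Toy only: no padding and publicly known primes. It stands in for the
    key pair behind a user's or recovery agent's EFS certificate.
    """
    p, q = 2**p_bits - 1, 2**q_bits - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    # Hypothetical "thumbprint": identifies which key a wrapped FEK is for.
    thumbprint = hashlib.sha256(str(n).encode()).hexdigest()[:16]
    return {"n": n, "d": d, "thumbprint": thumbprint}


def keystream_xor(key, data):
    """Hash-counter keystream XOR, a stand-in for the symmetric file cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def efs_encrypt(plaintext, recipients):
    """Encrypt under a fresh random FEK and wrap the FEK for each recipient.

    Only the public part (n, E) of each recipient key is used here.
    """
    fek = secrets.token_bytes(16)  # 128-bit file encryption key
    key_fields = {
        r["thumbprint"]: pow(int.from_bytes(fek, "big"), E, r["n"])
        for r in recipients
    }
    # The wrapped FEKs travel with the file; the FEK itself is never stored.
    return {"key_fields": key_fields, "data": keystream_xor(fek, plaintext)}


def efs_decrypt(efs_file, private_key):
    """Unwrap the FEK with a private key that matches one of the key fields."""
    wrapped = efs_file["key_fields"].get(private_key["thumbprint"])
    if wrapped is None:
        raise PermissionError("no key field matches this certificate")
    fek_int = pow(wrapped, private_key["d"], private_key["n"])
    return keystream_xor(fek_int.to_bytes(16, "big"), efs_file["data"])


def reinstall_scenario():
    """Who can still read the file after the OS is reinstalled?"""
    old_user = make_keypair(127, 89)        # key pair of the original install
    recovery_agent = make_keypair(107, 61)  # designated recovery agent
    efs_file = efs_encrypt(SAMPLE, [old_user, recovery_agent])

    # Same account name and password on a fresh install still means a
    # newly generated key pair, which no key field in the file refers to.
    new_user = make_keypair(521, 607)

    results = {}
    for name, key in (("old_user", old_user),
                      ("recovery_agent", recovery_agent),
                      ("new_user", new_user)):
        try:
            results[name] = efs_decrypt(efs_file, key)
        except PermissionError:
            results[name] = None
    return results


if __name__ == "__main__":
    for who, plaintext in reinstall_scenario().items():
        print(who, "->", "decrypted" if plaintext == SAMPLE else "access denied")
```

In the model, a backed-up user key or a recovery agent key is enough on its own, while the key pair created by the new installation unlocks nothing.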

MEB

unread,
Nov 9, 2009, 3:03:12 PM11/9/09
to

Did you consider the *content* of the original post... no.
There may have been residuals of files [data] left over for recovery
via various methods, PERIOD.
NOT [we don't even need to go there because there was this data on the
disk at one point] *without* a backup certificate/keys, but with what
might have been available upon the disk itself... just as you *can*
recover files from a formatted disk, or files improperly deleted, or
otherwise supposedly lost. It is ALWAYS worth an effort if the materials
are important [which they must have been to be encrypted] or otherwise
*to the USER*.
So the ACTUAL question being asked SHOULD HAVE BEEN is it possible to
recover EFS files ... then the explanation that was provided describing
what had occurred.
IN the circumstance, as described by the querier, there is a good
chance that the files MAY have been recoverable WITH A RECOVERED
certificate/key using several of the methods I took the time to explain
and/or link to.

Since you can't seem to understand, let me spell it out for you,
perhaps it might help if you read the below SLOWLY:
The querier asked a question, but described a circumstance wherein it was
potentially possible to actually recover the files. So since the
question subject line DID NOT fit the description of the problem, you,
as a responder, are SUPPOSED to be able to weigh the value of each and
provide what was needed. If not, you ask more questions to remove
potential avenues of address.
In THIS circumstance, the answer I gave was correct, BECAUSE there may
have been recovery methods to take care of the issue, e.g., not having
backed up cert/keys. The DATA needed may still have been available
somewhere on the disk.
The *not recoverable* statements *ENSURED* they could not be recovered
due to over-written disk areas, and COMPLETELY ignored the potential for
an old image or other that may have been available.
Let's hope those unrecoverable statements did not cause undue loss to
the OP.

BTW: this wouldn't be the first time I have corrected Microsoft's
documentation pursuant NTFS or other documentation or the MVPs.. did you
bother to look at the materials I had already linked to, apparently
not... did you actually READ WITH COMPREHENSION the statements I made
... apparently not. So take your Usenet crap somewhere else.

Make an effort to use that brain you supposedly have..

Richard Urban

unread,
Nov 9, 2009, 5:23:13 PM11/9/09
to
The **FACT** is - they weren't able to crack the encryption using any
method.

So why would **I** find your links valuable?

Send them to all the prosecutors in the world and they may find them as
worthless as most knowledgeable people do.

--

Richard Urban
Microsoft MVP
Windows Desktop Experience & Security


"MEB" <MEB-no...@hotmail.com> wrote in message

news:%23OW4o1X...@TK2MSFTNGP04.phx.gbl...


> Richard Urban wrote:
>> Give it to a super computer for a few years!
>>
>

> Uhm, this type of additional base security apparently relies upon other
> aspects within the system and/or network, such as: strong user and
> administration passwords; caching of credentials; IPSec; domain aspects;
> DRA; and other system and network activities, found/used in conjunction
> with it [I won't directly include hack tools], for the discussion.
>
> Some related and/or historical information might be valuable:
>
> Where Does EFS Fit into your Security Plan?
> http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan.html
>
> Re: looking for EFS weaknesses
> http://lists.virus.org/forensics-0306/msg00005.html
>
> Analysis of Reported Vulnerability in the Windows 2000 Encrypting File
> System (EFS)
> http://technet.microsoft.com/en-us/library/cc749962.aspx
>
> Default SYSKEY configuration compromises encrypting file system 13 May
> 2000
> http://www.securiteam.com/windowsntfocus/5FP0B0U1FW.html
>
> Windows 2000 Known Vulnerabilities and Their Fixes - PDF
> http://www.sans.org/reading_room/whitepapers/win2k/windows_2000_known_vulnerabilities_and_their_fixes_185
>
> EFS and File Recovery
> http://www.informit.com/articles/article.aspx?p=19486
>
> Methods for Recovering Encrypted Data Files
> http://support.microsoft.com/kb/255742
>
> Data Protection and Recovery in Windows XP
> http://technet.microsoft.com/en-us/library/bb457020.aspx
>
> Encrypting File System in Windows XP and Windows Server 2003
> http://technet.microsoft.com/en-us/library/bb457065.aspx
>
> How to back up the recovery agent Encrypting File System (EFS) private
> key in Windows Server 2003, in Windows 2000, and in Windows XP
> http://support.microsoft.com/kb/241201
>
> EFS File Recovery - Asia Supplement
> http://blogs.technet.com/asiasupp/archive/2007/04/26/efs-file-recovery.aspx
>
> How to recover EFS encrypted file
> http://www.petri.co.il/forums/showthread.php?t=1609
>
> Vista Tutorial - Encrypted File System (EFS) Certificate Restore
> http://www.vistax64.com/tutorials/99956-encrypted-file-system-efs-certificate-restore.html
>
> encrypted file system recovery {*MEB- an interesting look at the system}
> http://www.beginningtoseethelight.org/efsrecovery/
>
> Encrypting File System
> http://en.wikipedia.org/wiki/Encrypting_File_System
>
> *What the OP apparently tried:
> Advanced EFS Data Recovery
> http://www.elcomsoft.com/aefsdr.html
> Advantages and Disadvantages of EFS and effective recovery of encrypted
> data [Whitepaper] - PDF
> http://www.elcomsoft.com/WP/advantages_and_disadvantages_of_efs_and_effective_recovery_of_encrypted_data_en.pdf
> [Case study] Don’t let EFS trick you: Tips on recovering EFS-encrypted
> data when it gets lost.
> http://www.elcomsoft.com/cases/tips_on_recovering_EFS-encrypted_data_when_it_gets_lost.pdf

MEB

Nov 9, 2009, 6:59:00 PM
Richard Urban wrote:
> The **FACT** is - they weren't able to crack the encryption using any
> method.
>
> So why would **I** find your links valuable?
>
> Send them to all the prosecutors in the world and they may find them as
> worthless as most knowledgeable people do.
>

HAHA, that's funny. Did you work on that one for a couple days to come
up with it..

Richard Urban

Nov 9, 2009, 7:42:07 PM
It takes but a second to debunk you!

--

Richard Urban
Microsoft MVP
Windows Desktop Experience & Security


"MEB" <MEB-no...@hotmail.com> wrote in message

news:%23tGOXgZ...@TK2MSFTNGP05.phx.gbl...

MEB

Nov 9, 2009, 8:13:54 PM
Richard Urban wrote:
> It takes but a second to debunk you!
>
Really, that took five days and you didn't succeed.

Peter

Nov 9, 2009, 8:30:46 PM
"FromTheRafters" <erratic @nomail.afraid.org> wrote in message
news:%23cbUZ%23VYKH...@TK2MSFTNGP04.phx.gbl...

>
> "Peter" <inv...@nothere.com> wrote in message
> news:yHXJm.13912$de6....@newsfe21.iad...
>
>> The information that you wanted is available in more than one place on
>> the Microsoft site. If you read KB223316 you will find the following
>> statements from Microsoft:
>
> Find the equivalent for Vista.

Sheesh!!! Do you think that things are that much different in Vista and
that you can recover encrypted files without the certificate?

http://windows.microsoft.com/en-XM/windows-vista/Recover-encrypted-files-or-folders
http://windows.microsoft.com/en-US/windows-vista/Certificates-frequently-asked-questions
http://windows.microsoft.com/en-US/windows-vista/Back-up-Encrypting-File-System-EFS-certificate
http://windows.microsoft.com/en-MY/windows-vista/Encrypt-or-decrypt-a-folder-or-file
http://windows.microsoft.com/en-GB/windows-vista/What-to-do-if-you-lose-your-file-encryption-key
http://technet.microsoft.com/zh-tw/library/cc749051(WS.10).aspx

>
>> How files are encrypted
>> Files are encrypted through the use of algorithms that essentially
>> rearrange, scramble, and encode the data. A key pair is randomly
>> generated when you encrypt your first file. This key pair is made up of a
>> private and a public key. The key pair is used to encode and decode the
>> encrypted files.
>
> If I'm not mistaken, Vista uses a single key to encrypt the data and then
> one of a key pair to encrypt *that* key - the actual key is then with the
> file (covered) - and in addition by default uses the local administrator
> account to have a different key pair (recovery agent) also used to decrypt
> the actual key that encrypted the data and is also stored within the file.
> If I am mistaken, please do enlighten me.

Why not supply a link to *your* source of information?

In any case it still wouldn't detract from the fact that without the
certificate the files are lost.


Peter

Nov 9, 2009, 8:34:07 PM
"MEB" <MEB-no...@hotmail.com> wrote in message
news:egAvncXY...@TK2MSFTNGP02.phx.gbl...

You've confirmed and proven beyond any doubt that you are indeed nothing
more than an obnoxious troll on an ego trip.


Shenan Stanley

Nov 9, 2009, 8:36:43 PM
sunorain wrote:
> A PC had Vista installed and one folder was encrypted by OS. This
> folder had some thousand or so files.
>
> Then Vista was reinstalled, with most old system files (including
> "Windows", "Users" and "Documents" folders) deleted before
> reinstallation. Encrypted folder left intact on HDD.
>
> Is it possible to get files from encrypted folder somehow decrypted
> under newly installed copy of Windows?
>
> Username and password for Windows account used to encrypt folder
> are known.
>
> Utilities like Elcomsoft's EFS recovery could not do much - when
> account password has been supplied utility said that it can
> decrypt about 90 files in total with no hint on why specifically
> these files can be decrypted and not others.
>
> (microsoft.public.security, microsoft.public.win2000.security,
> microsoft.public.security.homeusers,
> microsoft.public.windows.file_system,
> microsoft.public.windows.vista.security)

sunorain,

I have empathy for your post and what it has been turned into. I did find a
fine example of what it basically has become...

http://video.google.com/videoplay?docid=-4784409600367252507

Hopefully it serves more purpose than the back-and-forth your conversation
has become - at least make you smile/laugh - *grin*

Direct answer...

In general - if you have no backup of your encryption key/cert and/or backup
of your old hard disk drive contents (full image) so you might revert to it
and regain said information and back it up this time - your files/folders in
the EFS are likely (for all intents and purposes) lost to you.

It sucks - but it is why people are encouraged to make good backups.

Might you be able to get something back? Sure - anything is possible - but
you'd have to let everyone know what backups you have, if you have an image
of the hard disk drive before the problems, etc. However - assuming you
would have mentioned that - recovery is unlikely - even if you throw a lot
of money at the issue.

MEB

Nov 9, 2009, 8:47:22 PM

Oh boy, gotta love this stuff...

Peter

Nov 9, 2009, 8:55:09 PM
"MEB" <MEB-no...@hotmail.com> wrote in message
news:u29d6caY...@TK2MSFTNGP05.phx.gbl...

Of course you do, that is what trolls like you live for. Bye.


MEB

Nov 9, 2009, 8:57:22 PM

Okay, at LEAST add there are some really good [some free] disk recovery
programs that could be tried. What can it hurt... it would take less
than twenty or thirty minutes to check including download time... heck,
even something like Hiren's or Knoppix Live could potentially be used.
This was an old [apparently as there are a few thousand files involved]
large installation with a SMALLER new installation placed, why not check...

Shenan Stanley

Nov 9, 2009, 9:38:55 PM
sunorain wrote:
> A PC had Vista installed and one folder was encrypted by OS. This
> folder had some thousand or so files.
>
> Then Vista was reinstalled, with most old system files (including
> "Windows", "Users" and "Documents" folders) deleted before
> reinstallation. Encrypted folder left intact on HDD.
>
> Is it possible to get files from encrypted folder somehow decrypted
> under newly installed copy of Windows?
>
> Username and password for Windows account used to encrypt folder
> are known.
>
> Utilities like Elcomsoft's EFS recovery could not do much - when
> account password has been supplied utility said that it can
> decrypt about 90 files in total with no hint on why specifically
> these files can be decrypted and not others.

Shenan Stanley wrote:
> sunorain,
>
> I have empathy for your post and what it has been turned into. I
> did find a fine example of what it basically has become...
>
> http://video.google.com/videoplay?docid=-4784409600367252507
>
> Hopefully it serves more purpose than the back-and-forth your
> conversation has become - at least make you smile/laugh - *grin*
>
> Direct answer...
>
> In general - if you have no backup of your encryption key/cert
> and/or backup of your old hard disk drive contents (full image) so
> you might revert to it and regain said information and back it up
> this time - your files/folders in the EFS are likely (for all
> intents and purposes) lost to you.
>
> It sucks - but it is why people are encouraged to make good backups.
>
> Might you be able to get something back? Sure - anything is
> possible - but you'd have to let everyone know what backups you
> have, if you have an image of the hard disk drive before the
> problems, etc. However - assuming you would have mentioned that -
> recovery is unlikely - even if you throw a lot of money at the
> issue.

MEB wrote:
> Okay, at LEAST add there are some really good [some free] disk
> recovery programs that could be tried. What can it hurt... it would
> take less
> than twenty or thirty minutes to check including download time...
> heck, even something like Hiren's or Knoppix Live could potentially
> be used. This was an old [apparently as there are a few thousand
> files involved] large installation with a SMALLER new installation
> placed, why not check...

Given what the original poster has, ("... Vista was reinstalled, with most
old system files (including "Windows",
"Users" and "Documents" folders) deleted before reinstallation ..."), the
chances are very slim indeed - also - considering this has gone on for two
weeks now (14 days since their original posting) it is likely they have
utilized the machine pretty well at this point - slimming the possibilities
even more of recovering anything - much less anything that might help them.

However - why didn't you? Instead of suggesting someone suggest something -
suggest - with details. ;-)

Would it have been hard to do this:

Recuva
http://www.piriform.com/recuva

Restoration
http://www.snapfiles.com/get/restoration.html

Undelete
http://www.diskeeper.com/undelete/undelete.aspx

Use any of those with the Ultimate Boot CD for Windows:
http://www.ubcd4win.com/

However - without the DRA or backed up private key and given this was a
stand-alone machine - likely still a wash. Backups - the only true solution
to data loss. Data loss - usually the most well-listened-to teacher
advocating backups - if only those listening now had listened to the masses
days/weeks/years before. ;-)

It being Vista - this is of little help:
http://www.beginningtoseethelight.org/efsrecovery/
... not to mention, likely over the head of anyone who did not bother to
make backups of their important files. ;-)

When you add to that the facts given that things like this:
http://www.elcomsoft.com/WP/advantages_and_disadvantages_of_efs_and_effective_recovery_of_encrypted_data_en.pdf
... only had limited - unbelievably limited - success; things aren't looking
just bleak, but downright dark and dead quiet.

They can try all that - if they want - but even though they did not backup
the data and use best practices for EFS (showing they may not have
understood what they were doing) they did mention some things they have
tried leading one to think they did their research and probably thought
about some (if not all) of this long ago - and if they had success or not -
we are likely to never know. No success - what incentive do they have to
report back they fail? Success - they will likely feel like they did it on
their own (and would likely be right given the paths this conversation took)
and they have nothing to say to anyone here. ;-)

MEB

Nov 9, 2009, 10:41:31 PM
> .... not to mention, likely over the head of anyone who did not bother to
> make backups of their important files. ;-)
>
> When you add to that the facts given that things like this:
> http://www.elcomsoft.com/WP/advantages_and_disadvantages_of_efs_and_effective_recovery_of_encrypted_data_en.pdf
> .... only had limited - unbelievably limited - success; things aren't looking
> just bleak, but downright dark and dead quiet.
>
> They can try all that - if they want - but even though they did not backup
> the data and use best practices for EFS (showing they may not have
> understood what they were doing) they did mention some things they have
> tried leading one to think they did their research and probably thought
> about some (if not all) of this long ago - and if they had success or not -
> we are likely to never know. No success - what incentive do they have to
> report back they fail? Success - they will likely feel like they did it on
> their own (and would likely be right given the paths this conversation took)
> and they have nothing to say to anyone here. ;-)
>

And I would agree, when posted 10/26/09, simple recovery methods SHOULD
have been the *first* suggestions, taking the disk out of usage, and
other. INSTEAD those answering went off on the thought of
CRACKING/HACKING the actual files, to the point of a ridiculous
discussion of Super Computers.

I entered the discussion on 11/4/09 [around 8-9 days later], seeing NO
ONE had even suggested anything remotely like would have been applied
under these or other circumstances and situations, attempted file
recovery; and where NO ONE had submitted anything regarding methods or
tools, Microsoft or otherwise. The apparent thought was impossible to
recover, where in ANY other file deletion or related disk issue the
IMMEDIATE response would or should have been as indicated, attempted
recovery.
When I suggested that there were other methods and provided links to
materials including Microsoft Articles and tools, they were received
with disdain BY supposed MVPs. Excuse me, these are tools and
information related to the activity. They DO provide the "best
practices" and tools for particular situations regarding EFS, don't they.
When I addressed other potentials such as beginningtoseethelight, which
shows indicators to the information sought should hex recovery or
modification be needed, I received some of the most ignorant junk
possible, AGAIN from MVPs. This is SUPPOSEDLY a group with experts. With
indicators available, there was another potential recovery method, if
necessary.
We aren't discussing cracking/hacking encrypted files, it was the
potential DATA recovery that might have been useful to the OP. It was
also the tools available, and potential methods for others who might
find this discussion.


Now, why don't YOU explain why YOU didn't step in IMMEDIATELY
with suggested recovery methods, and WHY none of the other MVPs did.
That would be real interesting I'm sure.

While you're at it, explain why they STILL don't get it.

You can sit smugly at your computer in here all day long and say it
*might* have been impossible to recover, it's as good an excuse as any
now; but IT DANG SURE IS NOW because NONE of you even tried. NONE of you
suggested anything of value.

Shenan Stanley

Nov 9, 2009, 11:28:04 PM
<snip>

Easy there, MEB.

Why do you think I (or anyone here) owe you (someone I don't know)
information about me (someone you don't know) and where I was or why I
do/don't/didn't/did do something?

Same question to you - why didn't you step in immediately on day one with
your suggestions?

Likely the same answer for both. Volunteer, not paid to do this, have a
life, doing something else, can't be everywhere at once and nunya...

You can think people are being smug all you want - they are not - they are
being where they can/want to be when they can when they want to be. They
answer how they want, with what they want.

There is no *you* here - this is a PEER-to-PEER newsgroup - you are the same
as anyone else here. You are a PEER.

Said it before, looks like I have to say it again. I volunteer my
experience and knowledge - volunteer above and beyond my normal life and
career. I get to say what I want when I want to say it. If Microsoft
disappeared tomorrow - it would mean very little in terms of what I do.
Initials mean little - it's what you make of it. I did it long before I
received any initials for doing it and would likely still do it without the
initials (although I am considering not doing it anymore because people seem
to *expect* things they shouldn't.)

Your comments were late just as some others were and did very little to help
the situation when you decided that instead of ignoring those who decided to
buck what you were saying - you'd feed on them and them on you and make this
entire conversation into garbage that was of no use to the OP and wasn't
even a logical discussion, but a "No, YOU!" shouting match.

One problem is you never know what the reaction will be from people. I have
been involved in postings where it seemed like the person had tried nothing,
but was just honestly asking for assistance. I listed all the simple things
to try and some more advanced things to try in excruciating detail - in
hopes that something might help them. What was the reaction? They bit my
head off for treating them like a child, for not assuming they had done all
the simple stuff, going as far as calling me names.

It's a volunteer based newsgroup (forum) - if you don't like what someone
says or don't want to get involved - you don't have to. If you want to stop
at any point being involved, do so. And sure - you can call people names,
troll, chide people into responding, dance around the topic, be the holy
zealot in the right/wrong side, be the jester or be the true fool - all that
is a free for all as well. What you do here *is* your choice. When you do
things here *is* your choice.

Don't expect - however - anything. It's not your 'right', especially not
here. You voluntarily answer and are no different than anyone else here -
no matter what value you want to put into what initials you see.

I knew someone once that started putting initials at the end of their name
many years back. People, strangely - started treating them with more
respect, etc. The letters added were "RNG" <- they meant 'Really Nice Guy',
but no one ever asked - they just assumed some importance came with them. I
would suggest never being that unwise.


But - I will return to the subject at hand - as it should always end up
doing...


The truth is - given what the OP did - I fully believe they would have been
unsuccessful in their attempts - no matter what was suggested within minutes
of their original posting.

They didn't make backups (if they did, they did not mention any), they
didn't understand EFS (or they wouldn't have just 'moved' the EFS folders
somewhere else thinking they could unencrypt them later without following
the well documented best practices of backing up the private key or making a
DRA) and they had attempted to fix it themselves with research (they
mentioned methods I don't believe they knew beforehand - since if they knew
of the methods, they would be unlikely to have risked their data on the
off-chance those methods would work for them.)

All of this could easily have been deduced from the original posting and I
perfectly well understand why the reaction was what it was for the most
part. Logical progression from the given information. All that could be
done otherwise is ask for more information - and many times that just gets
"Just answer the question" responses and "Why do you need to know all that"
responses and the likes.

MEB

Nov 9, 2009, 11:55:55 PM
Shenan Stanley wrote:
> <snip>
>
> MEB wrote:

Wow, I really needed that explanation. Sorry, at this point my
tolerance is low..

>
>
> But - I will return to the subject at hand - as it should always end up
> doing...
>
>
> The truth is - given what the OP did - I fully believe they would have been
> unsuccessful in their attempts - no matter what was suggested within minutes
> of their original posting.
>
> They didn't make backups (if they did, they did not mention any), they
> didn't understand EFS (or they wouldn't have just 'moved' the EFS folders
> somewhere else thinking they could unencrypt them later without following
> the well documented best practices of backing up the private key or making a
> DRA) and they had attempted to fix it themselves with research (they
> mentioned methods I don't believe they knew beforehand - since if they knew
> of the methods, they would be unlikely to have risked their data on the
> off-chance those methods would work for them.)
>
> All of this could easily have been deduced from the original posting and I
> perfectly well understand why the reaction was what it was for the most
> part. Logical progression from the given information. All that could be
> done otherwise is ask for more information - and many times that just gets
> "Just answer the question" responses and "Why do you need to know all that"
> responses and the likes.
>

Deduced by whom, my immediate reaction WAS to proceed with the
recovery tools and methods in the discussion to dispel the incredible
lack of anything relevant to the issue and other similar situations.
You just change yours to another excuse, you "fully believe"... that's
fine. That still doesn't address the potential recovery and THAT was the
most important element. Unless one tries, then everything else is just
fluff, excuses, and failure, because you DON'T KNOW for sure, do you.
GUESSING, isn't productive when someone's potentially irreplaceable
files are at stake. So NO your answer does not suit the issue nor the
matter as posted. It's just another excuse. The LOGICAL progression is to
stop usage IMMEDIATELY, and then make an effort to see what options
might be available.

FromTheRafters

Nov 10, 2009, 5:59:23 AM
"Peter" <inv...@nothere.com> wrote in message
news:bn3Km.27991$gg6....@newsfe25.iad...

> "FromTheRafters" <erratic @nomail.afraid.org> wrote in message
> news:%23cbUZ%23VYKH...@TK2MSFTNGP04.phx.gbl...
>>
>> "Peter" <inv...@nothere.com> wrote in message
>> news:yHXJm.13912$de6....@newsfe21.iad...
>>
>>> The information that you wanted is available in more than one place
>>> on the Microsoft site. If you read KB223316 you will find the
>>> following statements from Microsoft:
>>
>> Find the equivalent for Vista.

> Sheesh!!! Do you think that things are that much different in Vista

Not really, I was just hoping that information from a newer source would
be more correct.

> and that you can recover encrypted files without the certificate?

Without *which* certificate?

[...]

>>> How files are encrypted
>>> Files are encrypted through the use of algorithms that essentially
>>> rearrange, scramble, and encode the data. A key pair is randomly
>>> generated when you encrypt your first file. This key pair is made up
>>> of a private and a public key. The key pair is used to encode and
>>> decode the encrypted files.

The above statement is evidently incorrect. The files are encrypted with
a symmetric key - the asymmetric key is used to encrypt the symmetric key
for storage within the file structure. Several asymmetric keys may be
used for several key recovery agents - all for recovering the key for
the same symmetric key encrypted file.

>> If I'm not mistaken, Vista uses a single key to encrypt the data and
>> then one of a key pair to encrypt *that* key - the actual key is then
>> with the file (covered) - and in addition by default uses the local
>> administrator account to have a different key pair (recovery agent)
>> also used to decrypt the actual key that encrypted the data and is
>> also stored within the file.
>> If I am mistaken, please do enlighten me.
>
> Why not supply a link to *your* source of information?

http://technet.microsoft.com/en-us/library/cc962103.aspx

See near the bottom where it mentions the local admin account as the
default recovery agent (a user might not be aware of this automatically
created *other* certificate for recovery).

> In any case it still wouldn't detract from the fact that without the
> certificate the files are lost.

Without the decryption key, the files are effectively lost. There may be
several ways to recover the decryption key since it is included with the
file (covered) and there may be several different recovery agents having
the ability to uncover (decrypt) that key with their own private key.

The OP probably doesn't care about the theory, he just wants his files
back. Having not *knowingly* created a "backup certificate", he asks if
there is another way (is it possible) - and there might just be, by
using *another* recovery agent's certificate to decrypt the key to the
file.


Peter Foldes

Nov 10, 2009, 7:51:08 AM
Again. Put an end to this Trolling and get a life already. This newsgroup is not for
showing off it is to help the OP. You are butting heads and flexing your muscles
trying to show that you are better than anybody else. This is a peer to peer
newsgroup and most who have posted in this thread posted to help the OP BUT not you.
You attack (right or wrong) all who posted. Give it a rest already and if you did
not notice the OP has not posted back

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"MEB" <MEB-no...@hotmail.com> wrote in message
news:e%237U30AY...@TK2MSFTNGP05.phx.gbl...


> John John - MVP wrote:
>> MEB wrote:
>>> John John - MVP wrote:
>>>> MEB wrote:


<snip>

MEB

Nov 10, 2009, 9:55:04 AM
Peter Foldes wrote:
> Again. Put an end to this Trolling and get a life already. This
> newsgroup is not for showing off it is to help the OP. You are butting
> heads and flexing your muscles trying to show that you are better than
> anybody else. This is a peer to peer newsgroup and most who have posted
> in this thread posted to help the OP BUT not you. You attack (right or
> wrong) all who posted. Give it a rest already and if you did not notice
> the OP has not posted back
>

Then WHY didn't you *actually help* the OP?

Stop your troll activities. I'm not showing off, I'm providing
information to others and the OP which they NEED to understand their
*options*. You and the others gave them NONE.

Is this an attack, NO, it is a statement of fact.

Peter

Nov 10, 2009, 10:06:02 AM
"FromTheRafters" <erratic @nomail.afraid.org> wrote in message
news:O3VveTfY...@TK2MSFTNGP02.phx.gbl...

> "Peter" <inv...@nothere.com> wrote in message
> news:bn3Km.27991$gg6....@newsfe25.iad...
>> "FromTheRafters" <erratic @nomail.afraid.org> wrote in message
>> news:%23cbUZ%23VYKH...@TK2MSFTNGP04.phx.gbl...
>>>
>>> "Peter" <inv...@nothere.com> wrote in message
>>> news:yHXJm.13912$de6....@newsfe21.iad...
>>>
>>>> The information that you wanted is available in more than one place on
>>>> the Microsoft site. If you read KB223316 you will find the following
>>>> statements from Microsoft:
>>>
>>> Find the equivalent for Vista.
>
>> Sheesh!!! Do you think that things are that much different in Vista
>
> Not really, I was just hoping that information from a newer source would
> be more correct.
>
>> and that you can recover encrypted files without the certificate?
>
> Without *which* certificate?

You're trying to set a trap, I won't fall into it. Either you back up your
private certificate or you have a recovery agent, that is very
clearly stated in KB223316:

Why you must back up your certificates

Because there is no way to recover data that has been encrypted with a
corrupted or missing certificate, it is critical that you back up the
certificates and store them in a secure location. You can also specify a
recovery agent. This agent can restore the data. The recovery agent's
certificate serves a different purpose than the user's certificate.

That the Administrator is automatically assigned as the Recovery Agent means
nothing if you move the files to a different machine or if you wipe and
reinstall Windows, the Administrator on the new installation won't be able
to decrypt your old files unless you moved the old certificates to the new
installation.

> [...]
>
>>>> How files are encrypted
>>>> Files are encrypted through the use of algorithms that essentially
>>>> rearrange, scramble, and encode the data. A key pair is randomly
>>>> generated when you encrypt your first file. This key pair is made up of
>>>> a private and a public key. The key pair is used to encode and decode
>>>> the encrypted files.
>
> The above statement is evidently incorrect. The files are encrypted with a
> symmetric key - the asymmetric key is used to encrypt the symmetric key for
> storage within the file structure. Several asymmetric keys may be used for
> several key recovery agents - all for recovering the key for the same
> symmetric key encrypted file.

That doesn't mean that the statement is incorrect. You need a pair of keys
to decrypt the file, the public key and the private key, the keys are
randomly generated when the file is encrypted. Is that false? Can you
decrypt the files with only the public key?

>>> If I'm not mistaken, Vista uses a single key to encrypt the data and
>>> then one of a key pair to encrypt *that* key - the actual key is then
>>> with the file (covered) - and in addition by default uses the local
>>> administrator account to have a different key pair (recovery agent) also
>>> used to decrypt the actual key that encrypted the data and is also stored
>>> within the file.
>>> If I am mistaken, please do enlighten me.
>>
>> Why not supply a link to *your* source of information?
>
> http://technet.microsoft.com/en-us/library/cc962103.aspx

Huh??? You say that EFS on Vista is significantly different than it is on
XP and when asked to supply a link with this information you supply a link
to Windows 2000 information? Can you please supply a link explaining the
technical details about EFS on Vista?

With Vista there seems to have been an enormous push toward the 'dumbing
down' of the users by Microsoft. With W2K there was an enormous amount of
technical information available about the operating system and its inner
workings. With Vista all that can usually be found are these dumb articles
with nothing more than basic instructions on how to do things, no technical
information whatsoever or if any it is so general and scant that it is
nearly useless. Either that or I'm looking at the wrong places for the
information. I think that XP has less in-depth information available than
Windows 2000 did (on the Microsoft site) but it still has Resource Kit
documentation and XP is so nearly identical to W2K that one can often use
that to find answers. I certainly hope that there will be better
documentation for Windows 7 but with the rumours that Microsoft is doing
away with newsgroups and moving everything to dumb web forums it appears
that the dumbing down of the users is still in full swing. I think that
Microsoft wants dumb users, then they can feed them whatever they want and
the users will not know any better.

> See near the bottom where it mentions the local admin account as the
> default recovery agent (a user might not be aware of this automatically
> created *other* certificate for recovery).

Yes, but as I said earlier unless you import/restore the Recovery Agent's
Private Key to the new installation that means nothing.

>> In any case it still wouldn't detract from the fact that without the
>> certificate the files are lost.
>
> Without the decryption key, the files are effectively lost. There may be
> several ways to recover the decryption key since it is included with the
> file (covered) and there may be several different recovery agents having
> the ability to uncover (decrypt) that key with their own private key.
>
> The OP probably doesn't care about the theory, he just wants his files
> back. Having not *knowingly* created a "backup certificate", he asks if
> there is another way (is it possible) - and there might just be, by using
> *another* recovery agent's certificate to decrypt the key to the file.

It all comes down to the same thing, he needs a backup of one of the private
certificates, be it his or that of the DRA. Certificate recovery utilities
like the one by Elcomsoft would have looked for any of these. The OP stated
that he tried different utilities but that they failed to find anything,
that isn't surprising, being that he removed all the files and then
reinstalled Windows it is to be expected. I feel sorry for the OP, losing
one's files can be very discouraging. He has learned the pitfalls of EFS the
hard way!

Peter Foldes

unread,
Nov 10, 2009, 10:31:12 AM11/10/09
to
> Then WHY didn't you *actually help* the OP?

Because John John answered the OP correctly right away and there was no need to answer
with the same again. Period.

> Is this an attack, NO, it is a statement of fact.

It is an attack meant by you to instigate further confrontation which is an action
by a Troll. Statement of fact is "That you are a first class uneducated Troll
believing in yourself that you are it to the world"

PERIOD

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

> Then WHY didn't you *actually help* the OP?
>
> Stop your troll activities. I'm not showing off, I'm providing
> information to others and the OP which they NEED to understand their
> *options*. You and the others gave them NONE.
>

> Is this an attack, NO, it is a statement of fact.

MEB

unread,
Nov 10, 2009, 10:42:06 AM11/10/09
to
Peter Foldes wrote:
>> Then WHY didn't you *actually help* the OP?
>
> Because John John answered the OP correctly right away and was no need
> to answer with the same again.Period.
>
>> Is this an attack, NO, it is a statement of fact.
>
> It is an attack meant by you to instigate further confrontation which is
> an action by a Troll. Statement of fact is "That you are a first class
> uneducated Troll believing in yourself that you are it to the world"
>
> PERIOD
>

Really, let's hope FromTheRafters finishes the path towards which you
have been directed. You are already in the trap...

Nice how you always fall back to the Usenet troll classification...
just as someone like you would.

@nomail.afraid.org FromTheRafters

unread,
Nov 10, 2009, 11:32:44 AM11/10/09
to
"Peter" <inv...@nothere.com> wrote in message
news:wjfKm.9043$Sw5....@newsfe16.iad...

> "FromTheRafters" <erratic @nomail.afraid.org> wrote in message
> news:O3VveTfY...@TK2MSFTNGP02.phx.gbl...

[...]


> That doesn't mean that the statement is incorrect. You need a pair of
> keys to decrypt the file, the public key and the private key, the keys
> are randomly generated when the file is encrypted. Is that false?
> Can you decrypt the files with only the public key?

You encrypt with one, and decrypt with the other. If you needed both to
decrypt, what would be the use of calling one "private". You need only
the private key to decrypt that which was encrypted with the
corresponding public key.

...and neither of these keys is used to encrypt/decrypt the file's data.
In fact the file's data may be encrypted using an entirely different
algorithm. It is the resulting key that gets the asymmetric (two M's
this time) key treatment.

>>>> If I'm not mistaken, Vista uses a single key to encrypt the data
>>>> and then one of a key pair to encrypt *that* key - the actual key
>>>> is then with the file (covered) - and in addition by default uses
>>>> the local administrator account to have a different key pair
>>>> (recovery agent) also used to decrypt the actual key that encrypted
>>>> the data and is also stored within the file.
>>>> If I am mistaken, please do enlighten me.

I am indeed mistaken - evidently having two certificates is no longer a
requirement, instead the user is warned that a backup or recovery agent
is recommended. (see, things do change sometimes).

>>> Why not supply a link to *your* source of information?
>>
>> http://technet.microsoft.com/en-us/library/cc962103.aspx
>
> Huh??? You say that EFS on Vista is significantly different than it
> is on XP and when asked to supply a link with this information you
> supply a link to Windows 2000 information?

No, I posted my source of information on how EFS works, which seemed
different than your assertion that asymmetric keys were used to encrypt
the file. If I had only the file's data to work with, it is the
symmetric key I would want to discover (especially if weaker encryption
were used on the file data than was used on the file encryption key).

I couldn't find much on Vista's EFS implementation but lame how-to's and
blog posts.

> Can you please supply a link explaining the technical details about
> EFS on Vista?

No, I can't find a good nuts-and-bolts link. I did find this planning
document though.

http://technet.microsoft.com/en-us/library/cc162806.aspx

> With Vista there seems to have been an enormous push toward the
> 'dumbing down' of the users by Microsoft. With W2K there was an
> enormous amount of technical information available about the operating
> system and its inner workings. With Vista all that can usually be
> found are these dumb articles

Yes, it is infuriating when trying to find good authoritative
information.

> with nothing more than basic instructions on how to do things, no
> technical information whatsoever or if any it is so general and scant
> that it is nearly useless. Either that or I'm looking at the wrong
> places for the information. I think that XP has less in-depth
> information available than Windows 2000 did (on the Microsoft site)
> but it still has Resource Kit documentation and XP is so nearly
> identical to W2K that one can often use that to find answers. I
> certainly hope that there will be better documentation for Windows 7
> but with the rumours that Microsoft is doing away with newsgroups and
> moving everything to dumb web forums it appears that the dumbing down
> of the users is still in full swing. I think that Microsoft wants
> dumb users, then they can feed them whatever they want and the users
> will not know any better.

:o)

>> See near the bottom where it mentions the local admin account as the
>> default recovery agent (a user might not be aware of this
>> automatically created *other* certificate for recovery).
>
> Yes, but as I said earlier unless you import/restore the Recovery
> Agent's Private Key to the new installation that means nothing.

In this case, I was assuming (from the documentation) that the recovery
agent was perhaps created without the user knowing. It now seems that
from XP on there is no default recovery agent (XP) - and only a warning
that you need to create some form of backup (Vista).

[...]

> It all comes down to the same thing, he needs a backup of one of the
> private certificates, be it his or that of the DRA. Certificate
> recovery utilities like the one by Elcomsoft would have looked for any
> of these. The OP stated that he tried different utilities but that
> they failed to find anything, that isn't surprising, being that he
> removed all the files and then reinstalled Windows it is to be
> expected. I feel sorry for the OP, losing one's files can be very
> discouraging. He has learned the pitfalls of EFS the hard way!

Yes, the results are the same as in cryptovirology's ransomware.
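
The key hierarchy argued over in the posts above, as an added example that is not code from any poster or from Microsoft: one symmetric file encryption key (FEK) encrypts the data, and a copy of the FEK is wrapped under each authorized public key and stored with the file. Textbook RSA over small Mersenne primes and a SHA-256 keystream are stand-ins for the real EFS algorithms; every name, including the `fek_check` field, is hypothetical.

```python
import hashlib
import secrets


def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes; returns (public, private). Toy sizes only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _stream_xor(key, data):
    """Stand-in symmetric cipher: XOR the data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def _fek_check(fek):
    """Demo-only check value so a wrong private key is detected, not silent garbage."""
    return hashlib.sha256(b"fek-check" + fek).digest()


def encrypt_file(plaintext, recipients):
    """Encrypt once with a random FEK, then wrap the FEK for every recipient."""
    fek = secrets.token_bytes(16)
    fek_int = int.from_bytes(fek, "big")
    key_fields = {name: pow(fek_int, e, n) for name, (n, e) in recipients.items()}
    return {"key_fields": key_fields,          # wrapped FEK copies travel with the file
            "fek_check": _fek_check(fek),
            "data": _stream_xor(fek, plaintext)}


def decrypt_file(blob, name, private):
    """Return the plaintext, or None if this private key cannot unwrap the FEK."""
    n, d = private
    wrapped = blob["key_fields"].get(name)
    if wrapped is None:
        return None                             # no key field was written for this identity
    fek_int = pow(wrapped, d, n)
    if fek_int >= 1 << 128:
        return None                             # result is not a 16-byte key: wrong private key
    fek = fek_int.to_bytes(16, "big")
    if _fek_check(fek) != blob["fek_check"]:
        return None
    return _stream_xor(fek, blob["data"])


# Constructed key pairs. USER and DRA exist before the reinstall; NEW is what the
# same account name gets on a fresh installation (a different, unrelated key pair).
USER_PUB, USER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
DRA_PUB, DRA_PRIV = make_keypair(2**107 - 1, 2**61 - 1)
NEW_PUB, NEW_PRIV = make_keypair(2**127 - 1, 2**107 - 1)

if __name__ == "__main__":
    doc = b"constructed sample document contents"
    blob = encrypt_file(doc, {"user": USER_PUB, "recovery_agent": DRA_PUB})
    print("user private key:      ", decrypt_file(blob, "user", USER_PRIV))
    print("recovery agent key:    ", decrypt_file(blob, "recovery_agent", DRA_PRIV))
    print("new key after reinstall:", decrypt_file(blob, "user", NEW_PRIV))
```

Knowing the account name is not enough: the key pair generated after a reinstall is unrelated to the one that wrapped the FEK, so only a surviving copy of an original private key (the user's or a recovery agent's) recovers the file.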


@nomail.afraid.org FromTheRafters

unread,
Nov 10, 2009, 11:43:10 AM11/10/09
to
"MEB" <MEB-no...@hotmail.com> wrote in message
news:OM14UvhY...@TK2MSFTNGP02.phx.gbl...
[...]

> Really, let's hope FromTheRafters finishes the path towards which you
> have been directed. You are already in the trap...

I said nothing about supercomputers, only that enough computing power
and enough time are the limiting factors on the possibility of
decrypting encrypted data without knowing the key. The strength of an
algorithm relates to how long mathematically it can remain secure. All
other discussion was about the possibility that a key can be discovered
by means other than brute force guessing at all possible keys.

Regular backups would not back up such things, but disk imaging software
might.


MEB

unread,
Nov 10, 2009, 12:15:47 PM11/10/09
to

Agreed. Then again, the actual issue wasn't cracking the files, it was
the recovery or usage of other potential keys. Something that had been
ignored during the discussion prior to the point of my entry.

Moreover, in your other discussion with Peter, both of you are
addressing issues as if there would be no residual data left upon the
disk [judging by your most recent post, perhaps that's wrong].
Elcomsoft's tool looks for information still tied [somehow] to an
existing system or existing folders. It does not [as far as I can
discern] search the disk for data in the same fashion as disk recovery
software would have. And therein lies the failure.
So the continued discussion still appears to ignore the residual data
that the disk might have held. Recover the keys and you can import/use
them. Both of you have stated that, and it is borne out by the available
documentation [and tools for that matter]. So the issue remains the
recovery or some other unknown activity by the querier; unknown because
no one asked. If that had been successful, some form of recovery or
image or other, the files were usable.

I think changes were made in later versions of XP and W2K [Service Pack
level], it might be beneficial to see if there were; though VISTA is the
original system involved so the activities within that system are key to
the actual query, however, since the base EFS is involved, all of these
materials are relevant in their respective form.

@nomail.afraid.org FromTheRafters

unread,
Nov 10, 2009, 2:47:53 PM11/10/09
to
"MEB" <MEB-no...@hotmail.com> wrote in message
news:eR3FrjiY...@TK2MSFTNGP04.phx.gbl...

[...]

> Agreed. Then again, the actual issue wasn't cracking the files,

To some, it was the only issue. I think we all agree - mathematically:

EFS-FEK=SOL :o)

> it was
> the recovery or usage of other potential keys. Something that had been
> ignored during the discussion prior to the point of my entry.

I wasn't forgetting the fact that deleting all user profiles and
reinstalling Vista might not actually overwrite the needed data. Data
recovery tools could conceivably still find the needed data - and that
the user *might* have unknowingly backed up the needed data.

> Moreover, in your other discussion with Peter, both of you are
> addressing issues as if there would be no residual data left upon the
> disk [judging by your most recent post, perhaps that's wrong].

My discussion with Peter is more about my perceived misinformation in
his post that the file itself is encrypted with a public/private key
set, and that recovering a key (perhaps from an agent) won't help any.

> Elcomsoft's tool looks for information still tied [somehow] to an
> existing system or existing folders. It does not [as far as I can
> discern] search the disk for data in the same fashion as disk recovery
> software would have. And therein lies the failure.

I'm not sure of the capabilities of that tool. I do know that some
"image" backups can be made to act like a mounted drive, and perhaps
searched for possible keys using that tool.

[...]


Peter

unread,
Nov 10, 2009, 2:52:33 PM11/10/09
to

"FromTheRafters" <erratic @nomail.afraid.org> wrote in message
news:uMG2wNiY...@TK2MSFTNGP04.phx.gbl...

> "Peter" <inv...@nothere.com> wrote in message
> news:wjfKm.9043$Sw5....@newsfe16.iad...
>> "FromTheRafters" <erratic @nomail.afraid.org> wrote in message
>> news:O3VveTfY...@TK2MSFTNGP02.phx.gbl...
>
> [...]
>
>
>> That doesn't mean that the statement is incorrect. You need a pair of
>> keys to decrypt the file, the public key and the private key, the keys
>> are randomly generated when the file is encrypted. Is that false? Can
>> you decrypt the files with only the public key?
>
> You encrypt with one, and decrypt with the other. If you needed both to
> decrypt, what would be the use of calling one "private". You need only the
> private key to decrypt that which was encrypted with the corresponding
> public key.
>
> ...and neither of these keys is used to encrypt/decrypt the file's data.
> In fact the file's data may be encrypted using an entirely different
> algorithm. It is the resulting key that gets the asymmetric (two M's this
> time) key treatment.

My bad, you don't need the 'pair' to decrypt, you need the private key, (but
these keys work together). As I understand it from the documentation on the
link you provided the public key is in the file header. Whether the keys
are symmetric or asymmetric I don't know and it's beyond my interest and
technical knowledge, all I know is that without the private key the files
are history.

>>>>> If I'm not mistaken, Vista uses a single key to encrypt the data and
>>>>> then one of a key pair to encrypt *that* key - the actual key is then
>>>>> with the file (covered) - and in addition by default uses the local
>>>>> administrator account to have a different key pair (recovery agent)
>>>>> also used to decrypt the actual key that encrypted the data and is also
>>>>> stored within the file.
>>>>> If I am mistaken, please do enlighten me.
>
> I am indeed mistaken - evidently having two certificates is no longer a
> requirement, instead the user is warned that a backup or recovery agent is
> recommended. (see, things do change sometimes).
>
>>>> Why not supply a link to *your* source of information?
>>>
>>> http://technet.microsoft.com/en-us/library/cc962103.aspx
>>
>> Huh??? You say that EFS on Vista is significantly different than it is
>> on XP and when asked to supply a link with this information you supply a
>> link to Windows 2000 information?
>
> No, I posted my source of information on how EFS works, which seemed
> different than your assertion that asymmetric keys were used to encrypt
> the file. If I had only the file's data to work with, it is the symmetric
> key I would want to discover (especially if weaker encryption were used on
> the file data than was used on the file encryption key).

I never said or asserted that the keys were asymmetric or not, I simply
copied and pasted the information directly from the KB article to my reply.
Until you mentioned it I didn't know anything about the symmetric/asymmetric
aspect of the keys or pay any attention to it. I don't dispute what you
say, I really don't know anything about this technical part of the
encryption process.

It shows that the need to backup one's important files and store them in a
safe place can never be overstated, another hard lesson that those running
without any backups will eventually learn...


Peter

unread,
Nov 10, 2009, 2:55:48 PM11/10/09
to

"MEB" <MEB-no...@hotmail.com> wrote in message
news:eR3FrjiY...@TK2MSFTNGP04.phx.gbl...

> FromTheRafters wrote:
>> "MEB" <MEB-no...@hotmail.com> wrote in message
>> news:OM14UvhY...@TK2MSFTNGP02.phx.gbl...
>> [...]
>>
>>> Really, let's hope FromTheRafters finishes the path towards which you
>>> have been directed. You are already in the trap...
>>
>> I said nothing about supercomputers, only that enough computing power
>> and enough time are the limiting factors on the possibility of
>> decrypting encrypted data without knowing the key. The strength of an
>> algorithm relates to how long mathematically it can remain secure. All
>> other discussion was about the possibility that a key can be discovered
>> by means other than brute force guessing at all possible keys.
>>
>> Regular backups would not back up such things, but disk imaging software
>> might.
>>
>>
>
> Agreed. Then again, the actual issue wasn't cracking the files, it was
> the recovery or usage of other potential keys.

Nice try at backpedalling but we can all go back and read what was said and
what was not said. You are the one who suggested that the files could be
recovered without the certificates and you personally attacked those who
said otherwise. In your first few posts you made no mention of recovering
potential keys, quite to the contrary you bluntly stated and emphasised that
the files "COULD BE RECOVERED" without the certificate by using 'other
recovery methods'. Your refusal to admit to your mistakes and your
continued insistence that all the others are wrong doesn't quite give any
credibility to anything else that you want to add, the more you add to this
discussion the less credible you appear to the rest of us reading here.
Swallow your pride and let it go, stop it with your trolling.


MEB

unread,
Nov 10, 2009, 4:25:10 PM11/10/09
to

Well if you haven't got the materials and my statements locally, I
would suggest you go to Google Groups and review them... before you make
more of a fool of yourself.

MEB

unread,
Nov 10, 2009, 4:35:51 PM11/10/09
to

Oh, and you continue your troll activities and I WILL stick a really
nice post up your behind... my tolerance for you is over.

Andy Medina

unread,
Nov 11, 2009, 12:24:24 AM11/11/09
to

Energy is still being wasted on this?
Just 'killfile' the thread.

"sunorain" <suno...@discussions.microsoft.com> wrote in message
news:FBD9DCA5-1BEC-43EC...@microsoft.com...

>A PC had Vista installed and one folder was encrypted by OS. This folder

>had some thousand or so files....

that can no longer be decrypted.

*plonk*


devin

unread,
Nov 17, 2009, 9:34:02 AM11/17/09
to
Is this solved??, haven't followed all the threads for this question...
Was the computer joined to a domain? In the profile of the first user
(administrator) logged on to the first DC in the domain there is a domain
wide recovery certificate for EFS.


"Peter" wrote:

> .
>

@nomail.afraid.org FromTheRafters

unread,
Nov 17, 2009, 10:34:19 AM11/17/09
to
"devin" <de...@discussions.microsoft.com> wrote in message
news:1E06551A-8163-4987...@microsoft.com...

> Is this solved??, haven't followed all the threads for this
> question...
> Was the computer joined to a domain? In the profile of the first user
> (administrator) logged on to the first DC in the domain there is a
> domain
> wide recovery certificate for EFS.

The OP has not posted back here, so who knows?

Maybe such questions should be handled in a more Google-esque manner.

Did you mean ==> "Is it likely that I (or anyone else) will be able to
decrypt EFS files without having *any* decryption key?"

or

Did you mean ==> "Help, I lost my EFS decryption key, is there any way I
might be able to recover from my dilemma?"


Richard Urban

unread,
Nov 24, 2009, 9:17:53 PM11/24/09
to
Here is another case where the authorities can not break into an encrypted
device without the keys.

For all of those of you who say it can be done - hogwash!

"sunorain" <suno...@discussions.microsoft.com> wrote in message
news:FBD9DCA5-1BEC-43EC...@microsoft.com...
>A PC had Vista installed and one folder was encrypted by OS. This folder
>had

> some thousand or so files.
>
> Then Vista was reinstalled, with most old system files (including
> "Windows",
> "Users" and "Documents" folders) deleted before reinstallation. Encrypted
> folder left intact on HDD.
>
> Is it possible to get files from encrypted folder somehow decrypted under
> newly installed copy of Windows?
>
> Username and password for Windows account used to encrypt folder are
> known.
>
> Utilities like Elcomsoft's EFS recovery could not do much - when account
> password has been supplied utility said that it can decrypt about 90
> files
> in total with no hint on why specifically these files can be decrypted and
> not
> others.
>

@nomail.afraid.org FromTheRafters

unread,
Nov 25, 2009, 6:57:37 AM11/25/09
to

"Richard Urban" <richardurba...@hotmail.com> wrote in message
news:%23mXvCWX...@TK2MSFTNGP02.phx.gbl...

> Here is another case where the authorities can not break into an
> encrypted device without the keys.
>
> For all of those of you who say it can be done - hogwash!

The strength of encryption is quantified by "how long" it can be
expected to remain secure, not that it cannot be broken.

