bluedwarf243 asked:
Lost Certificate and Private key of EFS XP Pro laptop.

XP Pro laptop hard drive crashed and it had EFS and the certificate and private key were never exported.  It was never part of a domain.  A full backup was made of the data (not OS system) 1 week prior to crash.  Can the data be recovered.
ASKER CERTIFIED SOLUTION
CoccoBill (Finland)
This solution is only available to members of Experts Exchange.
Elcomsoft AEFSDR can only recover EFS files from XP if it has access to the keys.
An only-data-backup usually does not have the keys.
But you can always try: restore that backup on a seperate disk (if it's an image) or just under a folder. Then - using the trial version of AEFSDR - have it scan for the keys in that restore.
If it finds the keys it will tell you. You can not recover with the trial version but at least you'll know if it would be possible before you buy.
Anyway: I don't think you will be so lucky given the circumstances. 99.99...% chance that the data is lost.
Even data recovery companies will not be able to help you. That's what EFS was designed for.

J.
bluedwarf243 (ASKER):
There was a full backup of the data only 1 week prior to the hard drive crash on the laptop.  Have you ever tried moving or copying the data from a drive that had encrypted data on it to a FAT32 partition?  This could be done through running another backup or XCOPY.   Because if you could successfully do that it would lose its encryption, correct?  Then the data would be readable.
That's incorrect, the data will not be decrypted that simply. The encryption is only removed if a user that's logged in with access to the data copies it to a non-NTFS disk, otherwise it will be copied in encrypted form. As PowerIT said, that's the purpose of EFS, to secure the data so that it cannot be recovered by 3rd parties. Of course EFS isn't 100% secure, and it can be cracked. Apparently MS offers a service that attempts to recover missing private keys for a fee, check out this link with some more information on the subject:

http://www.beginningtoseethelight.org/efsrecovery/
Do you know where the exact default location of the private key on a windows C: system drive is?  The drive is in bad shape but all we need is that one private key because we have a backup of all the data.
The MS service (RECCERTS.EXE, cost ca 280$) does the same as AEFSDR and will also not work with missing keys. To my knowledge, there is no backdoor. The link only explains a manual process. CoccoBill, if you have other information please post a direct link here.
BTW, this is about XP. Win2K was a different story...

The other thing: a successful copy by the original user to a FAT32 partition would indeed decrypt the files.
Because it was a long while ago I just tested it again and can confirm this.
So if your backup was an xcopy to a FAT32 made by the legitimate user then you should be able to read it.

J.
Have AEFSDR scan that disk. It is read only so should be OK.
Have to run now.

J.
A few points of clarification:
- MS support will give you a copy of Reccerts.exe without paying directly for the software - the price quoted ($280) is an average price for a PSS incident.  If you work for an organization that has any PSS/TAM contracts, and you can have them file an incident for you, then get them to request reccerts.exe for you.

- For most recovery applications, you'll need at minimum the user's Master Key file *and* the file that stores the user's RSA private key for EFS.
  - the Master Key file is found under here: c:\documents and settings\USERNAME\application data\microsoft\protect\  [There may be multiple files, so grab as many of them as you can]
  - the Private Key file is found under here: c:\documents and settings\USERNAME\application data\microsoft\crypto\RSA\ [There will likely be multiple files - grab as many of these as you can as well]
- You'll find the actual files stored in a subdirectory that corresponds to the user's SID
- If you get these files, then restore them as much as possible to a similar set of folders on a working system
- It's unlikely that you'll be able to reconstruct all the configuration details (at least, I've never tried 'cause it looks pretty complex) to be able to dump these files into a new user profile and have them "just work".  But who knows?  It's sure worth a try if you don't have any of the recovery tools available.  [If you have trouble with this, maybe you'll need to copy the user's digital certificate files as well: c:\documents and settings\USERNAME\Application Data\Microsoft\SystemCertificates\My\Certificates ]

- When the user who encrypted the files logs on and is able to *open* the encrypted files, only *then* will they be able to copy them to e.g. a FAT32 volume.  At that point, yes they'll be decrypted.
- The critical aspect to this is the user has to be able to decrypt the files, so they need to have access to their EFS private key.  Just logging on to the system won't work (unless the keys have been successfully recovered); having NTFS permissions "access" won't work either (although that's also necessary, it's usually not the determining factor).
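A quick way to find out whether a restored backup actually contains the files the post above lists, before paying for any recovery tool, is to walk the profile folders it names. The script below is an added example and is not code from the thread or from any of the tools mentioned; it assumes Python 3, that you point it at the root of a restored user profile (the folder that corresponds to c:\documents and settings\USERNAME), and it builds its own constructed sample trees with placeholder file names, so no real key material is involved.

```python
"""Check a restored Windows XP profile backup for EFS key material.

Added example, not code from the original thread.  It walks the folders the
last post names (Protect\\<SID>\\ master keys, Crypto\\RSA\\<SID>\\ private
key files, SystemCertificates\\My\\Certificates) under a restored profile
folder and reports whether the backup holds anything a recovery tool could use.
"""
import os
import re
import tempfile

# Locations from the thread, relative to the profile folder
# (c:\documents and settings\USERNAME).  Windows names are case-insensitive,
# so every component is matched case-insensitively below.
KEY_LOCATIONS = {
    "master_keys": ["Application Data", "Microsoft", "Protect"],
    "rsa_private_keys": ["Application Data", "Microsoft", "Crypto", "RSA"],
    "certificates": ["Application Data", "Microsoft", "SystemCertificates",
                     "My", "Certificates"],
}
# Under Protect\ and Crypto\RSA\ the files sit in a folder named after the
# user's SID (S-1-5-21-<machine/domain ids>-<RID>).
SID_RE = re.compile(r"^S-1-5-21(-\d+){3,4}$")


def _child(directory, name):
    """Return the entry called `name` inside `directory`, ignoring case."""
    if directory is None or not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def inventory_efs_key_material(profile_dir):
    """Map each key category to the files found for it (relative to the profile)."""
    found = {name: [] for name in KEY_LOCATIONS}
    for name, components in KEY_LOCATIONS.items():
        base = profile_dir
        for part in components:
            base = _child(base, part)
        if base is None:
            continue
        if name == "certificates":
            search_dirs = [base]
        else:  # only SID-named subfolders hold a user's keys
            search_dirs = [os.path.join(base, d) for d in os.listdir(base)
                           if SID_RE.match(d) and os.path.isdir(os.path.join(base, d))]
        for d in search_dirs:
            for f in sorted(os.listdir(d)):
                full = os.path.join(d, f)
                if os.path.isfile(full):
                    found[name].append(os.path.relpath(full, profile_dir))
    return found


def backup_has_efs_keys(inventory):
    """Recovery needs at least one master key file and one RSA key file."""
    return bool(inventory["master_keys"]) and bool(inventory["rsa_private_keys"])


def make_sample_profile(root, with_keys):
    """Build a constructed profile tree for the demo; placeholders only."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1004"  # constructed SID
    docs = os.path.join(root, "My Documents")
    os.makedirs(docs, exist_ok=True)
    with open(os.path.join(docs, "budget.xls"), "wb") as fh:
        fh.write(b"<ciphertext placeholder>")  # an EFS file copied in encrypted form
    if not with_keys:
        return  # data-only backup: documents, but no profile key folders
    protect = os.path.join(root, *KEY_LOCATIONS["master_keys"], sid)
    rsa = os.path.join(root, *KEY_LOCATIONS["rsa_private_keys"], sid)
    certs = os.path.join(root, *KEY_LOCATIONS["certificates"])
    placeholders = [  # constructed names in the shape Windows uses
        os.path.join(protect, "Preferred"),
        os.path.join(protect, "3d2f1a4c-5e6b-4f7a-8b9c-0d1e2f3a4b5c"),
        os.path.join(rsa, "a" * 64 + "_0d1e2f3a-4b5c-6d7e-8f90-a1b2c3d4e5f6"),
        os.path.join(certs, "b" * 40),
    ]
    for path in placeholders:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"<placeholder>")


def demo():
    """Scan a data-only backup and a full-profile backup; returns their verdicts."""
    results = []
    for with_keys in (False, True):
        with tempfile.TemporaryDirectory() as root:
            make_sample_profile(root, with_keys)
            results.append(backup_has_efs_keys(inventory_efs_key_material(root)))
    return tuple(results)


if __name__ == "__main__":
    data_only, full_profile = demo()
    print("data-only backup has keys:", data_only)        # False
    print("full-profile backup has keys:", full_profile)  # True
```

Run `inventory_efs_key_material()` against the restored profile root to see exactly which files a recovery tool would have to work with; an empty `master_keys` or `rsa_private_keys` list is the "data-only backup" case the thread warns about, and in that situation the documents copied in encrypted form remain unreadable no matter where they are copied to.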