Solved

how to recover EFS enabled folder?

Posted on 2003-03-22
Last Modified: 2013-12-04
Hi, pls let me know if I can recover documents in a folder which is EFS enabled and moved to a new Win XP installation. I tried accessing and changing the attributes of the folder but got access denied. I have also tried adding an EFS recovery agent, but also got access denied...
pls help!
Question by:BSIM
35 Comments
 
LVL 44

Accepted Solution

by:
CrazyOne earned 672 total points
ID: 8188367
Have you taken ownership?

HOW TO: Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421&sd=tech


The Crazy One
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8188375
Did you designate a Recovery agent before you moved the files?
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8188382
http://www.experts-exchange.com/Operating_Systems/Win98/Q_20559880.html

Comment from Flash828  03/16/2003 09:38PM PST  
Unfortunately for the above to work, he/she must be able to log onto the computer and define themselves as a recovery agent.  Only the recovery agent of the machine where the user accounts are stored can decrypt all files as a recovery agent.  For instance, a machine D1, which is a domain controller, can decrypt all files for its domain.  However this machine's recovery agent cannot decrypt a file from machine D1, located on a different domain, or from machine M1, which is a standalone machine.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8188392
From Windows Help

To recover an encrypted file or folder if you are a designated recovery agent

1. Use Backup or another backup tool to restore a user's backup version of the encrypted file or folder to the computer where your file recovery certificate is located.
2. In Windows Explorer, right-click the file or folder.
3. Click Properties.
4. On the General tab, click Advanced.
5. Clear the Encrypt contents to secure data check box.
6. Make a backup version of the decrypted file or folder and return the backup version to the user.

Notes

  • To start Windows Explorer, click Start, point to Programs, point to Accessories, and then click Windows Explorer.
  • You can return the backup version of the decrypted file or folder to the user as an e-mail attachment, on a floppy disk, or on a network share.
  • If you are the recovery agent, you should use the Export command from Certificates in Microsoft Management Console (MMC) to export the file recovery certificate and private key to a floppy disk. Keep the floppy disk in a secure location. Then, if the file recovery certificate or private key on your computer is ever damaged or deleted, you can use the Import command from Certificates in MMC to replace the damaged or deleted certificate and private key with the ones you have backed up on the floppy disk.
0
 

Author Comment

by:BSIM
ID: 8189033
Hi CrazyOne, I did not designate a Recovery agent before I moved the files. I have tried the AEFSDR, but it doesn't seem to work? What more can I do? Pls help!!!
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8189046
Are the disk and the machine it came from still available? If so, booting to that disk on the machine it came from would probably be about the only way to decrypt the files.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8189050
>>>AEFSDR, but doesn't seem to work?

How so? It should work if the files were encrypted with EFS. Of course you have to buy it to get full benefit from it.
0
 

Author Comment

by:BSIM
ID: 8189051
No, the disk where the files came from has been formatted!
0
 
LVL 4

Assisted Solution

by:Ghost_Hacker
Ghost_Hacker earned 664 total points
ID: 8189488
If you have lost the "keys" (both user and recovery agent) due to reformatting, then the files can't be recovered.


Sorry, but you really gotta read up on EFS way before you decide to use it. It's not like other NTFS "rights".
0
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8189561
Also AEFSDR only works if ".... can decrypt protected files only if encryption keys (at least, some of them) are still exist in the system and have not been tampered."


0
 

Author Comment

by:BSIM
ID: 8189597
really no way at all!!!
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8190154
Like I said BSIM

"Are the disk and the machine it came from still available? If so, booting to that disk on the machine it came from would probably be about the only way to decrypt the files."
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8190169
One of the oxymorons about Microsoft is that they aren't real good when it comes to security. But when it comes to EFS they outdid themselves with something that actually works.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 664 total points
ID: 8194015
Reading an EFS volume *requires* the security keypair from its owner on the original machine.

This keypair is exportable, but of course you must have the original machine to do this :)

Instructions on how to export/import the key are here:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/server/encrypt_howto_backup_certificate.asp

(http://makeashorterlink.com/?A26422FE3)

Once you have the key for that EFS folder on your new machine, the folder will work as before :)
0
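The key backup that the Windows Help excerpt and Dave Howe's answer above describe, as an added example that is not part of the original thread: it exports every EFS or file-recovery certificate in the current user's store to a password-protected PFX and re-opens each file to confirm the private key is really in it. It assumes Windows 8 / Server 2012 or later (the PKI module's `Export-PfxCertificate`), and `$BackupDir` is a hypothetical path; on the Windows XP system in the question the same export is done through Certificates in MMC.

```powershell
# Added example: back up the current user's EFS / recovery-agent certificates
# together with their private keys, then confirm each backup is usable.
# Assumes Windows 8 / Server 2012 or later (PKI module for Export-PfxCertificate).
$EkuWanted = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery (recovery agent)'
}
$BackupDir = 'E:\efs-key-backup'   # hypothetical path on removable/offline media
$Password  = Read-Host -AsSecureString -Prompt 'Password protecting the PFX files'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Get-EkuOid($Cert) {
    # Read the Enhanced Key Usage extension directly from the certificate.
    $Cert.Extensions |
        Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $purpose = Get-EkuOid $cert | Where-Object { $EkuWanted.ContainsKey($_) } |
        ForEach-Object { $EkuWanted[$_] }
    if (-not $purpose) { continue }          # not an EFS-related certificate

    $result = [ordered]@{ Thumbprint = $cert.Thumbprint; Purpose = $purpose -join ', '
                          Expires = $cert.NotAfter; Backup = 'none' }
    if (-not $cert.HasPrivateKey) {
        # A certificate without its private key cannot decrypt anything.
        $result.Backup = 'NO PRIVATE KEY ON THIS MACHINE'
    } else {
        $pfx = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
        try {
            Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $Password -ErrorAction Stop | Out-Null
            # Re-open the PFX to prove it really contains the key pair.
            $check = New-Object Security.Cryptography.X509Certificates.X509Certificate2($pfx, $Password)
            $ok = $check.HasPrivateKey -and ($check.Thumbprint -eq $cert.Thumbprint)
            $result.Backup = if ($ok) { "verified: $pfx" } else { 'EXPORTED BUT FAILED VERIFICATION' }
            $check.Reset()
        } catch {
            $result.Backup = "EXPORT FAILED: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}
```

Run it before any reinstall or reformat and store the PFX files off the machine; a row reporting no private key or a failed export means that certificate's files would be unrecoverable after the disk is wiped.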
 
LVL 9

Expert Comment

by:MSGeek
ID: 8194448
BSIM.. I agree with Ghost_Hacker and DaveHowe on this one, sounds as if you may be out of luck.  EFS is very effective, but you always want a couple of backups of your key.

Oh CrazyOne.  "One of the oxymorons about Microsoft is that they aren't real good when it comes to security."

I must take exception to this statement.  MS operating systems are the most widely used in the world, thus they become the easiest target.  If a hacker is going to go after an OS, why would they go after a less widely used platform?  I do believe MS is to blame for their OS security issues, but NO system is totally secure.  We just find out about MS security flaws more as they get hacked a lot more.  At least they issue patches, and they are getting better at issuing patches in a timely manner.  As it stands now, Sun has a security hole in Java that they have not made public, they know about it, it is more than a year old and they have not even attempted to release a patch for it.  Give MS a bit of a break.  I do agree with your statement about EFS.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8194752
Well, the WSJ managed to break EFS in three days - maybe we could ask them :)
0
 

Author Comment

by:BSIM
ID: 8194835
Who is WSJ?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8194915
The American Wall Street Journal - they most conveniently broke EFS on a PC supposedly used for top level planning by OBL and found in an Afghanistan market......

0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8195040
MsGeek, I would have to disagree with you in part. True, MS OS's are the most targeted. But what I meant is that MS, and Bill Gates even admitted to it, treated the security of their OS's as somewhat low priority until a few years ago, and they also admitted that because of this they were and are slow in implementing security because they weren't real experienced at it. There are still probably more back door exploits to a Win2000 Server than there are to Unix Solaris. :>)

BTW wasn't I the first one to imply that there wasn't much hope in decrypting these files unless the original disk was still available? :>)
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8195085
Yup!
0
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8195450
yub :-) but he just wasn't "getting it".


Well as far as the WSJ thing goes, don't forget that Windows is closed source.

Sooooooooooooooo....who really knows what goes on in the dark pits of the Windows API. Use Windows for top secret stuff and you deserve what you get. Perhaps we should send OBL a few more Windows disks  :-)
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8195507
Well said Ghost. :>) got me to laugh.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8195533
Also BSIM, WSJ was probably using a bunch of computers tied together running full bore to break the encryption and it took 3 days. So what chance do you think the average everyday run-of-the-mill user has in doing the same thing?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 8196060
If it were decent crypto, it would take a bunch of computers tied together more than the expected lifetime of the planet.... so either

1) OBL used deliberately weak crypto (and we are to believe that OBL is so law abiding he obeys US export law rather than just downloading a copy from the web)
2) he used something obvious (like "KillTheInfidel") as a password or
3) it was fake.

Given how much of the rest of the evidence surrounding the war on terror was falsified, it wouldn't surprise me if the nice and patriotic WSJ were handed this piece of propaganda and swallowed it hook, line and sinker.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8196115
:>)
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8755060
Advanced EFS Data Recovery (or simply AEFSDR) is a program to recover (decrypt) files encrypted on NTFS (EFS) partitions
http://www.elcomsoft.com/aefsdr.html

EFS Key Beta retrieves EFS-encrypted files from NTFS partitions.
http://www.lostpassword.com/efs.htm?id=efskey_5_5_400

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 

Expert Comment

by:CleanupPing
ID: 9070632
BSIM:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 9133248
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9133519
I disagree, trywaredk. The original key cert still needs to be accessible for that software to work. Since, at least from the way the question is worded, the encrypted files were moved but not the key, I don't think that program will work in this instance.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9133528
http://www.elcomsoft.com/AEFSDR/readme.txt

- The program can decrypt protected files only if encryption keys
  (at least, some of them) are still exist in the system and have
  not been tampered.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 9133668
CRAZYONE...""

:o) Sorry - I remembered the wrong url from http://www.experts-exchange.com/Security/Win_Security/Q_20664130.html

It's http://www.lostpassword.com/efs.htm?id=efskey_5_5_400#demo doing the job without encryption key if you can remember the password used.

0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9134725
Hmmm that might work the only problem I see in this case is

http://www.lostpassword.com/efs.htm?id=efskey_5_5_400#demo
Does not support Windows XP Service Pack 1

Although the user could move the files to a Win2000 machine and try it there.
0
