  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 448

Encrypted files under a domain that no longer exists!!

Hi guys,

I really need your help on this one! Here's the deal:

My company just changed domains (deleting subdomains for OU's). This is a Windows 2000 network.

It just so happens that a user has enabled encryption on a folder that contains VERY important billing information for our clients. Needless to say this annual billing should have happened yesterday (literally).

Encrypting folders is based on GUID's and only the owner of the folder or the EFS Recovery Agent (built in domain account) can decrypt these folders. These two are members of a domain that no longer exists and there is no existing copy of the Recovery Agent's private key.

I found one decrypting tool that didn't work.

The only solution I am seeing is that I find an old backup of the AD, restore it onto a machine (that is NOT network connected) get the files to this machine and decrypt.

Is this doable for you guys? Do you know another solution?

With thanks in advance,

Daniel F.
3 Solutions
 
sirbounty commented:
Greetings DanniF,
Read through this thread - I'd say, unfortunately, your chances of successful results are 1 in 100 (and I'm seriously being generous). http:Q_20916214.html

It 'may' be possible as you've described (you'll only lose time if not) - but I don't think you'll get very far.  If the key isn't available - you won't be able to open the folder.

The link above also has some tools to try - one of which supposedly worked for the author...Good luck!
~sirbounty
 
Rich Rumble (Security Samurai) commented:
There are 2 or 3 other ways besides the decrypting tools, however they work just as seldom :(
EFS makes plain-text copies of the files or folders to be encrypted on your HD- those files are then deleted- they can be recovered by using a low-level file recovery program- the only free one I know that works is disk probe (dskprobe.exe) http://support.microsoft.com/default.aspx?scid=kb;EN-US;206848 the link at the top of the page is where you'll actually need to DL the utilities- dskprobe is in those.

The plain-text files EFS uses are named like this: efsX.tmp where X is an integer starting at 0 and incrementing. efs0.tmp efs1.tmp efs2.tmp etc.... There are plenty of other file recovery programs or "undelete" utilities out there- most will have an evaluation so you can see if it finds the files you're looking for before you buy.
http://www.bitmart.net/
http://www.file-recovery.net/soft.htm (claims to do efs... probably looks for those same files...)

You may have more recovery agents than you know... try efsinfo.exe on the files...
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/efsinfo-o.asp

Another recovery method (but in this case it most likely won't work) is to copy the files to a non-NTFS drive, like fat32 or a samba share. Also the FEK does change if you copy the files off to another standalone computer (not in a domain) and on NTFS... and if you take ownership of the file you may be able to decrypt them... if you are allowed to copy the files or folders... they become plain-text over the network..

The elcomsoft program is supposed to be the best... I've used it, but not in the same situation as yourself. The thread that is linked above is long, but contains some good tips.
-GL!
rich
 
trywaredk commented:
Purchase this one - it works - you could eventually try their free evaluation (only read)

Advanced EFS Data Recovery (or simply AEFSDR) is a program to recover (decrypt) files encrypted on NTFS (EFS) partitions
http://www.elcomsoft.com/aefsdr.html

Next time, remember ...

HOW TO: Back Up the Recovery Agent Encrypting File System Private Key in Windows 2000
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q241/2/01.asp&NoWebContent=1

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
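As an added example (not code from the thread or any of its posters), the PowerShell script below does for a whole folder tree what efsinfo does for one file: it lists which user certificates and which recovery agents can decrypt each EFS-encrypted file, so a migration team can find files that have no recovery agent before the old domain is retired. It assumes Windows XP or later, where `cipher /c` replaces the Windows 2000 resource-kit efsinfo, and an assumed root path of C:\Billing.

```powershell
# Added example, not from the thread. Inventories EFS-encrypted files under a
# folder and reports which users and recovery certificates can decrypt each one.
# Assumptions: Windows XP or later (cipher /c); on Windows 2000 the equivalent
# per-file check is "efsinfo /u /r <file>". $Root is an assumed path.
param([string]$Root = 'C:\Billing')

function Get-EfsDecryptors {
    param([string]$Path)
    # cipher /c prints a "Users who can decrypt:" block and a
    # "Recovery Certificates:" block; the latter reads "None" when no DRA applies.
    $lines = & cipher.exe /c $Path 2>&1 | ForEach-Object { $_.ToString().Trim() }
    $users = @(); $agents = @(); $section = $null
    foreach ($line in $lines) {
        if ($line -like 'Users who can decrypt*') { $section = 'users';  continue }
        if ($line -like 'Recovery Certificates*') { $section = 'agents'; continue }
        if ($line -like 'Key Information*')       { $section = $null;    continue }
        if (-not $line -or $line -like 'Certificate thumbprint*') { continue }
        switch ($section) {
            'users'  { $users += $line }
            'agents' { if ($line -ne 'None') { $agents += $line } }
        }
    }
    [pscustomobject]@{ File = $Path; Users = $users; RecoveryAgents = $agents }
}

# Only files with the Encrypted attribute are worth asking cipher about.
$report = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) } |
    ForEach-Object { Get-EfsDecryptors -Path $_.FullName })

# Files with no recovery agent become unrecoverable once the owning account
# (or the domain that issued its certificate) is gone.
$atRisk = @($report | Where-Object { $_.RecoveryAgents.Count -eq 0 })

$report | Format-Table File,
    @{ n = 'Users';          e = { $_.Users -join '; ' } },
    @{ n = 'RecoveryAgents'; e = { $_.RecoveryAgents -join '; ' } } -AutoSize
"Encrypted files: $($report.Count); without a recovery agent: $($atRisk.Count)"

# Before retiring the domain, export the recovery agent's certificate and private
# key to an offline .pfx (certmgr.msc, or 'cipher /r:<basename>' to create a new
# DRA key pair), as the KB article linked above describes.
```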
 
Gareth Gudger commented:
Maybe the login is still cached on that computer.

Have you tried unplugging it from the network and logging in with the old credentials? They could be cached....

If not, try logging on with the "oldname@olddomain.com" user name format and then your old password.
 
Rich Rumble (Security Samurai) commented:
that is a good idea also...
 
DanniF (Author) commented:
Hi guys and thanks to you all for the quick responses!

I have already tried AEFSDR, it finds some keys (most in red) and cannot decrypt the files.

I have also tried EFS Key (which worked for the other guy in http://www.experts-exchange.com/Security/Win_Security/Q_20916214.html) and it got me to the point where it asks me for the user password, I enter the password for the user who can decrypt this file (verified by efsinfo) but it doesn't work.

I have tried to log on with oldname@olddomain.com with the cable unplugged, still no go.

I am seriously thinking about starting the restore of an old BDC although I prefer not to as this will be a long and painful process.

thanks,
Daniel F.
 
Gareth Gudger commented:
Hey sirbounty,

What was that other thread we were in sometime last week and they were able to log in with their old account somehow and decrypt them?
 
DanniF (Author) commented:
That's probably the one I just linked to, no?
 
Gareth Gudger commented:
Ah...yes you be correct.
 
sirbounty commented:
Yep. ;)
Welcome to the huddle once again diggisaur.  :D
 
DanniF (Author) commented:
Hi guys,

Thanks for your help, after trying all tools and all solutions I could find I proposed the idea of restoring an old DC and the owners of the file decided it wasn't necessary (phew).

Thank you all for your help and see you around the forums ;)

Best Regards,

Daniel F.
MCSA, MCSE, A+, Network+
 
Gareth Gudger commented:
Glad to have helped. :)