Solved

Encrypted files under a domain that no longer exists!!

Posted on 2004-03-24
12
432 Views
Last Modified: 2010-04-11
Hi guys,

I really need your help on this one! Here's the deal:

My company just changed domains (deleting subdomains for OUs). This is a Windows 2000 network.

It just so happens that a user has enabled encryption on a folder that contains VERY important billing information for our clients. Needless to say this annual billing should have happened yesterday (literally).

Encrypting folders is based on GUIDs and only the owner of the folder or the EFS Recovery Agent (built-in domain account) can decrypt these folders. These two are members of a domain that no longer exists and there is no existing copy of the Recovery Agent's private key.

I found one decrypting tool that didn't work.

The only solution I am seeing is that I find an old backup of the AD, restore it onto a machine (that is NOT network connected) get the files to this machine and decrypt.

Is this doable for you guys? Do you know another solution?

With thanks in advance,

Daniel F.
Question by:DanniF
12 Comments
 
LVL 67

Accepted Solution

by:
sirbounty earned 300 total points
ID: 10667184
Greetings DanniF,
Read through this thread - I'd say, unfortunately, your chances of successful results are 1 in 100 (and I'm seriously being generous). http:Q_20916214.html

It 'may' be possible as you've described (you'll only lose time if not) - but I don't think you'll get very far.  If the key isn't available - you won't be able to open the folder.

The link above also has some tools to try - one of which supposedly worked for the author...Good luck!
~sirbounty
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 100 total points
ID: 10667732
There are 2 or 3 other ways besides the decrypting tools, however they work just as seldom :(
EFS makes plain text copies of the files or folders to be encrypted on your HD- those files are then deleted- they can be recovered by using a low-level file recovery program- the only free one I know that works is disk probe (dskprobe.exe) http://support.microsoft.com/default.aspx?scid=kb;EN-US;206848 the link at the top of the page is where you'll actually need to DL the utilities- dskprobe is in those.

The plain text files EFS uses are named like this efsX.tmp where X is an integer starting at 0 and incrementing. efs0.tmp efs1.tmp efs2.tmp etc.... There are plenty of other file recovery programs or "undelete" utilities out there- most will have an evaluation so you can see if it finds the files you're looking for before you buy.
http://www.bitmart.net/
http://www.file-recovery.net/soft.htm (claims to do efs... probably looks for those same files...)

You may have more recovery agents than you know... try efsinfo.exe on the files...
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/efsinfo-o.asp

Another recovery method (but in this case it most likely won't work) is to copy the files to a non-NTFS drive, like FAT32 or a Samba share. Also the FEK does change if you copy the files off to another standalone computer (not in a domain) and on NTFS... and if you take ownership of the file you may be able to decrypt them... if you are allowed to copy the files or folders... they become plain-text over the network..

The elcomsoft program is supposed to be the best... I've used it, but not in the same situation as yourself. The thread that is linked above is long, but contains some good tips.
-GL!
rich
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10668087
Purchase this one - it works - you could eventually try their free evaluation (only read)

Advanced EFS Data Recovery (or simply AEFSDR) is a program to recover (decrypt) files encrypted on NTFS (EFS) partitions
http://www.elcomsoft.com/aefsdr.html

Next time, remember ...

HOW TO: Back Up the Recovery Agent Encrypting File System Private Key in Windows 2000
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q241/2/01.asp&NoWebContent=1

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
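The two pieces of advice above (check with efsinfo which recovery agents each file actually lists, and back up the recovery agent's private key before you need it) can be turned into a routine audit. The following PowerShell script is an added example written for this page; it is not code from any poster or from Microsoft. It assumes a version of cipher.exe that supports the /c switch (Windows XP / Server 2003 and later; on the Windows 2000 systems in this thread efsinfo.exe gives the equivalent listing), that the "Users who can decrypt:" / "Recovery Certificates:" / "No recovery certificate found" section headers are printed as shown (an assumption about cipher's output format), and that the paths in the parameters are placeholders you replace.

```powershell
# Added example, not from the original thread.
# Audits EFS-encrypted files under $Root for the presence of a recovery agent
# and optionally exports a recovery agent certificate + private key with
# "cipher /r" so the key exists somewhere other than a domain that may go away.
param(
    [string]$Root      = 'C:\Billing',                     # constructed placeholder
    [string]$BackupDir = 'D:\EFS-RecoveryAgent-Backup',    # constructed placeholder
    [switch]$ExportRecoveryAgent
)

# Find files carrying the NTFS Encrypted attribute (the same thing efsinfo reports).
function Get-EncryptedFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

# Parse "cipher /c <file>" into the users and recovery agents that can decrypt it.
# The section header strings below are assumed to match cipher's output.
function Get-EfsFileStatus {
    param([string]$Path)
    $text     = (& cipher.exe /c "$Path" 2>&1) | Out-String
    $users    = @()
    $recovery = @()
    $section  = $null
    foreach ($line in ($text -split "`r?`n")) {
        switch -Regex ($line) {
            '^\s*Users who can decrypt:'        { $section = 'users';    continue }
            '^\s*Recovery Certificates:'        { $section = 'recovery'; continue }
            '^\s*No recovery certificate found' { $section = $null;      continue }
            '^\s*Key Information:'              { $section = $null;      continue }
            '^\s*Certificate thumbprint:'       { continue }   # keep only principal names
            '^\s*\S' {
                if     ($section -eq 'users')    { $users    += $line.Trim() }
                elseif ($section -eq 'recovery') { $recovery += $line.Trim() }
            }
        }
    }
    [pscustomobject]@{
        Path           = $Path
        CanDecrypt     = $users
        RecoveryAgents = $recovery
        HasRecovery    = ($recovery.Count -gt 0)
    }
}

# Generate a recovery agent key pair: <base>.cer (public, to import into the
# domain's EFS recovery policy) and <base>.pfx (private key; cipher prompts for a
# password to protect it). Store the .pfx offline, off the domain controllers.
function Export-RecoveryAgentKey {
    param([string]$BackupDir)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $base = Join-Path $BackupDir 'efs-recovery-agent'
    & cipher.exe "/r:$base"
    Get-ChildItem -Path $BackupDir -Filter 'efs-recovery-agent.*'
}

# --- run the audit ---
$report  = Get-EncryptedFiles -Root $Root | ForEach-Object { Get-EfsFileStatus -Path $_.FullName }
$noAgent = @($report | Where-Object { -not $_.HasRecovery })

$report | Format-Table Path,
    @{ Name = 'CanDecrypt';     Expression = { $_.CanDecrypt     -join '; ' } },
    @{ Name = 'RecoveryAgents'; Expression = { $_.RecoveryAgents -join '; ' } } -AutoSize

if ($noAgent.Count -gt 0) {
    Write-Warning ("{0} encrypted file(s) under {1} list no recovery agent; " +
                   "only the owning user's key can open them." -f $noAgent.Count, $Root)
}

if ($ExportRecoveryAgent) {
    Export-RecoveryAgentKey -BackupDir $BackupDir
}
```

Run it as `.\Audit-Efs.ps1 -Root C:\Billing` to see, per file, who can decrypt and which recovery agents are listed; files that show an empty RecoveryAgents column are exactly the ones that become unreadable when the owner's domain account disappears. Adding `-ExportRecoveryAgent` creates the .cer/.pfx pair; the .cer still has to be added to the domain EFS recovery policy, and files encrypted before that change only pick up the new agent when they are next opened and re-saved (or re-encrypted), so the audit is worth re-running afterwards.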
 
LVL 30

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 100 total points
ID: 10668199
Maybe the login is still cached on that computer.

Have you tried unplugging it from the network and logging in with the old credentials? They could be cached....

If not, try logging on with the "oldname@olddomain.com" user name format and then your old password.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10668273
that is a good idea also...
0
 
LVL 6

Author Comment

by:DanniF
ID: 10668290
Hi guys and thanks to you all for the quick responses!

I have already tried AEFSDR, it finds some keys (most in red) and can not decrypt the files.

I have also tried EFS Key (which worked for the other guy in http://www.experts-exchange.com/Security/Win_Security/Q_20916214.html) and it got me to the point where it asks me for the user password, I enter the password for the user who can decrypt this file (verified by efsinfo) but it doesn't work.

I have tried to log on with oldname@olddomain.com with the cable unplugged, still no go.

I am seriously thinking about starting the restore of an old BDC although I prefer not to as this will be a long and painful process.

thanks,
Daniel F.
0
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 10668318
Hey sirbounty,

What was that other thread we were in sometime last week and they were able to log in with their old account somehow and decrypt them?
0
 
LVL 6

Author Comment

by:DanniF
ID: 10668332
That's probably the one I just linked to, no?
0
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 10668453
Ah...yes you be correct.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10669847
Yep. ;)
Welcome to the huddle once again diggisaur.  :D
0
 
LVL 6

Author Comment

by:DanniF
ID: 10676047
Hi guys,

Thanks for your help, after trying all tools and all solutions I could find I proposed the idea of restoring an old DC and the owners of the file decided it wasn't necessary (phew).

Thank you all for your help and see you around the forums ;)

Best Regards,

Daniel F.
MCSA, MCSE, A+, Network+
0
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 10676131
Glad to have helped. :)
0
