?
Solved

EFS recovery(many topics but i haven't found the good idea)

Posted on 2006-05-30
13
Medium Priority
?
316 Views
Last Modified: 2010-04-11
You know how XP Pro lets encrypting files and folders when you press right mouse button on Properties, and the file changes colour into green?
Well, i protected my most important files with that, and then I forgot to decrypt them, before I formated my partition where my OS was installed..
Now I installed new XP Pro on same partition, but the encrypted files are not accecable anymore...
I tryed using "EFS Key 7.1" and "Advanced EFS Data recover", but no luck with any of them..
I will kill myself if I don't manage to get my files back..
Anyone knows how to decrypt these files now???

I forgot to make PRIVATE KEY before the account has been deleting. Help help!
0
Comment
Question by:vnitlove
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 16789385
There is no solution to this problem.  You must either decrypt the files before doing what you did OR must have made a recovery key.  Please don't blame me but this encryption scheme was SPECIFICALLY designed to prevent what you want to do.  Namely, do a post-mortem recovery of the data without a saved private key.  

If you didn't want the files to be secured you should not have encrypted them.
0
 
LVL 32

Expert Comment

by:jhance
ID: 16789392
Please DON'T kill youself over this.  Regardless of what was lost, the situation won't be helped by doing that.
0
 
LVL 1

Expert Comment

by:matte2006
ID: 16797014
http://www.elcomsoft.com/aefsdr.html

Try going to this website, it talks of being able to recover data from Encrypted File Systems.

Good Luck
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 16817792
I believe the asker has tried AEFSDR, and in this situation it won't work. The only possible solution as i see it, is to use a data-recovery program to find the old key, however this is not a very good solution. Other than that, you may be able to find a plain-text copy of the files using the same sort of data-recovery software. EFS copies all the files your encrypting into a plain-text file in the same directory the data resides. So if you had files in My Documents that you encrypted, EFS made a plain-text copy of them in that dir, and the "deleted" those temp files... it's not wiped... but marked on the file allocation table as deleted. IF those files are on a partion where you did not reinstall the os, your chance of recovery is greater... but still difficult.
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
Reducing the Risk of Discovery of Plaintext Shreds
EFS incorporates a crash recovery scheme whereby no data is lost in the event of a fatal error such as system crash, disk full, or hardware failure. This is accomplished by creating a plaintext backup of the original file being encrypted or decrypted. Once the original is successfully encrypted or decrypted, the backup is deleted. Creating a plaintext copy has a side effect; the plaintext version of the file may exist on the disk until those disk blocks are overwritten by NTFS for some other file.
The recommended way to encrypt sensitive data using EFS is to create a folder, set the encrypt attribute on it, and then create files within it. If this is done, the files will be encrypted from the start. EFS will never create a backup file containing plaintext; this ensures that there will never be plaintext shreds on the drive.
============
So if the folder where these files resided, were not copied to an already encrypted folder, there is a chance... the less you mess with that directory and or hard-drive the better... if you've ever looked at a "disk defrag" utility, you can see how files can be scattered all over the HD, and it's very possible that one file that resides in lets say "my documents" folder, could potentially be at one end of th disk, and another file in my docs could be at the other end of the disk...
IF you do decide to try to recover the plain-text versions of these files with a low-level data recovery utility, do not install the utility on the HD you need to get the data from... buy a new HD or use another PC to scan the HD you need to find the data on, the more you mess with the current HD, the less your chances of finding the data...
efs makes copies of the files using the convention of
efs0.tmp  efs1.tmp  efs2.tmp etc...  http://www.ntfs.com/internals-encrypted-files.htm
-rich
0
 

Author Comment

by:vnitlove
ID: 16821771
thanks richrumble so much. I will try it soon.
Could you tell me the best low-level data recovery utility?
0
 
LVL 3

Expert Comment

by:cduke250
ID: 16825974
Bummer, I feel your pain.

What I would do right now is buy Norton Ghost and Make a bit by bit backup of your entire hard-drive to DVD's or to a different hard-drive.  

That way, if one of your attempts at recovering the files fails miserably and you accidently totally erase any chance at getting them back,   All you have to do is use ghost to copy it back onto your hard-drive and then you can try again and again.

I'm speaking from a lot of past experience recovering non-encrypted (but deleted or reformatted) data on hard-drives..  it is one LONGGG time-consuming processs.

You should weigh how much your time and energy and health are worth vs. paying an expert data recovery specialist to handle it for you.  If the files are that important, unplug your computer right now and don't turn it on again until a data recovery specialist has told you too.

Good Luck
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16827839
I'm afraid norton ghost doesn't work like that... While it will image the data on the drive, that you can use as a back-up most certainly... it will not image "deleted" data. or formated data. Norton reads the File Allocation Table (or journal in the case of NTFS) and creates it's images from that, norton does not do bit-for-bit copying/imaging.  Reading about the "disable smart sector" copying method could lead someone to believe that norton copies the data if it's marked as deleted or not, however this is not the case in my findings, I've checked with every version since 4.0 till now 10.0.
Save your money for a professional if you must have the data back, the more you mess with that HD, the less likely anyone is to recover it.
There are devices out there that will do bit-for-bit copying of HD's but ghost isn't one of them. As mentioned before, if you need the data it's best to consult a professional, and be sure to ask about their garuntee's up front, and especially what they think the chances of recovery are.
-rich
0
 
LVL 3

Expert Comment

by:cduke250
ID: 16850879
Yes rich is right, norton only does bit-by-bit copies if you tell it too.  It might be in the advanced section of the norton menu.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16851040
I've found that even if you tell it todo the bit-by-bit copy, that old deleted data isn't recoverable, our corporation explored this topic for many months, and we used everything we could think of. On-Track's recovery programs and Spin-Rite from grc.com proved to be very good at recovering data from the original hd, the ghosted data never produced anything that was recoverable for us using the same tools.
-rich
0
 
LVL 3

Expert Comment

by:cduke250
ID: 16882017
Really? That is good to know rich~!

Yes I can also recommend Spin-Rite from grc.com, great guys and great product!
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
Securing your business data in current era should be your biggest priority. Numerous people are unaware of the fact that insiders commit more than 60 percent of security breaches. You need to figure out the underlying cause and invoke your potential…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question