  • Status: Solved

EFS Decryption

Hi, I have a problem similar to others that have been asked here regarding EFS decryption.

Some time ago I was using a laptop with Windows XP Professional SP2, on which I encrypted some files using Windows' EFS system (Right click/Properties/Advanced/Encrypt contents to secure data). That laptop got well and truly screwed up, but I was able to access my hard drive via a program called Winternals and copy all of my files to a CD. This means I did not back up any Certificates or Recovery Agents or anything; I simply copied & pasted the files to a different location.

Now I am using a completely different computer and I have sold the old laptop. My problem is that I want to decrypt some files that I had previously encrypted on the older machine using Windows XP's EFS. Now that I have the files on my current machine, they appear to be just simple files to the computer, that is, they are not regarded as encrypted and thus aren't coloured in green. But when I try to open them they are still encrypted.

The files are .jpg image files; when they are opened they don't preview and aren't recognised by the applications, but they are still regarded as .jpg files in Windows Explorer (i.e. they still have the .jpg extension and the .jpg file icon).

I have done a lot of research on this and can't come up with any results.
- I've tried AEFSR from ElcomSoft, but that doesn't work as it tries to search my computer for keys which don't exist.
- I can't use data recovery, although I have tried, since this machine has never had the original decrypted files and hence they weren't deleted from this hard disk when encrypted by EFS. I also don't have the old machine that encrypted the files.
- http://www.beginningtoseethelight.org/efsrecovery/ contains an interesting article that I have tried my best to follow, but I find a lot of the instructions unclear.
- Apparently Microsoft have developed reccerts.exe and can send it to me for a fixed £40 charge (for contacting their support professionals). I'm not sure whether this would fix my problem, so I'm unwilling to waste £40 on this unless I know for sure it's gonna work.

As a quick introduction to decrypting in EFS, apparently it is done by:
- Taking either the private key of the user or that of a recovery agent
- Using this to decrypt the FEK (File Encryption Key) stored inside the encrypted file via the RSA algorithm
- Using this FEK in turn to decrypt the file using one of the following algorithms: DES, AES, DESX, Triple-DES. (I'm pretty sure that DES was used when encrypting my files as it tends to be the default according to the registry on my current machine.)

I'm out of ideas now, which is why I'm asking you guys for help.

Thanks in advance, Jonathon.
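The key hierarchy Jonathon sketches above (an RSA-protected FEK that in turn protects the file, unwrappable by either the user's or a recovery agent's private key) is shown below as an added Go example. It is not code from this thread or from Windows EFS: it models only the key wrapping, with AES-GCM standing in for the DES/DESX/3DES/AES file cipher, and the on-disk layout is simplified. The names (EncryptedFile, Encrypt, Decrypt, Scenario) and the sample plaintext are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is a constructed stand-in for an EFS-style encrypted file:
// the content is encrypted under a random File Encryption Key (FEK), and the
// FEK is wrapped once per authorised key holder (the user's key and any
// Data Recovery Agent keys). Real EFS metadata ($EFS stream, DDF/DRF) differs.
type EncryptedFile struct {
	Nonce      []byte   // AES-GCM nonce for the content
	Ciphertext []byte   // content encrypted under the FEK
	WrappedFEK [][]byte // one RSA-OAEP wrapping of the FEK per key holder
}

// Encrypt generates a fresh FEK, encrypts data with it, and wraps the FEK
// for every public key in holders (user key first, recovery agents after).
func Encrypt(data []byte, holders []*rsa.PublicKey) (*EncryptedFile, error) {
	if len(holders) == 0 {
		return nil, errors.New("at least one key holder is required")
	}
	fek := make([]byte, 32) // 256-bit FEK for AES-256
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}
	for _, pub := range holders {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedFEK = append(ef.WrappedFEK, wrapped)
	}
	return ef, nil
}

// Decrypt tries priv against every stored FEK wrapping and, if one unwraps,
// decrypts the content. A key that wrapped none of the copies (such as the
// key of a freshly installed machine) recovers nothing.
func Decrypt(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	var fek []byte
	for _, w := range ef.WrappedFEK {
		if k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil); err == nil {
			fek = k
			break
		}
	}
	if fek == nil {
		return nil, errors.New("no wrapped FEK matches this private key")
	}
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Scenario reports which key holders can recover a constructed file: the
// original user, a recovery agent whose key was wrapped in at encryption
// time, and a new machine whose key was never involved.
func Scenario() (userOK, agentOK, newMachineOK bool, err error) {
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	agentKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	newMachineKey, err := rsa.GenerateKey(rand.Reader, 2048) // never saw the file
	if err != nil {
		return
	}
	plaintext := []byte("constructed sample: JPEG bytes would go here") // constructed input
	ef, err := Encrypt(plaintext, []*rsa.PublicKey{&userKey.PublicKey, &agentKey.PublicKey})
	if err != nil {
		return
	}
	got, e1 := Decrypt(ef, userKey)
	userOK = e1 == nil && bytes.Equal(got, plaintext)
	got, e2 := Decrypt(ef, agentKey)
	agentOK = e2 == nil && bytes.Equal(got, plaintext)
	_, e3 := Decrypt(ef, newMachineKey)
	newMachineOK = e3 == nil
	return
}

func main() {
	u, a, n, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("user key recovers file: %v\nrecovery agent recovers file: %v\nnew machine's key recovers file: %v\n", u, a, n)
}
```

The recovery agent succeeds only because its public key was present when the FEK was wrapped; a key generated later, on another machine, has no wrapping to attack, which is why tools that hunt the current machine for certificates find nothing useful in the situation described. Exporting the user's EFS certificate with its private key, or configuring a recovery agent before encrypting, is the control that would have preserved access.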
1 Solution
You could give this a try:

but I doubt that, with just the encrypted files and no Windows system files in the background, it will be possible to really decrypt your files. But give it a try:

An unregistered (trial) version of Advanced EFS Data Recovery decrypts only the first 512 bytes of all files, padding the rest of the content with zeros (the source/encrypted files remain untouched).

henderbops (Author) commented:
I have tried that application and, as mentioned above, it did not work because it searched for non-existent keys within my current machine. As of yet I am still stuck for clues on how to do this. Thanks for your attempt.

You can't recover those files. You need your original PC with original OS. Keys are 512 to 2048 bits - cracking will be entirely unrealistic.
henderbops (Author) commented:
Yeah, I thought as much..

I'm sure I've read somewhere about the Windows username and password being hashed to create something to help you decrypt. Well, I'm still hopeful; surely it can be done, it's just extremely difficult.
Unfortunately, the "extremely difficult" prospect is as NetSecX indicated: brute-force cracking the actual encryption keys without the files in which the keys were stored is pretty unrealistic for anyone but the NSA (or other orgs with large budgets for dedicated key-cracking hardware).

The only practical possibility that hasn't been definitively answered by you yet is this: did you back up ANY files under C:\Documents and Settings\ ? If not, then it's off to the NSA... If so, and you still have that backup, then look for files under the following directories:
c:\documents and settings\USERNAME\application data\microsoft\protect\
c:\documents and settings\USERNAME\application data\microsoft\crypto\RSA\
c:\documents and settings\USERNAME\Application Data\Microsoft\SystemCertificates\My\Certificates

A little more information in the other post I made today on this: http://www.experts-exchange.com/Security/Misc/Q_22729539.html

[Yes, I suspect you already answered this implicitly by what you indicated about AEFSDR not finding non-existent files, but I really want to be sure before we slam the door on this, the only real option.]

If AEFSDR fails, then I wouldn't waste the extra 40 quid on Microsoft. Reccerts will just go looking for those same non-existent files, and will make you feel worse for paying $$ to the dopes who got you into this situation in the first place. :(
henderbops (Author) commented:
Yeah, that is about my only hope I guess. Do you know how to go about brute-forcing the encryption keys? Exactly what is brute-forced? Is it the FEK or is it the private key used to decrypt the FEK? Are there any apps that can attempt this?

henderbops (Author) commented:
Does anyone know of any applications that could attempt to brute-force the keys for a file?
