Lost Certificate and Private key of EFS XP Pro laptop.

Posted on 2007-07-30
1,070 Views
Last Modified: 2013-12-04
XP Pro laptop hard drive crashed and it had EFS and the certificate and private key were never exported.  It was never part of a domain.  A full backup was made of the data (not OS system) 1 week prior to crash.  Can the data be recovered?

Question by: bluedwarf243

8 Comments

Accepted Solution by CoccoBill (LVL 19, earned 2000 total points), ID: 19598961
If the private key was not exported nor a domain recovery agent configured, I'm afraid the data cannot be recovered. The default recovery agent for a standalone computer is the local Administrator account, but if the OS files are missing there's not much you can do. You could try software like Elcomsoft Advanced EFS Data Recovery (google for it, they have a free trial version), but I doubt it will be able to do anything without the private keys.

Expert Comment by PowerIT (LVL 18), ID: 19599427
Elcomsoft AEFSDR can only recover EFS files from XP if it has access to the keys.
An only-data-backup usually does not have the keys.
But you can always try: restore that backup on a separate disk (if it's an image) or just under a folder. Then - using the trial version of AEFSDR - have it scan for the keys in that restore.
If it finds the keys it will tell you. You cannot recover with the trial version but at least you'll know if it would be possible before you buy.
Anyway: I don't think you will be so lucky given the circumstances. 99.99...% chance that the data is lost.
Even data recovery companies will not be able to help you. That's what EFS was designed for.

J.

Author Comment by bluedwarf243, ID: 19600907
There was a full backup of the data only 1 week prior to the hard drive crash on the laptop.  Have you ever tried moving or copying the data from a drive that had encrypted data on it to a FAT32 partition?  This could be done through running another backup or XCOPY.   Because if you could successfully do that it would lose its encryption, correct?  Then the data would be readable.

Expert Comment by CoccoBill (LVL 19), ID: 19601123
That's incorrect, the data will not be decrypted that simply. The encryption is only removed if a user that's logged in with access to the data copies it to a non-NTFS disk, otherwise it will be copied in encrypted form. As PowerIT said, that's the purpose of EFS, to secure the data so that it cannot be recovered by 3rd parties. Of course EFS isn't 100% secure, and it can be cracked. Apparently MS offers a service that attempts to recover missing private keys for a fee, check out this link with some more information on the subject:

http://www.beginningtoseethelight.org/efsrecovery/

Author Comment by bluedwarf243, ID: 19601317
Do you know where the exact default location of the private key on a windows C: system drive is?  The drive is in bad shape but all we need is that one private key because we have a backup of all the data.

Expert Comment by PowerIT (LVL 18), ID: 19601434
The MS service (RECCERTS.EXE, cost ca 280$) does the same as AEFSDR and will also not work with missing keys. To my knowledge, there is no backdoor. The link only explains a manual process. CoccoBill, if you have other information please post a direct link here.
BTW, this is about XP. Win2K was a different story...

The other thing: a successful copy by the original user to a FAT32 partition would indeed decrypt the files.
Because it was a long while ago I just tested it again and can confirm this.
So if your backup was an xcopy to a FAT32 made by the legitimate user then you should be able to read it.

J.

Expert Comment by PowerIT (LVL 18), ID: 19601487
Have AEFSDR scan that disk. It is read only so should be OK.
Have to run now.

J.

Expert Comment by poseidoncanuck (LVL 4), ID: 19605485
A few points of clarification:
- MS support will give you a copy of Reccerts.exe without paying directly for the software - the price quoted ($280) is an average price for a PSS incident.  If you work for an organization that has any PSS/TAM contracts, and you can have them file an incident for you, then get them to request reccerts.exe for you.

- For most recovery applications, you'll need at minimum the user's Master Key file *and* the file that stores the user's RSA private key for EFS.
  - the Master Key file is found under here: c:\documents and settings\USERNAME\application data\microsoft\protect\  [There may be multiple files, so grab as many of them as you can]
  - the Private Key file is found under here: c:\documents and settings\USERNAME\application data\microsoft\crypto\RSA\ [There will likely be multiple files - grab as many of these as you can as well]
- You'll find the actual files stored in a subdirectory that corresponds to the user's SID
- If you get these files, then restore them as much as possible to a similar set of folders on a working system
- It's unlikely that you'll be able to reconstruct all the configuration details (at least, I've never tried 'cause it looks pretty complex) to be able to dump these files into a new user profile and have them "just work".  But who knows?  It's sure worth a try if you don't have any of the recovery tools available.  [If you have trouble with this, maybe you'll need to copy the user's digital certificate files as well: c:\documents and settings\USERNAME\Application Data\Microsoft\SystemCertificates\My\Certificates ]

- When the user who encrypted the files logs on and is able to *open* the encrypted files, only *then* will they be able to copy them to e.g. a FAT32 volume.  At that point, yes they'll be decrypted.
- The critical aspect to this is the user has to be able to decrypt the files, so they need to have access to their EFS private key.  Just logging on to the system won't work (unless the keys have been successfully recovered); having NTFS permissions "access" won't work either (although that's also necessary, it's usually not the determining factor).
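The two checks the thread turns on, as an added example that is not from any of the posters: whether a restored profile still holds the DPAPI master key, RSA key and certificate files at the XP paths listed above, and whether the files in the data backup still carry the NTFS Encrypted attribute (a copy made to FAT32 by the owning user would have none). Run it on a working machine with the restored volumes attached; the two root paths are assumptions to adjust.

```powershell
# Added example: inventory EFS key material in a restored XP profile and report
# how many backup files are still EFS-encrypted. Roots below are assumed values.
param(
    [string]$ProfileRoot = 'D:\restore\Documents and Settings\USERNAME',  # assumed
    [string]$BackupRoot  = 'E:\backup\data'                               # assumed
)

$appData = Join-Path $ProfileRoot 'Application Data\Microsoft'
# Paths as given in the thread; key files sit in a per-user SID subfolder below each.
$keyDirs = @{
    'DPAPI master keys' = Join-Path $appData 'Protect'
    'RSA private keys'  = Join-Path $appData 'Crypto\RSA'
    'EFS certificates'  = Join-Path $appData 'SystemCertificates\My\Certificates'
}

Write-Host "== Key material under $ProfileRoot =="
foreach ($name in $keyDirs.Keys) {
    $dir = $keyDirs[$name]
    if (-not (Test-Path $dir)) {
        Write-Host ("{0,-18} MISSING  {1}" -f $name, $dir)
        continue
    }
    # -Force includes the hidden/system files DPAPI writes; skip directories.
    $files = @(Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    Write-Host ("{0,-18} {1,4} file(s)  {2}" -f $name, $files.Count, $dir)
    foreach ($f in $files) { Write-Host ("    {0}  ({1} bytes)" -f $f.FullName, $f.Length) }
}

Write-Host ""
Write-Host "== Encryption state of files under $BackupRoot =="
$encrypted = 0; $plain = 0
Get-ChildItem -Path $BackupRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        # NTFS-to-NTFS copies keep the Encrypted attribute; FAT32 cannot store it,
        # so a user-made xcopy to FAT32 holds plaintext with no such flag.
        if (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) { $encrypted++ }
        else { $plain++ }
    }
Write-Host "encrypted: $encrypted   plain: $plain"
if ($encrypted -gt 0) {
    Write-Host "Encrypted files present: readable only with the user's EFS private key."
}
```

On a machine that is still working, `cipher /x:<file>` (XP SP2 and later) exports the current user's EFS certificate and private key to a .pfx so this situation does not arise.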