Solved

Decrypting file encrypted in Explorer

Posted on 2007-11-27
6
1,872 Views
Last Modified: 2008-03-17
Issue:  File encrypted in Explorer with the RightClick/Properties/Advanced/Encrypt thing.  File is on Seagate external HD.  Then Windows is reinstalled on PC.  Now can't decrypt file.  Anything that can be done or are we toast?

Thanks, Ron Hicks
0
Comment
Question by:Ronald Hicks
  • 3
  • 2
6 Comments
 
LVL 6

Accepted Solution

by:
dworlton earned 250 total points
ID: 20358208
Unless you are on a domain and created a recovery agent prior to encryption, then you are most likely toast. EFS is not meant to be recovered without the original encrypting users certificates which are stored on the local hard drive. The recovery agent is the only other way to be able to restore something encrypted with EFS.

Here is a link for info about decrypting EFS without the encrypting certificate (notice recovery agent needed):
https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx?mfr=true
 
And here is a link explaining how to set up recovery agents:
https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx?mfr=true
0
 

Author Comment

by:Ronald Hicks
ID: 20362680
I read in a 2004 thread the suggestion that OpenOffice might be able to open such an encrypted file.  Got any information or an opinion on that?  Maybe it worked once upon a time but EFS has been tightened since then.  --ron
0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 250 total points
ID: 20506507
Openoffice might be able to bypass a word password by some means but not the EFS encryption.

But that encryption goes a bit deeper. So yes toast.

You might be able to use some recovery software like oo-software unerease, maybe there is something left of the original unencrypted file, since windows, afaik, doesn't overwrite the old unencrypted file just masks it as deleted.

the free trial version is able to identify possible leftovers on the hard disk:
http://www.oo-software.com/home/en/products/oounerase/

O&O UnErase 4 makes the restoration of deleted data as easy as "a walk in the park". With the help of a new and one-of-a-kind algorithm, more files can be restored than ever before.
Within a matter of seconds, O&O UnErase 4 finds your deleted files and restores them with just the click of a button. The original filename and directory structure are also restored as if nothing had been deleted in the first place.

Tolomir

0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:Ronald Hicks
ID: 20511159
Still subject the ravages of time as sectors are released and overwritten though I suppose.  It's been over a month now, so i wouldn't expect to find many intact file fragments.  It is very useful to know how EFS works; that it marks the original file as deleted and encrypts a copy.  Very useful indeed.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 20511935
you can test for yourself. take a 500 mb big file (like an iso image) and let windows encrypt that file. you will see that a tmp file will appear and after the conversion is finished the tmp file disappears with the original file and a "new" (the renamed tmp file) in blue appears (if you let windows mark all compressed fkiles with blue, windows explorer setting)

Here are some more details: http://en.wikipedia.org/wiki/Encrypting_File_System

Btw. if you need an encryption you should go with truecrypt: www.truecrypt.org

That is plattform independent, doesn't care about the users password as with efs and it's free opensource:

# Creates a virtual encrypted disk within a file and mounts it as a real disk.
# Encrypts an entire hard disk partition or a storage device such as USB flash drive.
# Encryption is automatic, real-time (on-the-fly) and transparent.
# Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

1) Hidden volume (steganography  more information may be found here).
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

# Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: LRW.

Tolomir
0
 

Author Comment

by:Ronald Hicks
ID: 20512488
Very useful addition to this thread.  Thank you.  I wish I could give points.  Others will thank you too I'm sure.  --ron
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now