How do I recover and employ deleted EFS certificates to decrypt a directory on my local drive D:?

I am trying to recover erased Vista EFS certificates. The customer lost his keys and no disk writing has occurred after the loss (erased?). Standard data recovery tools should bring back the missing certificates, but I'm not sure what needs to be recovered and where to put the recovered items so that I can decrypt a certain directory that the user has encrypted. I only have a bit copy of his drive set up as drive D: on my system.

Thanks
gbulger asked:

Paranormastic (Cryptographic Engineer) commented:
You install the DRA cert on the user box when everything is working normally.  The DRA cert is the ounce of prevention...  You can't apply it afterwards without the user logging in to update the existing encrypted files, as they would need to log in to decrypt them to re-encrypt them with their cert and the DRA cert.  It isn't magic.  In other words - if you didn't already have the DRA installed, then forget about that for now and move on, then when this fire is out take your new DRA cert, back up the PFX in at least 3 different physical locations (USB flash drives, CD, etc.), then put it into group policy so all of your clients will use the same DRA cert so you are prepared for next time.

For now, I would see if you can take the information from the 3rd paragraph from my last post and do something with that.  If that doesn't work then you might need to chalk this one up to experience and either let it go or bring it into a data recovery specialist like DriveSavers (which isn't cheap and still isn't guaranteed).

If the private key or any single bit of the encrypted file got overwritten, you're not going to get anywhere with standard tools.  Sometimes you get lucky, sometimes you don't, and sometimes you pay a few hundred bucks or more to get the pros with the special equipment that can read lost data better than a utility you can download.
0
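An added example, not from the thread, of the "ounce of prevention" described above: it generates the DRA key pair with "cipher /r", confirms the certificate carries the File Recovery EKU, and copies the PFX to several backup locations, verifying each copy by hash. It assumes PowerShell 4 or later on the admin's own workstation; the backup target paths are hypothetical.

```powershell
# Added example, not from the thread: create a DRA key pair with cipher /r and
# back the PFX up to several independent locations, verifying each copy by hash.
# Assumptions: PowerShell 4+, run as the admin who will hold the DRA; the backup
# targets below are hypothetical (USB drive, second USB drive, secured share).
param(
    [string]$Name = "DRA-$(Get-Date -Format yyyyMMdd)",
    [string[]]$BackupTargets = @('E:\dra-backup', 'F:\dra-backup', '\\fileserver\secure\dra')
)

# cipher /r prompts for a password to protect the PFX and writes <Name>.cer and
# <Name>.pfx into the current directory. The .cer is what goes into policy; the
# .pfx (which holds the private key) stays offline and backed up.
$work = Join-Path $env:USERPROFILE 'dra-work'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Push-Location $work
try {
    cipher.exe /r:$Name
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}
$pfx = Join-Path $work "$Name.pfx"
$cer = Join-Path $work "$Name.cer"

# Sanity check: the certificate must carry the File Recovery EKU
# (1.3.6.1.4.1.311.10.3.4.1) or EFS will not accept it as a recovery agent.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or $eku.Format($false) -notmatch '1\.3\.6\.1\.4\.1\.311\.10\.3\.4\.1') {
    throw "Certificate $($cert.Thumbprint) lacks the File Recovery EKU"
}

# Copy the PFX to every target and verify each copy; recovery later depends on
# at least one intact copy of this file surviving.
$refHash = (Get-FileHash -Path $pfx -Algorithm SHA256).Hash
foreach ($target in $BackupTargets) {
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    $copy = Join-Path $target "$Name.pfx"
    Copy-Item -Path $pfx -Destination $copy -Force
    $ok = (Get-FileHash -Path $copy -Algorithm SHA256).Hash -eq $refHash
    '{0,-45} {1}' -f $copy, $(if ($ok) { 'OK' } else { 'HASH MISMATCH' })
}
"DRA thumbprint: $($cert.Thumbprint)"
"Publish $cer via secpol.msc > Public Key Policies > Encrypting File System > Add Data Recovery Agent"
```

Only the .cer is published through policy; existing encrypted files pick up the new agent the next time their owner opens or re-encrypts them, which is why this has to be in place before a key is lost.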
Paranormastic (Cryptographic Engineer) commented:
If you happen to have a Data Recovery Agent set up, that would be the easiest way to do that (default would be local admin). If you don't have a DRA then read this thread, it sounds pretty similar:
http://www.experts-exchange.com/Security/Encryption/Q_23998823.html

Take note of the product recommendation in post 23231153
0
gbulger (author) commented:
I'm not sure what to do next. I have tried to set myself up as a recovery agent by:

- log in as administrator
- run "cipher /r: gordon", which placed a .pfx and .cer in the administrator's directory. These are the recovery agent's public and private certificate keys, I presume.
- I imported the pfx file by clicking on it to open the import wizard, then ran "start-run-secpol.msc", selected "Public Key Policy-EFS", then selected "add data recovery agent" and selected the .cer file.

I ran data recovery sw on his drive and recovered several .pfx files which may be his missing private keys. His drive is locally hooked up as the second disk on my recovery computer.

How do I use these keys? I have aefsdr pro. Is the pfx key I generated with the .cer key ever used in this process?

Sorry to be so stupid.
0
Paranormastic (Cryptographic Engineer) commented:
The DRA cert would need to be installed on the user box prior to requiring its use, not after.  You could use the DRA in place of their certificate to decrypt the data during the aefsdr recovery process.

The pfx files from the user hard drive might be of use if the user happens to remember the password to them - if you can copy them off that disk to your workstation you can have him try some of his typical passwords on that, and if it locks out then you can just pop in another copy.  You will need to unlock that in order to move forward recovering the encrypted data.

Alternatively, you can see if aefsdr pro will have any luck with the files located in the %userprofile%\Application Data\Microsoft\Crypto\RSA\%sid% directory.  This is where the private keys are stored.  Note: the file names will just be random characters with no extension - this is fine and normal.


From your previous comment - yes the pfx has both the public and private keysets included with the cert and is usually password protected.  You would put the .cer file (public key only with the cert) into your policy settings (local policy, GPO, etc.) and use the pfx for decryption processes.
0
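An added example, not from the thread, for triaging the recovered .pfx files along the lines described above: it opens each file with a password the user supplies, reports whether it is actually an EFS certificate, and checks its thumbprint against the keys "cipher /c" lists for one file from the encrypted directory. It assumes PowerShell 3 or later; the directory and sample file paths are hypothetical.

```powershell
# Added example, not from the thread: report which recovered .pfx files open with
# the user's password, whether they are EFS certificates, and whether their
# thumbprint is one that cipher /c says can decrypt a sample encrypted file.
# Assumptions: PowerShell 3+; $RecoveredDir and $EncryptedSample are hypothetical.
param(
    [string]$RecoveredDir = 'C:\recovered-pfx',                          # where the recovery tool wrote the .pfx files
    [string]$EncryptedSample = 'D:\Users\customer\Secret\example.docx',   # one file from the encrypted directory on D:
    [Parameter(Mandatory)][securestring]$Password                         # the password the user believes he used
)

# cipher /c lists the certificates that can decrypt the file, printing each
# thumbprint as spaced hex after "thumbprint:"; normalise to bare uppercase hex.
$needed = cipher.exe /c $EncryptedSample |
    Select-String -Pattern 'thumbprint:\s*([0-9A-Fa-f ]+)' |
    ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpperInvariant() }

function Test-RecoveredPfx {
    param([string]$Path, [securestring]$Password, [string[]]$Wanted)
    $result = [ordered]@{ File = Split-Path $Path -Leaf; Opened = $false; Subject = $null
                          Thumbprint = $null; Usage = $null; MatchesFile = $false }
    try {
        # Opening the PFX with the wrong password throws; nothing is imported into a store.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
        $result.Opened = $true
        $result.Subject = $cert.Subject
        $result.Thumbprint = $cert.Thumbprint
        # Enhanced Key Usage (2.5.29.37): an EFS cert shows "Encrypting File System"
        # (1.3.6.1.4.1.311.10.3.4); a DRA shows "File Recovery" (1.3.6.1.4.1.311.10.3.4.1).
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $result.Usage = if ($eku) { $eku.Format($false) } else { 'none' }
        $result.MatchesFile = $Wanted -contains $cert.Thumbprint.ToUpperInvariant()
    } catch [System.Security.Cryptography.CryptographicException] {
        # Wrong password, or a PFX that was partially overwritten on disk; both look alike here.
    }
    [pscustomobject]$result
}

Get-ChildItem -Path $RecoveredDir -Filter *.pfx -Recurse |
    ForEach-Object { Test-RecoveredPfx -Path $_.FullName -Password $Password -Wanted $needed } |
    Format-Table -AutoSize
```

A row with Opened = True and MatchesFile = True is the PFX worth importing into the recovery account and pointing aefsdr at; a file that opens but does not match belongs to some other certificate and will not decrypt that directory.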
gbulger (author) commented:
How do I install the DRA cert files on the user box if I don't have a booting drive from the user?
As it stands I have his drive only as a local drive g: attached to my recovery computer. What are the steps involved in using the DRA in place of their certificate to then decrypt the data? I am really a beginner here (obviously).

Thanks
0
Question has a verified solution.