Solved

How can I use a brute force decrypt of XP encrypted files

Posted on 2009-07-10
6
1,601 Views
Last Modified: 2012-06-27
I have an number of files from an old PC, I can not remember the Username or Passwords and don't have the encryption keys. I guess the only alternative is a brute force decrypt. Is this possible or will it take 100 years?
0
Comment
Question by:VHLFV
6 Comments
 
LVL 19

Expert Comment

by:marsilies
ID: 24827914
The Encrypting File System XP uses is pretty strong, and requires a key for any type of decryption to be possible:
http://en.wikipedia.org/wiki/Encrypting_File_System#Security

Brute Force decryption hasn't been achieved with EFS:
http://www.hardforum.com/showthread.php?t=1062963
0
 
LVL 4

Expert Comment

by:ahmed-hesham
ID: 24828049
Dear Sir,
Please follow the exact steps in the case you don't have the encryption keys to the files you want to decrypt:
1. Login as Administrator
2. Go to Start/Run and type in cmd and click OK.
At the prompt type cipher /r:Eagent and press enter
This prompt will then display:
Please type in the password to protect your .PFX file:
Type in your Administrator password
Re-confirm your Administrator password
The prompt will then display
Your .CER file was created successfully.
Your .PFX file was created successfully.
The Eagent.cer and Eagent.pfx files will be saved in the current directory that is shown at the command prompt. Example: The command prompt displays C:\Documents and Settings\admin> the two files are saved in the admin folder. (For security concerns, you should house the two files in your Administrator folder or on a floppy disk).
3. Go to Start/Run and type in certmgr.msc and click OK. This will launch the Certificates Manager. Navigate to Personal and right click on "the folder" and select All Tasks/Import. The Certificate Import Wizard will appear. Click Next. Browse to the C:\Documents and Settings\admin folder. In the Open dialog box, change the Files of Type (at the bottom) to personal Information Exchange (*.pfx,*.P12). Select the file Eagent.pfx and click Open. Click Next. Type in your Administrator password (leave the two checkboxes blank) and click Next. Make sure the Radio button is active for the first option (Automatically select the certificate store based on the type of certifcate). Click Next. Click Finish. (You'll receive a message that the import was successful). To confirm the import, close Certificates Manager and re-open it. Expand the Personal folder and you will see a new subfolder labeled Certificates. Expand that folder and you will see the new entry in the right side column. Close Certificate Manager.
4. Go to Start/Run and type in secpol.msc and click OK. This will launch the Local Security Policy. Expand the Public Key Policies folder and then right click on the Encrypted File System subfolder and select Add Data Recovery Agent... The Wizard will then display. Click Next. Click the Browse Folders... button. Browse to the C:\Documents and Settings\admin folder. Select the Eagent.cer file and click Open. (The wizard will display the status User_Unknown. That's ok). Click Next. Click Finish. You will see a new entry in the right side column. Close the Local Security Policy.
The Administrator account is now configured as the default Recovery Agent for All Encrypted files on the Local Machine.

  • To Recover Encrypted files:
Scenario #1
If you have completed the above steps BEFORE an existing user encrypted his/her files, you can log in to your Administrator account and navigate to the encrypted file(s). Double click on the file(s) to view the contents.
Scenario #2
If you have completed the above steps AFTER an existing user has already encrypted his/her files, you must login to the applicable User's User Account and then immediately logout. Next, login to your Administrator account and navigate to the encrypted file(s). Double click on the file(s) to view the contents.

*Warning
Do not Delete or Rename a User's account from which will want to Recover the Encrypted Files. You will not be able to de-crypt the files using the steps outlined above.  
0
 
LVL 4

Expert Comment

by:ahmed-hesham
ID: 24828057
0
 
LVL 70

Accepted Solution

by:
KCTS earned 250 total points
ID: 24828417
Assuming that the files have been encrypted with Windows EFS then the encryption certificate is assoicuated with the user who encrypted the file. If you can access that account chances of recovery are small - on a domain the Administrator (by default) has a data recovery agent certificate that can be used - but there is no recovery agent by default on a non-domain machine.

Elcomsoft claims to be able to recover encrypted files http://www.elcomsoft.com/aefsdr.html, but I don't have ant evidence that it works or how long it takes.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 250 total points
ID: 24839628
ahmed-hesham's suggestion would work if you could still log in as the original user.  As is, you cannot create a new EFS user.  If scenario #2 worked, you would already be able to decrypt the files and would not have posted this question I would think.  That is usually done as a logon script or GPO when pushing a new DRA.

Was this old enough to be installed and have EFS enable before service packs?  Or maybe you may have actually enabled a Data Recovery Agent (DRA) and don't remember?  You can check the properties of an encrypted file (not folder) - advanced - details - see what users are listed in the top as being able to do normal EFS encryption/decyrption, and if there are any user accounts in the lower box to indicate there is a DRA.

KCTS suggestion of using aefsdr is also good - if you knew the password.

If you ever made a password recovery diskette you can try using that to change the user's password to something known without screwing up EFS.  A normal password reset will dissociate the EFS key and not update it to use the new password.

Beyond making a backup copy of the hard drive and attempting to log in using some passwords you might have used, you're pretty much out of luck.  Beyond that, brute forcing the password is really the only way about it as the keys are considered to be unrealistic to break.  That's about all I can say about that matter within EE policy.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

When the confidentiality and security of your data is a must, trust the highly encrypted cloud fax portfolio used by 12 million businesses worldwide, including nearly half of the Fortune 500.
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now