Solved

Windows 7 encryption

Posted on 2011-03-02
Last Modified: 2012-05-11
Hello Geniuses,
I have a client with the following:
Win 7 x64, 300 GB HDD, 4 GB RAM. He uses the program Calyx 7.2 for his business. Issue is as follows: Files are unable to be opened due to encryption (all in green). Working with Calyx Support, they gave up and laid it at Microsoft's door. We were able to remove Read Only and File Encryption on some files and folders but not the hundreds of files necessary for the user to see the mortgage info he needs. I have shut off and turned back on ntfsdisableencryption in the registry. Did not help. Calyx Support went after it with everything they could come up with. Files cannot be unencrypted due to permission issues. All files and folders have God privileges so copying, deleting, etc. should not be an issue, but it is.

Any ideas?
jwhite273
Question by:jwhite273
17 Comments
 
LVL 7

Expert Comment

by:DIIRE
ID: 35026033
A little more information will help us to assist you.

When did the problem first occur? Was the software ever able to access the files on the current PC?

Was it during migration from an old pc to a new one?

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 35026255
You may have to try using Elcomsoft's AEFSDR tool, it works great, others have similar tools as well. It's only 149$ and it works great: http://www.elcomsoft.com/aefsdr.html
The one from Passware is 195$ http://www.lostpassword.com/efs.htm I've had much more success with Elcomsoft's. Use the trial version first to make sure it's doing what you need it to do. You can take ownership and control of all files on the HD by using these instructions:
http://technet.microsoft.com/en-us/library/cc753659.aspx
-rich
0
 
LVL 61

Expert Comment

by:btan
ID: 35034227
Typically you need to get the recovery certificate (done in the backup process when creating EFS files) to recover the EFS-protected files. Or activate the data recovery (typically the local admin).
http://www.vistax64.com/tutorials/99956-encrypted-file-system-efs-certificate-restore.html
http://www.vistax64.com/tutorials/99948-encrypted-file-system-efs-certificate-backup.html

See the troubleshooting - Unable to Open Encrypted Files
http://technet.microsoft.com/en-us/library/bb457116.aspx#EBAA

More info - Recovering Encrypted Data Using EFS
http://www.microsoft.com/technet/community/columns/5min/5min-401.mspx

There is a more in-depth approach though:
http://www.beginningtoseethelight.org/efsrecovery/index.php
0
 

Author Comment

by:jwhite273
ID: 35044600
Hi All,
Have read and tried the valid documents that dealt with my issue. So far, nothing. As I posted earlier, only the contents of two folders within the Calyx program folder are inaccessible. I have taken ownership of all the folders etc. without success. There has to be a way to get around this. Any ideas?
Thanks,
jwhite273
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 35044639
Mount the drive in another PC, like an XP one that doesn't respect the file permissions as much as Vista and 7 do. You can use an IDE/SATA to USB cable like this one: http://www.newegg.com/Product/Product.aspx?Item=N82E16812119244
or simply mount it as a secondary drive in another machine. It's often easier that way to gain access; failing that, you may even consider using Linux/Mac to read the drive as they have very little respect for NTFS permissions, if any, and will let you read/copy any file you want. You can use the same USB adapter in Linux/Mac to read the drive.
-rich
0
 

Author Comment

by:jwhite273
ID: 35044843
Hi richrumble,
Sweet. Very unique idea. I do have an Ubuntu USB for AV purposes. Never thought about the slave drive move. I'll see the client on Monday and let you know.
Thanks,
jwhite273
0
 
LVL 61

Expert Comment

by:btan
ID: 35045193
Agreed with richrumble, thinking along the same line. Maybe we can attempt the following:

a) Copy over to another non-NTFS formatted drive such as FAT (formatted thumbdrive) - http://www.eriugena.org/code/sendto/sendto-EFS-Raw.pdf

b) Understand that EFS does not keep its data encrypted if transferred over the network; maybe try to copy the folder/file over to another network-mapped file server.
0
 

Author Comment

by:jwhite273
ID: 35087970
Ok, I tried pulling the drive and slaving it to my laptop (Win 7).  Data remained locked.  I used a Win XP ERD and tried to move data to my laptop drive.  Didn't work.  Booted my Ubuntu disk and tried the same, no go.  I'm at the end of my rope with this.  All the suggestions are good, but nothing is working.  I'm almost ready to have the client reenter all the data from paper files.

Last call, anyone have any other ideas?
0

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 35089178
Have you tried the trial version of AEFSDR? It should tell you if the full version can recover the files. EFS is one of the worst encryption products to manage and use correctly. As to why you can't gain access to the files via ownership, I don't know why that is, but I guess you'd have to have that access first before Elcomsoft's AEFSDR would work...
-rich
0
 

Author Comment

by:jwhite273
ID: 35124121
Hi richrumble,
I've done everything except the AEFSDR. I have a friend who is going to let me use his copy on this client's PC. I'm seeing the client tomorrow, so it's this or nothing.
Thanks,
jwhite273
0
 
LVL 61

Expert Comment

by:btan
ID: 35129164
Agree with richrumble, if we cannot even access the file to the extent of shifting it, I doubt software can do much as it still depends on the OS to help in 'opening' access to the application. Do keep us posted.
0
 

Author Comment

by:jwhite273
ID: 35129306
Hello all,
AEFSDR did not work in this situation.  We are looking to get permissions to work on about 500 files.  I'm thinking rebuild now unless one of you folks has another trick up your sleeve.

Thanks,
jwhite273
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 35130715
If AEFSDR didn't work then it's more than likely the FEK is not present on the local system. I'm not sure where one looks to try alternative FEKs or using the Domain Administrator keys. File encryption is good and bad. The bad part is, well it's technically the good part, but nonetheless recovery of the files is impossible (for argument's sake) if it's done right. Plain-text backups of the data are essential; failing that, the keys have to be backed up just as well. You may try to use the Cipher.exe command to perhaps help you track down the FEK for the files, if nothing else find the DRA that might help further:
cipher.exe /h /c c:\path\to\file(s) (before doing any of this make copies of the files, and do these commands on them...)
cipher.exe /r
There may be more options to use, but if AEFSDR didn't work, I'm not sure what else might. The files should be recovered from the PC they originally resided on for your best chance.
-rich

0
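
The `cipher.exe /c` check suggested in the comment above, as an added example that is not part of the original thread: it parses the thumbprints cipher reports for a file and checks whether a matching certificate with a private key is in the current user's store, since without that key (or a recovery agent's) ownership and ACL changes cannot decrypt the file. Assumptions: English-language cipher output, PowerShell 2.0 or later, and constructed sample text and thumbprint; the function names are hypothetical.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Get-EfsThumbprints {
    param([string[]]$CipherOutput)
    $section = $null
    foreach ($line in $CipherOutput) {
        if     ($line -match 'Users who can decrypt') { $section = 'User' }
        elseif ($line -match 'Recovery Certificates') { $section = 'RecoveryAgent' }
        elseif ($line -match 'Key Information')       { $section = $null }
        elseif ($section -and $line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            # cipher prints the SHA-1 thumbprint in groups of four hex digits
            New-Object PSObject -Property @{
                Role       = $section
                Thumbprint = ($Matches[1] -replace '\s', '').ToUpper()
            }
        }
    }
}

function Test-EfsKeyAvailable {
    param([string]$Path)
    # Run as the user who is expected to own the EFS key
    foreach ($e in Get-EfsThumbprints -CipherOutput (& cipher.exe /c $Path)) {
        $cert = Get-ChildItem Cert:\CurrentUser\My |
                Where-Object { $_.Thumbprint -eq $e.Thumbprint } |
                Select-Object -First 1
        New-Object PSObject -Property @{
            Role          = $e.Role
            Thumbprint    = $e.Thumbprint
            CertInStore   = [bool]$cert
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        }
    }
}

# Constructed sample of cipher /c output, so the parser can be tried offline
$sample = @'
E loanfile.dat
  Users who can decrypt:
    OLDPC\owner [owner(owner@OLDPC)]
    Certificate thumbprint: 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567

  No recovery certificate found.

  Key Information:
    Algorithm: AES
'@
Get-EfsThumbprints -CipherOutput ($sample -split '\r?\n')
# On the affected machine: Test-EfsKeyAvailable -Path 'C:\path\to\copy\of\file'
```

A row with `HasPrivateKey` false for every listed thumbprint means the decrypting key has to come from a certificate backup (.pfx) or from the original profile on the original machine.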
 
LVL 61

Expert Comment

by:btan
ID: 35133631
The FEK is actually an alternate data stream of the file, that is why it is supported only in NTFS format. The command would help, and by default local admin is also the default recovery agent. If that can't work out, suggest looking for forensic leftover instead.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 35133667
For domain-joined PCs the Domain admin is the DRA, for workgroup it's the local admin.
-rich
0
 

Accepted Solution

by:
jwhite273 earned 0 total points
ID: 35150836
Hi all,
We have tried all the options you folks have come up with. Every one sounds like it's the right one. However, after about 6 hours invested in this machine, the client has decided to replace the box. I do appreciate all the help from you folks. You came up with options I never would have come up with myself and I am grateful.

jwhite
0
 

Author Closing Comment

by:jwhite273
ID: 35178816
Client purchasing new PC.  Everything we tried failed in his instance.
0
