Decrypt Files - No Keys

Steve Marin
Steve Marin used Ask the Experts™
on
Experts,

I have a serious problem. I have a client that had a bunch of personal data on his work laptop. He retired and sent the laptop back , only before I copied over his documents and music...etc. Well I just went to copy back his data to his new computer and found out that the files are encrypted. I have no way to decrypt them as the laptop was sent back and most likely the HDD was destroyed. So is there any hope of decrypting the files? I have already tried Advnaced EFS Data Recovery but it says the files are not decryptable.

Thanks,


--Steve
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
How did you copy the files off of the old computer?
Steve MarinIT Consultant

Author

Commented:
drag and drop. copied the directories needed and pasted them onto a USB HDD.
And now you see what on the USB HDD? You see the directory structure and files, as you copied them, but when you try to open them they're encrypted?
Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Steve MarinIT Consultant

Author

Commented:
Correct the files are all there but when you try and copy or open anything it does not allow you.
Any chance you could record a screencast so I can see what you're seeing?
Steve MarinIT Consultant

Author

Commented:
Steve MarinIT Consultant

Author

Commented:
Were you able to look at the screencast?
Exec Consultant
Distinguished Expert 2018
Commented:
Files and folders are decrypted before being copied to a volume formatted with another file system, like FAT 32. Finally , when encrypted files are copied over the network using the SMB / CIFS protocol , the files are decrypted before they are sent over the network .

If EFS is configured to use keys issued by a Public Key Infrastructure and the PKI is configured to enable Key Archival and Recovery , encrypted files can be recovered by recovering the private key first .

If you did not backup your keys, but have permitted other users to EFS share your encrypted files, those users can recover your data .

http://www.stanford.edu/group/security/securecomputing/pc_file_encryption.html
btanExec Consultant
Distinguished Expert 2018

Commented:
this is another useful references but it states much to get info from the user machine. if it is not functioning, forensic of machine would be last resort or brute force which may not be logical as final resort. see its "r e c o v e r y w i t h n o i n f o r m a t i o n a t a l l - s p e c i a l i s t m e t h o d s"

http://www.beginningtoseethelight.org/efsrecovery/
Steve MarinIT Consultant

Author

Commented:
I'm still in need of getting info if this will be possible to remedy.....


--Steve
btanExec Consultant
Distinguished Expert 2018

Commented:
without the user private key in his machine, it is tough to decrypt his data esp when the HDD is not available. Otherwise if there is backup of the issued keyset certificate, we can try to setup in new machine. Likewise, if copying can be done through network or into non-NTFS storage, there can be some hope.

Else suggest professional support to recover HDD, there is such expertise to reconstruct as long as it is not of intense physical damage on key sector storing those data or even keyset.

There is also data recovery agent such as local admin or domain admin as the contigencies. They would be transparent when efs is enabled.

But the above is possibilities relying on the efs fundamentals but from the Advanced EFS Data Recovery website, its professional (not trial) does share it is capable to handle this situation. As consumer, can consider dropping them an email on this, they would be able to assist or minimally, confirmed it is "non-decryptable"

http://www.elcomsoft.com/aefsdr.html

Just some thoughts.
TolomirAdministrator
Top Expert 2005

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial