Solved

How to recover private key certificates from a bkp HD?

Posted on 2011-09-09
Last Modified: 2012-05-12
Hi,

I had a bad HD, so I installed Windows on the new one and copied all the files I wanted from the bad HD.
The only thing that I could not get back are my private certificates. I have 1 or 2 exported in pfx format and all of them exported as p7b, but the p7b does not include the private certificate, so I cannot use it.

I still have the bad HD with me (which does not boot), so is there a way to recover the certificate files from the bad HD?
Question by:tarcis
LVL 8

Expert Comment

by:Shmoid
ID: 36513752
It might be possible to recover the private keys but it will depend on several factors.

Are you in an Active Directory Domain?

Were the certs issued from an internal CA, a 3rd party vendor or did you create them manually with a utility such as OpenSSL, KeyStore Explorer, Portecle, etc.?

If an internal CA, does the CA have key archival turned on?

Do you know the password used to encrypt the private key?

Do you know if the private keys are marked as exportable?

You said you could access the bad HD but it will not boot.  Are you accessing it as a slave drive or connected via an adapter?

Does the drive have corrupted data?

Let me know the answers to these questions and I’ll give you my opinion as to the recoverability of the private keys.
0
 
LVL 2

Author Comment

by:tarcis
ID: 36513981
Are you in an Active Directory Domain?
No, it's a home PC.

Were the certs issued from an internal CA, a 3rd party vendor or did you create them manually with a utility such as OpenSSL, KeyStore Explorer, Portecle, etc.?
They were issued from certsign. It's an A1 certificate used to log in to government tax websites.

If an internal CA, does the CA have key archival turned on?
Does not apply.

Do you know the password used to encrypt the private key?
Yes.

Do you know if the private keys are marked as exportable?
The certificates were installed on the machine (visible in IE -> Certificates), not exported as a file.

You said you could access the bad HD but it will not boot.  Are you accessing it as a slave drive or connected via an adapter?
I'm accessing it as a slave drive, but I looked and all files are there except the Windows folder (if I need the Windows folder, I can try to recover it using recovery software).

Does the drive have corrupted data?
It has bad sectors but I can access data on it.

Thank you so much for your help
0
 
LVL 8

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36515264
Since you are not in a domain where certs were issued from an internal CA, that rules out the option of using a key recovery agent.

Unfortunately, without that option and the drive being unbootable I know of no way to recover the private key. It is stored on the drive but it is encrypted with a random symmetric key.  There is a great explanation about how private keys are stored here: http://technet.microsoft.com/en-us/library/cc962112.aspx

As you said you could try to recover the windows folder but that probably won't make the drive bootable. If by some chance you can recover the windows folder AND get the drive to boot you should immediately try to export the keys from IE or from the certificate snap-in in MMC. You may only get one chance as the drive may not last. While the drive is still slaved you could try running scandisk. Over the years I've had a couple of drives that I was able to get to boot again after running scandisk but not nearly as many as I tried. It just depends on what kind of damage and why the drive failed.

If all that fails you will have no choice but to obtain new certificates. Since you mentioned they are used for login I will assume that there is no data that was encrypted with them and they were only used for authentication.  If that is the case I would just get new certs as that will probably be the easiest and quickest thing to do.
0
 
LVL 2

Author Comment

by:tarcis
ID: 36515928
Thank you for the explanation. The only reason I want to recover them (yes, they were only used for login) is because here in Brazil they charge you to get a new certificate, and there are like 20 certificates I need back. Just imagine the financial harm.
Maybe I could copy a registry key to a new PC and have IE behave as if it was the old IE from that PC (with the certificates). Anything is worth a shot here.
Thank you
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36525173
Understood. I'm guessing at this point that you are willing to try extreme measures. I'm afraid it's not quite as simple as just copying files, registry keys etc. The private keys are stored in the file system but they are encrypted with a random symmetric key. Even if you copy them, a different installation will not recognize them. I think your only hope of getting your keys is to get the bad drive to boot again.

If I were in your situation I would proceed as follows:

First, try to get an image of the damaged drive. If it has bad sectors already it could become unreadable. The more you use it the more likely that is to happen. My recommendation for a utility to image with would be a Unix/Linux utility called ddrescue, not to be confused with earlier or similar utilities such as dd, dd_rescue, ddrhelp. There are a slew of reasons to use this utility but rather than reiterate them here have a look at this link: http://www.toad.com/gnu/sysadmin/index.html   There are several boot CDs out there that have the utility available. You will need to download an ISO and burn a CD that will boot to Linux and then use the ddrescue utility to create an image. With the proper tools you can even mount and work directly from that image but we'll cross that bridge later.

Once you have the image I would try to run scandisk, with the goal of getting the drive bootable again. If you can get it to boot, immediately try to export your keys.

I'm curious why the Windows directory is missing. It seems unlikely that scandisk can fix that, unless it was a simple data error in the directory's table entry. If scandisk doesn't get the Windows directory back, try to recover it. GetDataBack from Runtime Software is a good option.

You might also want to check out Scott Moulton's website http://myharddrivedied.com It has a ton of great information, including video presentations, on data recovery and computer forensics. It also has a list of excellent tools.

If all these efforts fail you could send the drive out to a data restoration company but that might be just as expensive as buying all new certs.

Let me know how it goes.
0
 
LVL 2

Author Comment

by:tarcis
ID: 36525444
I think the Windows folder vanished after a chkdsk /r. Because at first when it didn't boot, I tried chkdsk and since it found bad sectors, I instantly got a new drive and installed Windows on the new one, and slaved the bad one.

I think it will be very hard to make it boot again, but I can work with that. Certificates, on the other hand, I know very little about, and it does sound like a mission impossible task since it's all encrypted.

I will leave this question open for a few more days in a desperate hope that some expert has another idea, but making the drive boot again should be the only solution here.

Thanks again.
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36525919
If you want to at least get a copy of the encrypted keys they are located at the following locations:

XP:
C:\Documents and Settings\<username>\Application Data\Microsoft\Crypto\RSA\S-1-5-xx-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxx

Vista and Win 7:
C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-xx-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxx


I have another idea. If you are willing to reinstall a couple of times you could install Windows, then copy the registry files and private keys from the bad drive to the clean install and see if you can access the keys. It’s a longshot I think, but worth a try.  Whether it works or not I would then blow it away and install again. If you have an additional drive you could use, you could just remove the drive you just purchased and set it aside while you test.

You could also put the bad drive back as primary and try to do a repair install.  Boot from Windows media and point to the old installation and tell it to repair. See what happens.
0
 
LVL 2

Author Comment

by:tarcis
ID: 36536202
As you suspected, copying the files did not work. Bummer.
I will try the repair install this weekend.

Thank you again.
0
 
LVL 2

Assisted Solution

by:tarcis
tarcis earned 0 total points
ID: 36718644
I got it!
chkdsk had created a hidden found.000 folder in my HD root, and inside it 4 chdirxxxx.chk folders.
Examining the insides of these folders, I figured one was the Windows folder, another was the system32 folder, another was the drivers folder and the last one the config folder.
So I created a Windows folder on C: and cut and pasted the files from the first chdirxxxx.chk and did the same for all the others, and after a few safe modes and file copying I was able to boot to the damaged HD and export the certificates.

Thank you so much for your help
0
 
LVL 2

Author Closing Comment

by:tarcis
ID: 36902260
There is no way to get the certificates back without the old Windows.
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36892773
Excellent! Glad you got your certificates back. Now you can keep a .pfx backup of all of them.

0
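The .pfx backup recommended in the last comment, as an added example that is not part of the original thread: it exports every certificate in the current user's personal store that has a private key to a password-protected .pfx, then re-opens each file to confirm the key is really inside (the check a .p7b export would fail). It assumes a Windows version whose PKI module provides `Export-PfxCertificate`; `$BackupDir` and the file naming are hypothetical choices.

```powershell
# Added example: PFX backup of the personal certificate store, with verification.
# $BackupDir is a hypothetical location; use removable or offline storage.
param([string]$BackupDir = "$env:USERPROFILE\cert-backup")

$password = Read-Host -Prompt 'Password to protect the PFX files' -AsSecureString
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $status = 'NoPrivateKey'   # public certificate only, nothing to back up
    $file   = $null
    $detail = $null

    if ($cert.HasPrivateKey) {
        $file = Join-Path $BackupDir ($cert.Thumbprint + '.pfx')
        try {
            # Fails if the key was installed as non-exportable
            Export-PfxCertificate -Cert $cert -FilePath $file `
                -Password $password -ErrorAction Stop | Out-Null

            # Re-open the file with the same password and check the key is in it
            $check = New-Object `
                System.Security.Cryptography.X509Certificates.X509Certificate2($file, $password)
            $status = if ($check.HasPrivateKey) { 'BackedUp' } else { 'ExportedWithoutKey' }
            $check.Reset()     # release the temporary key material
        }
        catch {
            $status = 'ExportFailed'
            $detail = $_.Exception.Message
            $file   = $null
        }
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Status   = $status
        File     = $file
        Detail   = $detail
    }
}

# Anything not marked BackedUp would be lost with the Windows installation
$report | Sort-Object Status | Format-Table Subject, NotAfter, Status, File -AutoSize
$report | Where-Object Status -eq 'ExportFailed' | Format-List Subject, Detail
```

Certificates reported as `ExportFailed` exist only inside the current Windows profile, which is the situation the thread started from.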
