What has this disk been encrypted with?

A Win 7 Pro laptop, which I think was encrypted, had its disk fail with multiple bad sectors.

So, I imaged the disk, which seems okay.

But when I attach it to another PC I can see all the files, but when I go to open them (Word + Excel + PDF) they are all garbled.

The user has sent me a .PFX file. So I copied this over to another Win 7 system. When I click on this it says

"Type the password for the private key..."

Anybody know what sort of encryption was being used here?
furunoAsked:
arnoldCommented:
Sounds like EFS.
Not the entire disk is encrypted, just user documents.
0
furunoAuthor Commented:
Thanks Arnold, what is the next step you would take?
0
arnoldCommented:
Depending on what you used to image the disk, put it back into the system from which it came and let the system boot up.

Import the PFX file and, as long as your system is Windows 7 as well, you should be able to access the files. The certificate in the PFX is the private/private. One thing is that it needs to be the EFS certificate pair used to encrypt the files.
Pick a file and look at the properties\advanced, encrypted details. There you will see the certificate reference ID, which you can then compare to the ID on the certificate you import.
0


furunoAuthor Commented:
This disk image of Win 7 is non-bootable
0
arnoldCommented:
What did you use to image it? Did you just image a partition or the entire disk?
Using a Windows 7 boot DVD with bootrec and bcdedit you can rebuild the boot.
Possible issue is that the partition is not marked active/bootable.
Diskpart (create another image of the disk just in case).
Does the old disk still boot the system?
Depending on the drives in the system or the replacement, some vendors provide tools that would help clone the boot disk to a replacement.
EaseUS has a tool that, while the system is running, will clone the disk to a replacement.

The windows 7 backup image is an option as well.
0
furunoAuthor Commented:
I used R-Drive Image from RTT.

I tried the bootrec.exe - it said "operation completed successfully" but it's still not booting.

>>>Possible issue is that the partition is not mark active/bootable

I have just used Partition Wizard to look at the partitions. It has discovered three partitions:

Basic MBR
System Reserved
NTFS

Which one of these should be set to "active"?
0
arnoldCommented:
System reserved partition should be active.
0
McKnifeCommented:
The file names of EFS encrypted files would appear in a green font. Are those green? I don't think so, because even if EFS was used, the contents wouldn't be "garbled" but you would simply see an "access denied".
Ask the user what he did. We have no evidence of encryption, yet.
0
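The two checks suggested above (whether a file is really EFS-encrypted, and whether the supplied PFX is the certificate it was encrypted to) can be scripted. This is an added example, not part of the thread; the two paths are placeholders, and the thumbprint parsing assumes the English-language output of `cipher /c`.

```powershell
# Added example, not from the thread. Both default paths are placeholders.
param(
    [string]$Root    = 'D:\Recovered\Documents',  # hypothetical folder on the mounted image
    [string]$PfxPath = 'C:\Temp\username.pfx'     # the PFX supplied by the user
)

# Read the certificate inside the PFX (prompts for the PFX password).
$pfx      = Get-PfxCertificate -FilePath $PfxPath
$pfxThumb = $pfx.Thumbprint.ToUpper()

# An EFS certificate carries the Encrypting File System EKU (1.3.6.1.4.1.311.10.3.4).
$isEfsCert = $false
foreach ($ext in $pfx.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq '1.3.6.1.4.1.311.10.3.4') { $isEfsCert = $true }
        }
    }
}
"PFX thumbprint: $pfxThumb  (EFS EKU present: $isEfsCert)"

# Walk the recovered files. The Encrypted attribute is what Explorer shows as green.
Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $efs   = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
        $match = $null
        if ($efs) {
            # cipher /c lists one "Certificate thumbprint:" line per user or
            # recovery agent able to decrypt the file (assumed English output).
            $thumbs = @(cipher /c $_.FullName |
                Select-String 'Certificate thumbprint:\s*(.+)$' |
                ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() })
            $match = $thumbs -contains $pfxThumb
        }
        New-Object PSObject -Property @{
            File         = $_.FullName
            EfsEncrypted = $efs
            PfxMatches   = $match
        }
    } | Format-Table File, EfsEncrypted, PfxMatches -AutoSize
```

Files reported with `EfsEncrypted = False` that still open as garbage are not being blocked by EFS, so the cause lies elsewhere (corruption, or another encryption layer).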
arnoldCommented:
Saw that the person provided you a PFX and skipped the garbled text. As McKnife pointed out.

Did you import the cert? Look at the program files\ or program files (x86)\ for installed programs that have encryption capabilities.
0
arnoldCommented:
What laptop is it? Does the original drive, when it boots, prompt for credentials prior to Windows boot? I.e. it has whole disk encryption. Look at some of the .inf files to see whether their text is also garbled; if so, that would point to disk encryption.

What is the make/model of the drive in the system, as well as the laptop info?
0
furunoAuthor Commented:
Finally got the computer to a bootable state following instructions of poster "Vijay B"

http://answers.microsoft.com/en-us/windows/forum/windows8_1-windows_install/total-identified-windows-installations-0/52359f87-de4a-41dc-b0c3-cc275e1d9fbf

All folders / files are missing. But, as I've said I got them on another disk image but they are garbled.

The PFX certificate will not install on the recovery system - asking for "password for the private key".

It's an Asus laptop - WDE is not on it. I will keep this thread updated.
0
furunoAuthor Commented:
OK, I got the PFX certificate to successfully install on another computer here but the documents are still all garbled.

In the Program Files listing - I cannot see any real encryption application.

>>>EFS was used, the contents wouldn't be "garbled" but you would simply see an "access denied".
This statement worries me!

Could it be that just the MBR has gone corrupt and this is a symptom of it?

All files appear corrupt - Word, Excel and PDFs.
0
arnoldCommented:
No. The MBR will be an issue to boot the system.
What is the certificate, does it say it is an EFS certificate?

Is the old drive still booting the system?
Bootrec/bcdedit are the tools to run to reinitialize the bootup.

The encryption might be from the built in laptop options.
0
furunoAuthor Commented:
Re: certificate, it is named:

username.pfx

When you click on properties - under type of file it says:
Personal Information Exchange

I have looked at the old drive via a desktop PC - all needed files not showing.

I am now attempting to run bootrec and bcdedit on the drive.
0
McKnifeCommented:
Don't. The mbr is not involved.
0
furunoAuthor Commented:
The user confirmed today it was encrypted with the native Win 7 Pro encryption (EFS, NOT BitLocker).

This is a weird one.

I imaged this disk again using different software.

However, the result seems to be the same.

Normally when dealing with corrupt HDDs, some of the files will be corrupt, but in this particular case Word, Excel, PowerPoint and JPEG files are all showing with proper file names etc., but when you open them they are garbled... doing my head in...

Any suggestions from anyone would be gratefully appreciated.
0
arnoldCommented:
After reimaging, are you using the new device to boot the system?
When the system natively boots, do you have access to the files as intended?
0
arnoldCommented:
Which software? Used to image/clone?
Does the system still boot and are the files accessible?
0
McKnifeCommented:
For more insight, please use efs and try to reproduce this. You should only get access denied. Still think the files are just corrupted, not efs'ed.
0
furunoAuthor Commented:
These files have been finally recovered.

McKnife - you were right - EFS encrypted files should appear green. Most of them were not in green so I guess the users only encrypted one or two folders.

The solution
What I did was to image the drive again. This time I made sure that Chkdsk was not allowed to run on the imaged disk.

Then I ran R-Studio NTFS on the image and, after a very quick scan, the files were recovered and opened up perfectly.
(The original folder names were lost, but all file names were retained.)

Conclusion: Checkdisk was corrupting the disk image each time. Then when the data recovery software was being run - it was just mining corrupt files. Lesson: Checkdisk can sometimes do more harm than good.

Thanks to Arnold and McKnife for your valuable insights.
0
furunoAuthor Commented:
Thanks again for the advice.
0