Solved

EFS - Can't decrypt a file even though I have certificate with matching thumbprint

Posted on 2016-10-20
4
36 Views
Last Modified: 2016-11-08
We have a Server 2012R2 box hosting a single network share. Somehow, some files that got saved to this share got encrypted using what I can only describe as a "self-signed" EFS certificate. The cert was not issued by our CA, and does not have our usual recovery certificates attached. The matching certificate can be found in the user's personal cert store on the server. However, all attempts to decrypt the files have failed. See this screenshot:
screenshot1
Any ideas out there?
0
Comment
Question by:SWCBTechServices
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41852317
I am suspecting at large either the (a) private key is missing or the (b) profile is corrupted.
- attempt to export the private key for that user self signed cert has the export option grayed out, then likely the private key is missing.
- identified self sign cert for that matching fingerprint should also have a corresponding copy as the certificate thumbprint on <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

The private key is stored within the certificate itself, but it is also protected by a password. If we cannot it out or use from past backup, it is not going to be decrypted. I am suspecting even administrator cannot access this folder, unless we have the self-signed EFS certificate of the original user e.g. export the certificate with private key of the user and import to the user whom you want to give them ability to access.

There is Elcomsoft software that attempt to scan for the available encryption keys, and decrypts the protected files. http://www.crackpassword.com/aefsdr.html
0
 

Author Comment

by:SWCBTechServices
ID: 41852345
We are logged on to the computer as the original user who encrypted the file. When I view the cert from the users personal cert store, it displays "You have a private key that corresponds to this certificate" (see attached picture).

We cannot export the cert with private, the option is grayed out, however it could be that private key export was disabled when the cert was created.

Yes, there is a corresponding copy of the cert/thumbprint in <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

Any suggestions? thanks,2016-10-20_9-44-45.jpg
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41852394
May can try the tool to scan if this key is available and if can be decrypted - See the "Decrypting files"
Note: an unregistered (trial) version of AEFSDR decrypts only first 512 bytes of all files, padding the rest of content with zeros (look at Registration to learn how to get the fully functional version). But even in full version, please verify that all files have been decrypted successfully, before deleting the original (encrypted) files.
https://www.elcomsoft.com/help/en/aefsdr/index.html

There is another article - see "recovery with the orginal profile in the file system"
http://www.beginningtoseethelight.org/efsrecovery/index.htm
0
 
LVL 63

Expert Comment

by:btan
ID: 41878461
As suggested for key recovery.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question