Solved

EFS - Can't decrypt a file even though I have certificate with matching thumbprint

Posted on 2016-10-20
Last Modified: 2016-11-08
We have a Server 2012R2 box hosting a single network share. Somehow, some files that got saved to this share got encrypted using what I can only describe as a "self-signed" EFS certificate. The cert was not issued by our CA, and does not have our usual recovery certificates attached. The matching certificate can be found in the user's personal cert store on the server. However, all attempts to decrypt the files have failed. See this screenshot:
[screenshot1 attached]
Any ideas out there?
Question by:SWCBTechServices

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41852317
I am suspecting either (a) the private key is missing or (b) the profile is corrupted.
- If an attempt to export the private key for that user's self-signed cert has the export option grayed out, then likely the private key is missing.
- The identified self-signed cert with that matching fingerprint should also have a corresponding copy, named by the certificate thumbprint, under <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

The private key is stored within the certificate itself, but it is also protected by a password. If we cannot get it out or use one from a past backup, it is not going to be decrypted. I am suspecting even the administrator cannot access this folder, unless we have the self-signed EFS certificate of the original user, e.g. export the certificate with the user's private key and import it for the user to whom you want to give the ability to access.

There is Elcomsoft software that attempts to scan for the available encryption keys and decrypts the protected files. http://www.crackpassword.com/aefsdr.html
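A way to run the checks btan describes (thumbprint match, private key present, key actually openable, exportable) from PowerShell on the server while logged on as the affected user. This is an added example, not code from the thread or from any tool mentioned in it; it assumes the file path shown and that `cipher /c` prints each certificate thumbprint as ten groups of four hex digits.

```powershell
# Added example: diagnose why an EFS-protected file will not open for the
# logged-on user. Assumed path below; point it at a file on the share.
param([string]$Path = 'D:\Share\report.docx')

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

# 'cipher /c' lists the thumbprints of every certificate (user or recovery
# agent) that can decrypt the file. Assumed format: ten 4-hex-digit groups.
$fileThumbs = cipher /c $Path |
    Select-String -Pattern '(?:[0-9A-F]{4}\s){9}[0-9A-F]{4}' |
    ForEach-Object { ($_.Matches[0].Value -replace '\s', '').ToUpper() }

# EFS certificates in the current user's personal store (Cert:\CurrentUser\My
# is the same data as ...\SystemCertificates\My\Certificates in the profile).
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku }

foreach ($cert in $efsCerts) {
    $result = [ordered]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        MatchesFile = $fileThumbs -contains $cert.Thumbprint.ToUpper()
        HasKeyRef   = $cert.HasPrivateKey   # what the certificate dialog reports
        KeyOpens    = $false                # can the key container really be loaded?
        Exportable  = $null
        Error       = ''
    }
    try {
        # HasPrivateKey only proves a key *reference* exists. Touching the key
        # forces CryptoAPI to open the container, which fails (typically
        # 'Keyset does not exist') when the key file, or the DPAPI master key
        # in the profile that protects it, is missing or damaged.
        $rsa = $cert.PrivateKey
        if ($rsa) {
            $result.KeyOpens   = $true
            $result.Exportable = $rsa.CspKeyContainerInfo.Exportable
        }
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}
```

A row with MatchesFile true, HasKeyRef true and KeyOpens false points at a damaged key container or profile master key rather than a missing certificate; Exportable false explains the grayed-out export option.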

Author Comment

by:SWCBTechServices
ID: 41852345
We are logged on to the computer as the original user who encrypted the file. When I view the cert from the user's personal cert store, it displays "You have a private key that corresponds to this certificate" (see attached picture).

We cannot export the cert with the private key; the option is grayed out. However, it could be that private key export was disabled when the cert was created.

Yes, there is a corresponding copy of the cert/thumbprint in <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

Any suggestions? Thanks.
[attachment: 2016-10-20_9-44-45.jpg]

Accepted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41852394
You may try the tool to scan whether this key is available and whether it can be decrypted - see "Decrypting files".
Note: an unregistered (trial) version of AEFSDR decrypts only the first 512 bytes of all files, padding the rest of the content with zeros (look at Registration to learn how to get the fully functional version). But even in the full version, please verify that all files have been decrypted successfully before deleting the original (encrypted) files.
https://www.elcomsoft.com/help/en/aefsdr/index.html

There is another article - see "recovery with the original profile in the file system"
http://www.beginningtoseethelight.org/efsrecovery/index.htm

Expert Comment

by:btan
ID: 41878461
As suggested for key recovery.