Need help unencrypting files after computer exploded

[mikeymasonic]

right so this is a little ridiculous. i had picture files on my computer
that i encrypted, but of course i did not backup the efs file, awesome!
so then one day my mother board caught on fire, yeah i know...
so then i unplugged it and it put the fire out, and i was able to salvage my
hard drives from it. so i bought a new tower and put said hard drives in
(without formatting) and now i'm having a hard time accessing those said
encrypted files. i just wanted to find out from the source if all hope was
lost or if there is some kind of magic way i can un-encrypt or retrieve a efs
file. thanks-

mikey.

 

[Shenan Stanley]

right so this is a little ridiculous. i had picture files on my
computer that i encrypted, but of course i did not backup the efs
file, awesome!
so then one day my mother board caught on fire, yeah i know...
so then i unplugged it and it put the fire out, and i was able to
salvage my hard drives from it. so i bought a new tower and put
said hard drives in (without formatting) and now i'm having a hard
time accessing those said encrypted files. i just wanted to find
out from the source if all hope was lost or if there is some kind
of magic way i can un-encrypt or retrieve a efs file.

Short of some expensive services (pay ahead - no promises of any recovery)
and a few days, weeks, months, years, decades of them attempting to recover
your data - no.

There is nothing out there guaranteed to get your data back to you.

Hopefully - this time - you will backup (the files themselves as well as the
EFS certificate.)

Windows XP Backup Made Easy
http://www.microsoft.com/windowsxp/using/setup/learnmore/bott_03july14.mspx

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316

"Why you must back up your certificates
Because there is no way to recover data that has been encrypted with a
corrupted or missing certificate, it is critical that you back up the
certificates and store them in a secure location."

Pages 4-7...
http://www.elcomsoft.com/WP/advanta...d_effective_recovery_of_encrypted_data_en.pdf

"The typical situation in which access to EFS-encrypted data is lost takes
place when the connection between the operating system and the keys
physically located on the disk (cf. situations described in section "How can
one lose access to EFS-encrypted data?") is lost. In this case do not give
up, there is a solution. There is high probability that access to the data
can be restored. But if the keys had been deleted from the disk and no
backup copy of the user profile or the user's certificates had been made,
then the data is indeed unrecoverable."

http://windowsitpro.com/article/articleid/94826/preventing-data-loss-when-using-efs.html

"A final note: Your concern about losing data is well placed. There is no
back door into EFS; if you lose the key(s) to it, you lose your data."

Incidents like the one you have just experienced are really the main reason
behind the constant barrage of 'backup backup backup' mantras you hear from
information technology types. ;-)

 

[John Wunderlich]

=?Utf-8?B?bWlrZXltYXNvbmlj?=

right so this is a little ridiculous. i had picture files on my
computer that i encrypted, but of course i did not backup the efs
file, awesome! so then one day my mother board caught on fire,
yeah i know... so then i unplugged it and it put the fire out, and
i was able to salvage my hard drives from it. so i bought a new
tower and put said hard drives in (without formatting) and now i'm
having a hard time accessing those said encrypted files. i just
wanted to find out from the source if all hope was lost or if
there is some kind of magic way i can un-encrypt or retrieve a efs
file. thanks-

mikey.

I assume you're installing your salvaged drives as slave drives in your
new system...

The only possible chance that you have is if you can find another
machine that has virtually the same motherboard, video card, and
chipsets that your old machine had and you could swap your drive in
that machine and directly boot-up from your salvaged drives.

Even then it may not work as it is not exactly clear where Windows gets
all the bits from to encrypt the certificate.
-- John

 

[Twayne]

=?Utf-8?B?bWlrZXltYXNvbmlj?=


I assume you're installing your salvaged drives as slave drives in
your new system...

The only possible chance that you have is if you can find another
machine that has virtually the same motherboard, video card, and
chipsets that your old machine had and you could swap your drive in
that machine and directly boot-up from your salvaged drives.

Even then it may not work as it is not exactly clear where Windows
gets all the bits from to encrypt the certificate.
-- John

Won't work. Any resintallation of any kind generates new keys for the
encrypted data. Once it's gone, it's gone, even on the exact same
machine, unless you hae the exported keys.

 

[Twayne]

right so this is a little ridiculous. i had picture files on my
computer that i encrypted, but of course i did not backup the efs
file, awesome!
so then one day my mother board caught on fire, yeah i know...
so then i unplugged it and it put the fire out, and i was able to
salvage my hard drives from it. so i bought a new tower and put said
hard drives in (without formatting) and now i'm having a hard time
accessing those said encrypted files. i just wanted to find out from
the source if all hope was lost or if there is some kind of magic way
i can un-encrypt or retrieve a efs file. thanks-

mikey.

Unfortunately, they are gone for good. I hope you have backups if
they're important.

Not sure what you meant by "the source" above, but this group is not
comprised of Microsoft employees or support personnel. It's just
volunteers, like any other group; people helping people. So you are not
talking to microsoft.com or Inc. when you post here.

HTH,

Twayne

 

[John Banes]

The keys that were used to encrypt your EFS-encrypted files are located in
your old user profile. Assuming that you still have these files, and you
still remember your old password, then it's possible to get your data back.

Windows won't recover the encrypted data automatically (AFAIK) but you can
call Microsoft tech support and they can walk you through it. I believe it's
a paid support call, so have your credit card ready.

I've also heard of third-party EFS recovery software (assuming you remember
your password, etc.) but I haven't tried these out.

Regards,
John

 

[John Wunderlich]

Won't work. Any resintallation of any kind generates new keys for
the encrypted data. Once it's gone, it's gone, even on the exact
same machine, unless you hae the exported keys.

True, but as I read it, he didn't do a re-installation. He simply
installed the old drive either as a slave drive in his new computer or
he tried to reboot new computer with his old drives. The first won't
work for the reasons you point out, the latter probably wouldn't work
because the hardware has most likely changed too much and it may not
boot properly.

-- john

 

[Twayne]

The keys that were used to encrypt your EFS-encrypted files are
located in your old user profile. Assuming that you still have these
files, and you still remember your old password, then it's possible
to get your data back.
Windows won't recover the encrypted data automatically (AFAIK) but
you can call Microsoft tech support and they can walk you through it.
I believe it's a paid support call, so have your credit card ready.

I've also heard of third-party EFS recovery software (assuming you
remember your password, etc.) but I haven't tried these out.

Regards,
John

It'd be handy if you were right John, but even with the pre-existing
data, that data will not lead to the new sids that were created.
Something that easy to bypass wouldn't make for very secure protection.
It has to do with much more than just the password when you're
messing with MS's EFS. It's one thing they did right and is nearly
impossible to recover without those keys, which are unrelated to
passwords and usernames.
I'd also be very curious about any EFS recovery programs you've come
across. That would be handy but about have to be simple scams; beware.
Consider me from Missouri<g> but I have never heard of any way to beat
the encryption withouth expensive brute force methods of reconstruction.
IMO you're presenting the OP with false hopes and only making work
for him that is going to be fruitless in the end.

Everything you ever wanted to know about EFS and should have asked:
http://technet.microsoft.com/en-us/library/bb457020.aspx

Here's a possibility if you have archives:
http://support.microsoft.com/default.aspx?scid=kb;en-us;223178&sd=tech

http://www.compulink.co.uk/~davedorn/computing/windows/xpencrypt5.htm

http://search.techrepublic.com.com/search/encrypted+recovery+agent.html

http://support.microsoft.com/default.aspx?scid=kb;en-us;243850&sd=tech

So since the drives are still available, the necessarydata may also be
still available. These links might help to sort it out.

Good luck,

Twayne



Twayne

 

[Twayne]

True, but as I read it, he didn't do a re-installation. He simply
installed the old drive either as a slave drive in his new computer or
he tried to reboot new computer with his old drives. The first won't
work for the reasons you point out, the latter probably wouldn't work
because the hardware has most likely changed too much and it may not
boot properly.

-- john

Just for grins, I did a little looking around and since he still has the
original drives, he might be able to eek something out of them. See my
other response to John B. if you're curious - good links but a lot to
get one's head around without past experience. If he can make it work,
he'll be the first I've ever heard of. I learned the hard way about
keeping the private certs around too<g>.

Twayne

Twayne

 

[John Banes]

What I'm describing isn't an EFS weakness or back door. After all, it's
necessary to have both the encrypted keys/certificates from the old user
profile and the user password in order to make this work. Exactly the same
data that EFS itself uses when encrypting/decrypting data.

I've walked a number of people through this process myself, back when I
worked there.

I know precisely how EFS encryption works--I wrote some of the code myself.


Regards,
John

 

[Twayne]

What I'm describing isn't an EFS weakness or back door. After all,
it's necessary to have both the encrypted keys/certificates from the
old user profile and the user password in order to make this work.
Exactly the same data that EFS itself uses when encrypting/decrypting
data.
I've walked a number of people through this process myself, back when
I worked there.

I know precisely how EFS encryption works--I wrote some of the code
myself.

Great; then you know the problems with recovery and that once new keys
are generated no amount of work will get the old back but a brute force,
sustained effort.