Cannot decrypt my backed up encrypted files


computer

Platinum Member
Nov 5, 2000
2,735
2
0
Originally posted by: Woodie
I'm very skeptical about recovery and decryption of an EFS encrypted file...could you provide more details on the scenario you went through?

I'm anticipating that you deleted an important file that was encrypted, and it wasn't in the Recycle Bin anymore. I'm guessing that you were still on the same machine, on the same install, and were logged in with the same account that you encrypted the file with.

TIA,
If you are speaking about me that started the thread, please see the original post. :) "My Documents" was encrypted. Before going to new PC, I of course backed everything up, including My Documents. I was never told by XP that this would not work nor was I told I had to, nor how to save any encryption keys. Therefore, I still have "My Documents" data on my backup storage drive, but it's useless since it's no longer accessible on my new PC and the old OS HD has been reformatted.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Originally posted by: n0cmonkey
Originally posted by: computer
Originally posted by: vcarpio2
Originally posted by: Woodie
I'm very skeptical about recovery and decryption of an EFS encrypted file...could you provide more details on the scenario you went through?

I'm anticipating that you deleted an important file that was encrypted, and it wasn't in the Recycle Bin anymore. I'm guessing that you were still on the same machine, on the same install, and were logged in with the same account that you encrypted the file with.

TIA,

No, I did not delete an encrypted file. I have a "secure", encrypted folder in My Documents where I kept my passwords file (I use Counterpane) and images of my passport, SS card, etc., on my data disk (which is a second physical HD on my PC). I upgraded my motherboard this weekend and reinstalled XP and completely forgot about my encrypted folder. Thanks to the demo Active File Recover program, I was at least able to recover my passwords file.
So where is this "Active File Recover" program?

http://www.file-recovery.net/download.htm

It was in his previous post ;)

Thanks. Yeah, sorry I missed it. I saw that post in my inbox and went straight to it at this thread!
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Well, I don't know how that Active File Recovery program worked for you, it does nothing for me. It says it's "recovering" the file and I have it sent to a folder, and the SOB is STILL encrypted and I can't open it!! What else do you do besides highlighting the file and "recover"?
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: computer
Originally posted by: n0cmonkey
Originally posted by: computer
Originally posted by: vcarpio2
Originally posted by: Woodie
I'm very skeptical about recovery and decryption of an EFS encrypted file...could you provide more details on the scenario you went through?

I'm anticipating that you deleted an important file that was encrypted, and it wasn't in the Recycle Bin anymore. I'm guessing that you were still on the same machine, on the same install, and were logged in with the same account that you encrypted the file with.

TIA,

No, I did not delete an encrypted file. I have a "secure", encrypted folder in My Documents where I kept my passwords file (I use Counterpane) and images of my passport, SS card, etc., on my data disk (which is a second physical HD on my PC). I upgraded my motherboard this weekend and reinstalled XP and completely forgot about my encrypted folder. Thanks to the demo Active File Recover program, I was at least able to recover my passwords file.
So where is this "Active File Recover" program?

http://www.file-recovery.net/download.htm

It was in his previous post ;)

Thanks. Yeah, sorry I missed it. I saw that post in my inbox and went straight to it at this thread!

That's why I tried not to be an ass. ;)
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Could someone answer this please? I'm trying to try a few things, but I'm stopped by some things. For one, just where the hell is the Certificates console or store, how do you add DRA's or a key to the trusted root area, and how do you, quote, "create a certificate using cipher"?
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
How 'bout could someone tell me what the key, privacy key, certificate, etc, whatever this decrypter key is called, is actually named? I tried searching for .pfx extensions and found nothing. That doesn't make any sense since that's the extension for the certificate key. If I know the name, maybe I can use Active File Recovery to find the certificate on the old HD.
 

vcarpio2

Senior member
Feb 10, 2002
243
0
0
Originally posted by: computer
Originally posted by: vcarpio2
I found one that works! I downloaded the trial version and it let me recover files that are 32K or less. It's at:

http://www.file-recovery.net/download.htm

I was able to recover my password file that contained all my passwords. Good luck Computer!
Thanks for the info, I'll try it. Why 32k or less, is that the demo limitation?

Yes, 32K is the demo limitation. In my case, I do not have a Windows password so I did not have to enter any password. I just right-clicked the file and clicked "Copy".

Full version is also $50. Not cheap but cheaper than the others which start at $100.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
computer...I wasn't asking you, as I actually read your OP :D, it was aimed at vcarpio2.

Certificates console:
Start -> run -> mmc -> Ctrl-M -> alt-D -> Certificates -> Add -> (My User Account) -> Finish, Close, OK.

To add a certificate from file, browse to the Personal - Certificates folder, right click, and IMPORT certificate.

To add a trusted root certificate from file, browse to the Trusted Root Certification Authorities - Certificates, right click, and IMPORT certificate.

Cipher: Open a command prompt, then type in CIPHER /?
It'll explain the exact syntax to generate a new EFS key for the currently logged on user.

The Recovery Key (aka, master key, recovery agent, back door, etc...) is NOT stored in a file: It's stored in the PROFILE & Registry of the Recovery Agent ID. By default, it's the local Administrator account. AFAIK, the only way to get to the certificate is to: Log in as that user, start the Certificate MMC (see instruction above), and then you can export, delete, etc.. on that certificate.

On the OLD hard drive...best bet is to recover the entire profile associated w/the local Administrator. Then, you MAY be able to login and LOAD that profile. (I'm very skeptical of this working, but it might).

BTW, you're right, there is a back door: It's the Local (or Domain) Administrator ON THAT INSTALL OF THE OS! It's a weakness of EFS, but it can also bite you. DAMHIK.

Originally posted by: vcarpio2
No, I did not delete an encrypted file. I have a "secure", encrypted folder in My Documents where I kept my passwords file (I use Counterpane) and images of my passport, SS card, etc., on my data disk (which is a second physical HD on my PC). I upgraded my motherboard this weekend and reinstalled XP and completely forgot about my encrypted folder. Thanks to the demo Active File Recover program, I was at least able to recover my passwords file.

I'm feeling a bit slow here...
- You had a password file (password.dat or the like for PasswordSafe) in your My Documents directory.
- It was encrypted by the application, but NOT by the EFS checkbox.
- After a reinstall of XP, this utility was able to recover this file for you.

Did I get that right?
 

vcarpio2

Senior member
Feb 10, 2002
243
0
0
I'm feeling a bit slow here...
- You had a password file (password.dat or the like for PasswordSafe) in your My Documents directory.
- It was encrypted by the application, but NOT by the EFS checkbox.
- After a reinstall of XP, this utility was able to recover this file for you.

Did I get that right?

Sorry my explanation was confusing.

I kept all my passwords (web sites, etc.) using the Counterpane Password Safe utility. I keep the password.dat file in a directory/folder in my HD.

In the same folder, I kept scanned images of my wallet's contents.

I then encrypted it by right-clicking on the folder in Explorer, clicking the General tab, then checking the "Encrypt contents to secure data".

Hope this helps. My apologies to Computer if the way I encrypted my folder is different from the way he did.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
vcarpio2...TY...clearer now, I'm following you a bit.

Since you triggered the EFS after you created the files, did you apply it to all the contents? or just NEW files? (I'm trying to figure out how you were able to recover EFS encrypted files after a new OS install. Nobody else has *ever* been able to do that w/o having a backup of the EFS certificate).

Hmmm. I'm still puzzled. I believe the part about recovering the file after a format, that's what I would expect for this type of utility. What I don't understand is how you/it got past the EFS encryption. Would you mind checking my facts below? I'm keenly interested in figuring out how to recover (EFS) encrypted data.

Let's just deal with the password file
Beginning State:
XP install,
Logged on as default user (no password)
password file on OS partition ...\My Documents\encryptme\password.file
After creating file, you turned on Encryption on ...\My Documents\encryptme, and selected "Apply to contents". (PS encrypts the database within the file, using an application layer encryption and password scheme)

You reformatted your OS partition, and installed XP again.
Logged on as default user (no passwords)
Used utility to recover password.file to a new folder on OS partition. ...\NewFolder\password.file with NO Password/decryption prompts?

End stage:
New XP install
Logged on as default user (no passwords)
..\NewFolder\password.file was accessible as soon as it was "recovered", and no WINDOWS password prompt was needed when you opened the file w/ PS. (Yes, PS prompted you for the database password)
 

vcarpio2

Senior member
Feb 10, 2002
243
0
0
Originally posted by: Woodie
Since you triggered the EFS after you created the files, did you apply it to all the contents? or just NEW files? (I'm trying to figure out how you were able to recover EFS encrypted files after a new OS install. Nobody else has *ever* been able to do that w/o having a backup of the EFS certificate).

Something I can't remember is whether I selected "Apply changes to this folder, subfolders and files" which is the default, or, for some wacky reason, I decided to select "Apply changes to this folder only". But since the first one is the default, I'd assume that's what I did.

In either case, wouldn't the files inside the folder be encrypted?

Let's just deal with the password file
Beginning State:
XP install,
Logged on as default user (no password)
password file on OS partition ...\My Documents\encryptme\password.file
After creating file, you turned on Encryption on ...\My Documents\encryptme, and selected "Apply to contents". (PS encrypts the database within the file, using an application layer encryption and password scheme)

You reformatted your OS partition, and installed XP again.
Logged on as default user (no passwords)
Used utility to recover password.file to a new folder on OS partition. ...\NewFolder\password.file with NO Password/decryption prompts?

Every detail you mention above is correct -- default user, create file, encryption on, reformat OS partition, default user, recover password.file to a new folder -- you got it right.

The Active File Recovery demo allowed me to recover my password file because it was only 5K. It won't let me recover my scanned JPEGs because the demo version has a limitation of 32K files or less only.

End stage:
New XP install
Logged on as default user (no passwords)
..\NewFolder\password.file was accessible as soon as it was "recovered", and no WINDOWS password prompt was needed when you opened the file w/ PS. (Yes, PS prompted you for the database password)

Yes. As soon as I recovered my password file into the new folder, I launched Counterpane's Password Safe program and opened the recovered password file -- all my passwords are in there, over 50 of them.
 

vcarpio2

Senior member
Feb 10, 2002
243
0
0
Woodie, I think I might know what has gone on in my case, although there is still a problem as I'll explain later.

I upgraded to XP Pro from XP Home earlier this year. I think I had my "secure" folder encrypted back when I was still using XP Home. I remember I had the same problem of not being able to access my secure folder when I upgraded to XP Pro earlier this year. But at that time, my XP Pro upgrade also included a brand-new HD so I still had my old, bootable HD with XP Home and the encrypted folder. So I switched master/slave jumpers to reboot from my old XP Home HD and copied the secure folder to my new XP Pro HD. I then restored the master/slave jumpers and used XP Pro from then on.

If my recollection above is right, then, encrypting folders in XP Home does not really encrypt files, it only makes folders unreadable to other users.

The only problem with the above scenario is, after copying my secure folder from my XP Home HD to my XP Pro HD, I again encrypted the new folder under XP Pro. That is why I had the problem this weekend when I upgraded my motherboard and reinstalled XP Pro a second time this year. So, somehow, Active File Recovery was able to recover from both encrypted folders -- the one I encrypted under XP Home and the new one I encrypted under XP Pro.

Sorry if I confused you all the more. Let me know if you want me to re-post with some kind of chronological order.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Yes, 32K is the demo limitation. In my case, I do not have a Windows password so I did not have to enter any password. I just right-clicked the file and clicked "Copy".
So how are you getting around the encryption problem? If the file is still encrypted, how are you opening it? I never used a password either. I click "preview" and it says something like; the preview will only be the raw encryption data, and to "copy" to decrypt it! So, I "copy" it and it's still encrypted and I still can't open the file! Contrary to their description, this program appears to be only a way to recover files one deleted. Which, MIGHT work for me if I could find the formatted over cert or key on my old HD, but I don't know what to search for. .pfx didn't work.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
If my recollection above is right, then, encrypting folders in XP Home does not really encrypt files

XP Home does not have EFS and therefore has no built in encryption. Period.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Originally posted by: Woodie
Certificates console:
Start -> run -> mmc -> Ctrl-M -> alt-D -> Certificates -> Add -> (My User Account) -> Finish, Close, OK.

To add a certificate from file, browse to the Personal - Certificates folder, right click, and IMPORT certificate.

To add a trusted root certificate from file, browse to the Trusted Root Certification Authorities - Certificates, right click, and IMPORT certificate.

Cipher: Open a command prompt, then type in CIPHER /?
It'll explain the exact syntax to generate a new EFS key for the currently logged on user.

The Recovery Key (aka, master key, recovery agent, back door, etc...) is NOT stored in a file: It's stored in the PROFILE & Registry of the Recovery Agent ID. By default, it's the local Administrator account. AFAIK, the only way to get to the certificate is to: Log in as that user, start the Certificate MMC (see instruction above), and then you can export, delete, etc.. on that certificate.

On the OLD hard drive...best bet is to recover the entire profile associated w/the local Administrator. Then, you MAY be able to login and LOAD that profile. (I'm very skeptical of this working, but it might).
Thanks Woodie.
 

vcarpio2

Senior member
Feb 10, 2002
243
0
0
Originally posted by: computer
Yes, 32K is the demo limitation. In my case, I do not have a Windows password so I did not have to enter any password. I just right-clicked the file and clicked "Copy".
So how are you getting around the encryption problem? If the file is still encrypted, how are you opening it? I never used a password either. I click "preview" and it says something like; the preview will only be the raw encryption data, and to "copy" to decrypt it! So, I "copy" it and it's still encrypted and I still can't open the file! Contrary to their description, this program appears to be only a way to recover files one deleted. Which, MIGHT work for me if I could find the formatted over cert or key on my old HD, but I don't know what to search for. .pfx didn't work.

I was hoping Woodie would jog my memory some more by presenting some more scenarios. I did not take notes when I did the upgrades so I'm relying on memory.

I still have both "secure" folders -- the old one that I had when I was still using XP Home, and the second one when I upgraded to XP Pro the first time earlier this year. They're both in my second HD. (My new, third folder with the recovered files, I decided not to encrypt for now.) For kicks I tried to recover files from both using Active File Recovery and am able to view them -- they are not encrypted.

As for using Active File Recovery, that's all I do, right-click on the file then copy to a new location. I am not prompted for any password or anything.
 

vcarpio2

Senior member
Feb 10, 2002
243
0
0
Originally posted by: STaSh
If my recollection above is right, then, encrypting folders in XP Home does not really encrypt files

XP Home does not have EFS and therefore has no built in encryption. Period.

You're right. I think it's more like making a folder private instead of encrypting a folder. When I use Explorer and click on my 2 "secure" folders, I get the same error message, "Access is denied".

That's it for me for tonight. Bedtime. I have to go to work tomorrow.
 
RussianSoldier

May 26, 2001
984
0
0
Here's what Windows Help says about recovering NTFS encrypted files:

To recover an encrypted file or folder when your file encryption certificate is not available

If you have lost your file encryption certificate you cannot access your encrypted files. However, your recovery agent can decrypt the files. Use Backup in Windows 2000 or any backup program designed for Windows 2000 to make a backup version of the encrypted files or folder. Backup programs designed for Windows 2000 retain the encryption of the backed-up files.
Send the backup version of the encrypted file or folder as an e-mail attachment to a recovery agent. The recovery agent has a special certificate for decrypting the file or folder for you. The recovery agent will back up the decrypted file or folder and then return the backup version to you.
Notes

If you first back up encrypted files and folders using Backup or any other backup tool, you can then copy or move the backed-up version of the files and folders to a volume that is not an NTFS file system volume. The backup version of the encrypted file or folder retains its encryption as long as it is in backed-up form. You can copy the backup version to tapes or to other file systems such as FAT, or you can send it as an e-mail attachment. When you want to access your encrypted files again, restore the backup version to an NTFS volume to preserve the encryption.
You can recover an encrypted file or folder yourself if you have kept a backup copy of your file encryption certificate and private key in a .pfx file format on a floppy disk. Use the Import command from Certificates in Microsoft Management Console (MMC) to import the .pfx file from the floppy disk into the Personal store.
The administrator of the local computer is the default recovery agent unless you are in a domain environment. In a domain environment, the domain administrator is the default recovery agent.
For more information on using Certificates in MMC, see Related Topics.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Originally posted by: RussianSoldier
Here's what Windows Help says about recovering NTFS encrypted files:

To recover an encrypted file or folder when your file encryption certificate is not available

If you have lost your file encryption certificate you cannot access your encrypted files. However, your recovery agent can decrypt the files. Use Backup in Windows 2000 or any backup program designed for Windows 2000 to make a backup version of the encrypted files or folder. Backup programs designed for Windows 2000 retain the encryption of the backed-up files.
Send the backup version of the encrypted file or folder as an e-mail attachment to a recovery agent. The recovery agent has a special certificate for decrypting the file or folder for you. The recovery agent will back up the decrypted file or folder and then return the backup version to you.
Notes

If you first back up encrypted files and folders using Backup or any other backup tool, you can then copy or move the backed-up version of the files and folders to a volume that is not an NTFS file system volume. The backup version of the encrypted file or folder retains its encryption as long as it is in backed-up form. You can copy the backup version to tapes or to other file systems such as FAT, or you can send it as an e-mail attachment. When you want to access your encrypted files again, restore the backup version to an NTFS volume to preserve the encryption.
You can recover an encrypted file or folder yourself if you have kept a backup copy of your file encryption certificate and private key in a .pfx file format on a floppy disk. Use the Import command from Certificates in Microsoft Management Console (MMC) to import the .pfx file from the floppy disk into the Personal store.
The administrator of the local computer is the default recovery agent unless you are in a domain environment. In a domain environment, the domain administrator is the default recovery agent.
For more information on using Certificates in MMC, see Related Topics.
Thanks, but I saw that, and didn't know what they meant by "Recovery Agent". I was looking for damn software called that! Then I realized it's just a person, of whom that would be ME in my case, and of which I have no such certificate.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
As for using Active File Recovery, that's all I do, right-click on the file then copy to a new location. I am not prompted for any password or anything.
Neither am I, but are you doing this with ENCRYPTED files from ANOTHER PC and you're still able to open them?
 

Fiveohhh

Diamond Member
Jan 18, 2002
3,776
0
0
Originally posted by: computer
It's been said many times you need the key, but you keep insisting there's a backdoor. That being said, I'd get the old HD and use something like the r studio on it and hope you can get it back, or if it's very important, send it off to a professional data recovery service.
There is a backdoor, EVERYTHING has a back door, or more accurately a way to circumvent it.

Not everything has a backdoor. Why do you insist on this when you know very little about encryption? I'm not trying to sound harsh, but you're not taking no for an answer. There's a sticky on the top of the forums saying it's impossible, other members have told you it's impossible, and Microsoft says it's impossible. Unless you have the private key or a way to brute force it, it's not gonna happen. I don't know much about encryption, but I don't see what good it would do if it had a backdoor.
 

vcarpio2

Senior member
Feb 10, 2002
243
0
0
Originally posted by: computer
As for using Active File Recovery, that's all I do, right-click on the file then copy to a new location. I am not prompted for any password or anything.
Neither am I, but are you doing this with ENCRYPTED files from ANOTHER PC and you're still able to open them?

It's from the same PC -- but with a new motherboard and processor so for most intents and purposes, it's a brand-new PC.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
vcarpio2
I think we're getting somewhere, thanks for the many posts w/ detailed information. :)

In Windows Explorer, do your encrypted files display in green text?
When you said you "encrypted the folder"...can you recall exactly how you did that? (steps/cipher command?)
Could you look into your Certificates Store (see instructions earlier in the thread) and tell us if you have any Personal Certificates? If so, how many, and do they have "Encrypting File System" listed in the "Intended Purpose" field?

Against my better judgement, I'm beginning to wonder if you've found a way around the EFS protection.
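
The checks Woodie asks for above (Personal certificates with "Encrypting File System" as an intended purpose) and the .pfx backup that the quoted Windows Help text describes can be scripted. This is an added example, not code from any poster in the thread; it assumes Windows PowerShell 3.0 or later with the PKI module (Windows 8 / Server 2012 or newer, not the XP installs discussed here), and the function names and the `E:\KeyBackup` path are hypothetical.

```powershell
# Added example, not from the thread. Function names and paths are illustrative.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'     # EKU: Encrypting File System
$DraOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery (recovery agent)

function Get-EfsCertificate {
    # Lists certificates in the Personal store whose intended purposes include
    # EFS or File Recovery, and reports whether the private key is present.
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuOids = @(
            $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )
        $purpose = @()
        if ($ekuOids -contains $EfsOid) { $purpose += 'Encrypting File System' }
        if ($ekuOids -contains $DraOid) { $purpose += 'File Recovery' }
        if ($purpose.Count -eq 0) { continue }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Purpose       = $purpose -join ', '
            HasPrivateKey = $cert.HasPrivateKey   # without this, the cert cannot decrypt
            NotAfter      = $cert.NotAfter
            Certificate   = $cert
        }
    }
}

function Get-EfsEncryptedFile {
    # Finds files carrying the NTFS "Encrypted" attribute (shown green in Explorer).
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

function Backup-EfsCertificate {
    # Exports every EFS / File Recovery certificate that has a private key to a
    # password-protected .pfx, to be stored off the OS disk.
    param(
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][securestring]$Password
    )
    $certs = @(Get-EfsCertificate | Where-Object { $_.HasPrivateKey })
    if ($certs.Count -eq 0) {
        Write-Warning 'No EFS certificate with a private key in this profile.'
        return
    }
    foreach ($c in $certs) {
        $file = Join-Path $Destination ('efs-{0}.pfx' -f $c.Thumbprint)
        # Fails if the key was created as non-exportable.
        Export-PfxCertificate -Cert $c.Certificate -FilePath $file -Password $Password
    }
}

# Run before a reinstall or a move to a new PC.
$encrypted = @(Get-EfsEncryptedFile -Root $env:USERPROFILE)
'{0} EFS-encrypted file(s) under {1}' -f $encrypted.Count, $env:USERPROFILE
Get-EfsCertificate | Format-Table Thumbprint, Purpose, HasPrivateKey, NotAfter

# Uncomment to write the backup (E:\KeyBackup is a placeholder path):
# Backup-EfsCertificate -Destination 'E:\KeyBackup' -Password (Read-Host -AsSecureString 'PFX password')
```

If the first line reports encrypted files and the table is empty or shows `HasPrivateKey` as False, those files cannot be opened from this profile, and backing up the files alone will not make them readable elsewhere.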