Encyrpted NTFS files. How can you recover them?

[AgentJean]

I've had one of my partitions take a dump, the file table got corrupted or something. Needless to day windows "sees" the partition but thinks it's a Raw partition and needs formating.

I have used a program called FindNTFS to recover most of my data the problem is I have quite a bit of data that was set with NTFS encryption and FindNTFS and GetDataBack "sees" the files but won't do anything with them. What can I do to recover these files?

 

[stash]

Did you backup your encryption key?

 

[pcgeek11]

You can wish them ado and goodbye... Use your back-up. You do have a back-up don't you?

File encryption bites another one.

pcgeek11

 

[AgentJean]

Originally posted by: stash
Did you backup your encryption key?

Umm no. (How do I back it up)

FYI, my windows install never crashed, just the storage partition. If that makes any difference.

 

[stash]

Oh then you're fine. The keys are stored in your profile on the Windows partition.

You can back them up with the cipher command.

 

[AgentJean]

Originally posted by: stash
Oh then you're fine. The keys are stored in your profile on the Windows partition.

You can back them up with the cipher command.

How? Windows does not reconguize the partition and my recovery programs skip the encyrpted files while copying everything else.

 

[stash]

Did you try running chkdsk on the partition?

 

[AgentJean]

Originally posted by: stash
Did you try running chkdsk on the partition?

As far as windows and partition magic are concerend the "E" drive is unformated but FindNTFS is able to read this drive without any problems.

Because of this I do not think CHKdisk is going to work and even it if runs it may screwup any chances I have at recovering these EFS files.

I found programs that suppositly can recover EFS files and by pass the encryption, the problem with these programs are they can not read the drive because of the corrupted file table.

I can always restore the backups, no big deal there, but this is a good learning opertunity for file recovery with NTFS encrytion incase I run into a situation where there are no backups. I'll then have the knowledge to be a god among men. and might make some uber bucks.

 

[RebateMonger]

Since you want to be a "god among men" re: EFS, I recommend you read the Microsoft XP Professional Resource Kit: Using EFS. That'll explain the precautions to take before using EFS, and how to recover EFS-protected files.

 

[bsobel]

Originally posted by: AgentJean

Originally posted by: stash
Oh then you're fine. The keys are stored in your profile on the Windows partition.

You can back them up with the cipher command.

How? Windows does not reconguize the partition and my recovery programs skip the encyrpted files while copying everything else.

The data is there and you have the keys. Sounds like the problem is you have a crippled recovery program, I'd suggest finding another..

 

[AgentJean]

Originally posted by: bsobel

Originally posted by: AgentJean

Originally posted by: stash
Oh then you're fine. The keys are stored in your profile on the Windows partition.

You can back them up with the cipher command.

How? Windows does not reconguize the partition and my recovery programs skip the encyrpted files while copying everything else.

The data is there and you have the keys. Sounds like the problem is you have a crippled recovery program, I'd suggest finding another..

Any recomendations? I need something that can read a lost partition, not just recover deleted files.

I tried PC Inspector but that program doesn't do crap. So far the only thing I found usefull is FindNTFS(which is free) the paid programs do nothing in the demo version and I'm not going to spend one penny on a program that may not be able to restore EFS files.

 

[AgentJean]

You know, I'm wondering if I do a quick format of the E drive if that would allow Pandora recovery do it's thing.

This would allow windows to read that partition as the file table w ould be reconstructed.

 

[bsobel]

Originally posted by: AgentJean
You know, I'm wondering if I do a quick format of the E drive if that would allow Pandora recovery do it's thing.

This would allow windows to read that partition as the file table w ould be reconstructed.

If you decide to go that way, or try chkdsk, image off the raw partition first so you can always restore the image and try again...

 

[p924]

Originally posted by: AgentJean
You know, I'm wondering if I do a quick format of the E drive if that would allow Pandora recovery do it's thing.

This would allow windows to read that partition as the file table w ould be reconstructed.

I have had luck recovering files from a hard drive after a format with pandora recovery. Just make sure you do a surface scan with pandora recovery or you won't find the deleted files.

 

[Nothinman]

Since you want to be a "god among men" re: EFS, I recommend you read the Microsoft XP Professional Resource Kit: Using EFS. That'll explain the precautions to take before using EFS, and how to recover EFS-protected files.

Normally I'd agree but his problem has nothing to do with EFS but with Windows being unwilling to mount or chkdsk the drive even though the filesystem is apparently at least partially fine.

If you decide to go that way, or try chkdsk, image off the raw partition first so you can always restore the image and try again...

No matter what option you take you should do this first. In situations like this you only really get one chance at "easy" recovery but if you backup the whole device you can try as many different tools as you can find.

Personally I would use a Linux LiveCD to backup the drive with dd (or dd_rescue if the drive has bad blocks) since I know that dd won't try to do anything fancy behind my back. Sadly there's no fsck/chksk tool for NTFS in Linux so you'll have to find something else for that.