Government Security
Network Security Resources


Decrypt Efs Encrypted Files

10 replies to this topic

#1 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 05 June 2005 - 01:38 PM

You know how XP Pro lets you encrypt files and folders when you press the right mouse button on Properties, and the file changes colour to green?
Well, I protected my most important files with that, and then I forgot to decrypt them before I formatted the partition where my OS was installed..
Now I installed a new XP Pro on the same partition, but the encrypted files are not accessible anymore...
I tried using "EFS Key 7.1" and "Advanced EFS Data recover", but no luck with any of them..
I will kill myself if I don't manage to get my files back..
Does anyone know how to decrypt these files now???
Only unity saves the Serbs

#2 Serhat

Serhat

    Second Lieutenant

  • Members
  • 803 posts

Posted 05 June 2005 - 05:07 PM

Files are encrypted through the use of algorithms that essentially rearrange, scramble, and encode the data. A key pair is randomly generated when you encrypt your first file. This key pair is made up of a private and a public key. The key pair is used to encode and decode the encrypted files.

If the key pair is lost or damaged and you have not designated a recovery agent, then there is no way to recover the data.


This is what I found.. it's probably still decryptable.. but then you somehow need to 'bruteforce' keypairs? I've done some RSA implementation in Java (for school) and as far as I know you really need those keypairs..

Serhat

#3 cvh

cvh

    Sergeant

  • Members
  • 209 posts

Posted 05 June 2005 - 06:53 PM

Read the text http://www.white-sco...comeSystem.html on becoming system on white-scorpion.nl. I was able to read other people's encrypted EFS directories, which were encrypted with different passwords. Don't know for 100%, but just try it.

Quote from the text:

One other reason might be that you would like to access the files from another account on your computer which might have access rights set or might be encrypted using the NTFS encryption called EFS (Encrypted files system). This of course should only be done with permission from the owner of those files.



Former security researcher for KAPDA.

http://www.kapda.ir OFFLINE FOREVER
http://www.kapda.net Archived website

Iranian Computer Security Science Researchers Institute.

http://en.wikipedia.org/wiki/KAPDA

Search bugtrack and many other mailing lists for my old advisory's, exploits and 0day's.
Search google with keywords: cvh kapda


#4 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 06 June 2005 - 07:35 AM

Well, I am guessing that these key pairs were in the Windows dir??
Since I formatted that partition, I may be able to recover data, but I have to know the extension of these keys, or their file names or something..

#5 beardednose

beardednose

    Retired GSO First Lieutenant

  • Sergeant Major
  • 1,917 posts

Posted 08 June 2005 - 04:45 AM

Recreate the issue on another PC and look for the key names, file extensions, etc. Not fast, but it will work.

#6 White Scorpion

White Scorpion

    Sergeant First Class

  • Sergeant Major
  • 674 posts

Posted 08 June 2005 - 07:39 AM

Retrieving your files is a piece of cake. You need a program like this one. Since these are your own files you know the password that is used to encrypt them and so your files will be back in a flash..
The program in the link isn't freeware, the trial version only allows you to view the content of the files, but I'm sure there will be other programs which will do the same...
The path of access leads to the server of wisdom..

The Syringe - My Latest Project.
Errors, Vulnerabilities & Exploits explained.
----
www.white-scorpion.nl
www.info-sec.eu
www.info-sec.info

#7 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 08 June 2005 - 07:57 AM

But that is a problem.. There never was a password entering area.. Cause I encrypted files just by right clicking on item>>properties>>advanced>>encrypt files.
It never asked me for any pass..

#8 White Scorpion

White Scorpion

    Sergeant First Class

  • Sergeant Major
  • 674 posts

Posted 09 June 2005 - 08:42 AM

EFS is encrypted by using YOUR Windows logon password, so if you had a password for your account and you use that password then you can retrieve them pretty easily.

This isn't totally correct, but it is the most important thing you need to know to decrypt EFS files. You WILL need the password from the user that encrypted them.

#9 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 09 June 2005 - 10:21 AM

Well, on my current system, there is not even a logon window, but earlier, on the old system, there was a logon screen which contained only my username (ADMINISTRATOR), and the password was the ENTER button.. So, there was no pass on the old system nor on this new system, but still, I cannot decrypt it with "EFS Key 7.1"... It says, "Maybe you entered wrong pass"
I guess it uses syskey or something..

#10 easternerd

easternerd

    Sergeant

  • Members
  • 226 posts

Posted 09 June 2005 - 08:12 PM

Extreme,
Did you back up your private keys?
EFS is too strong to break, something we really can't do. So always back up your private key in a safe place, because you can always use it to recover data after importing it into personal certificates; you need to be an EFS recovery agent like an administrator or Domain Administrator in a domain environment.

#11 ronron

ronron

    Private

  • Members
  • 1 posts

Posted 20 April 2010 - 06:16 AM

You know how XP Pro lets you encrypt files and folders when you press the right mouse button on Properties, and the file changes colour to green?
Well, I protected my most important files with that, and then I forgot to decrypt them before I formatted the partition where my OS was installed..
Now I installed a new XP Pro on the same partition, but the encrypted files are not accessible anymore...
I tried using "EFS Key 7.1" and "Advanced EFS Data recover", but no luck with any of them..
I will kill myself if I don't manage to get my files back..
Does anyone know how to decrypt these files now???

Hi.. I have an encrypted-file decryptor here... I bought it for $199... it works though.. It decrypted my files like in your case and got them back just like before (I installed a new OS and backed it up, forgetting it was encrypted (green-colored)).. It doesn't require any passwords or certificates, and is easy to use. I can give it to you for 50 bucks - full version. I'm not sure if I would go to this thread again waiting for answer/s. I prefer you to send me an email at bsgod47@gmail.com if you are interested, but I'll try to visit here sometimes.^^ Good luck! ^_^