Decrypt EFS encryption

[Guest]

Hello,
1) I had Encrypted some data on my laptop
2) Got my laptop re-imaged due to some issues and hence before that I had copied the data to an external hard drive..unfortunately I did not remembered that the data was Encrypted and I should also backup its keys …which I did not..
3) Laptop was re-imaged and when I tried copying back the data from the external drive to the Laptop..it says Access Denied..on Some debugging I found that the thumbprint of the Certificate by which the data was Encrypted is different from the Current thumbprint after re-imaging.
4) I had backup of all my C:\ (All Document and settings, WINDOWS folder etc…)

I just want to know is there a way why which I can recover my data as I am stuck with my work…

Any help or guidance will be really appreciated…

 

[tigsounds]

Try this....

http://technet.microsoft.com/en-us/library/cc722147%28WS.10%29.aspx

Or this....

http://support.microsoft.com/kb/887414

 

[hang-the-9]

Try this....

http://technet.microsoft.com/en-us/library/cc722147%28WS.10%29.aspx

Or this....

http://support.microsoft.com/kb/887414

The problem is that all of that info is only good BEFORE you delte and re-image all the files needed

kapilkrb, you may need to get a file recovery software and try to find the files needed for the above 2 methods to work.

 

[tigsounds]

I was hoping that since he has a complete backup of his old Documents and settings, that he could recover the keys, perhaps not.

There are methods of recovering all those EFS files, but we are not allowed to state them here.
If he is good at using Google, maybe he'll find a few things on his own.

 

[hang-the-9]

I was hoping that since he has a complete backup of his old Documents and settings, that he could recover the keys, perhaps not.

There are methods of recovering all those EFS files, but we are not allowed to state them here.
If he is good at using Google, maybe he'll find a few things on his own.

Hm.. he did say he backed up his folders and the Windows folder, missed that somehow. Skimmed the post a bit it seems. Those recovery things may work if he can get to the proper files.

 

[Guest]

Hm.. he did say he backed up his folders and the Windows folder, missed that somehow. Skimmed the post a bit it seems. Those recovery things may work if he can get to the proper files.

Thanks for your reply...
You can mail me the way to recover the keys/certificate from the files (Document and Settings and windows folder) on my personal id in case you can't post it here...

please help me as it has all of my data of last 2years and I cant move a inch n my work without them...

Thanks

 

[Guest]

I was hoping that since he has a complete backup of his old Documents and settings, that he could recover the keys, perhaps not.

There are methods of recovering all those EFS files, but we are not allowed to state them here.
If he is good at using Google, maybe he'll find a few things on his own.

Hi TigSounds...

I had gone through around 200 google pages and also installed some file recover softwares like Advance EFS Data recovery but it is of no help to me...

Somewhere on one of the blog I had read that

"About the best you can do in your situation is to try an find the deleted
certificates\private keys with a file recovery program and try to recover
them to the proper folder. The private keys are in the user profile under
documents and settings\username\application data\Microsoft\crypto\RSA
folder. If you have a backup of your user profile for that computer/specific
operating system install from a time when those certificates/private keys
existed you could also try recovering them from that backup and copy to your
user profile.
"
I had a backup of the RSA folder as well...

Does that help somehow...

 

[tigsounds]

I've been up about 30 hours now, I can't really think all that great, but quickly before I get to sleep,

You can try to trick the computer a bit. If you can copy the .CER file from the backup into a location on your current hard drive, maybe you can import it as a recovery agent. From the MS link given before:

1. Log on to the computer as the administrator.
2. Click Start, click Run, type gpedit.msc, and then click OK.
3. In the Group Policy Object Editor, expand the following nodes:
Local Computer Policy
Computer Configuration
Windows Setting
Security Settings
Public Key Policies
4. Right-click Encrypting File System, and then click Add Data Recovery Agent.
5. Click Next, and then click Browse Folders. (Browse for where you just copied from other drive)
6. Select the *.CER file that you created earlier, and then click Open.

Note By default, the certificate is created in the %userprofile% folder.
7. Click Next, and then click Finish.

Need re-boot to work, or substantial delay.

 

[kapilkrb]

I've been up about 30 hours now, I can't really think all that great, but quickly before I get to sleep,

You can try to trick the computer a bit. If you can copy the .CER file from the backup into a location on your current hard drive, maybe you can import it as a recovery agent. From the MS link given before:

1. Log on to the computer as the administrator.
2. Click Start, click Run, type gpedit.msc, and then click OK.
3. In the Group Policy Object Editor, expand the following nodes:
Local Computer Policy
Computer Configuration
Windows Setting
Security Settings
Public Key Policies
4. Right-click Encrypting File System, and then click Add Data Recovery Agent.
5. Click Next, and then click Browse Folders. (Browse for where you just copied from other drive)
6. Select the *.CER file that you created earlier, and then click Open.

Note By default, the certificate is created in the %userprofile% folder.
7. Click Next, and then click Finish.

Need re-boot to work, or substantial delay.

Hi Tig,

Thanks for the details..However I tried searching for .CER files within the user profile backup folder but could not find any..I had some files within the RSA folder ..but they dont have any extension as such.. it looks like

RSA\S-1-5-21-762979615-2031575299-929701000-183524\6b29ae44e85efac3c72ff4d1865d73f1_c06fbe05-96d3-4921-a204-bf36b673b89c
there are around 10 such files with this kind of long names..
How can i found that which one is the required one..
Regards

 

[kapilkrb]

Hi Guys,

I got my solution ..please refer to
http://www.ehow.com/how_4739473_operating-system-files-still-intact.html
http://www.beginningtoseethelight.org/efsrecovery/

Cheers!!