Getting around Windows XP EFS - AAAHHHH!!!

Hephaistos

Member
Apr 6, 2002
27
0
0
Ok ok. I feel like Charlie Brown after kicking the football from Lucy.... a complete idiot and loser.
That aside, I reformatted my system because everything was just going to a crawl. But I had forgotten that I encrypted a huge set of files from when I had this computer shared... now I have no certification to open the files.
Please tell me someone knows a way around these. I heard I could convert to FAT32 and that would clear it up, but Partition Magic 8 says it will just give an error. I refuse to believe that this encryption is impossible to get around, hard perhaps, but not impossible.
Any information (other than "Tough Luck") would be helpful.

Thank you
-Hephaistos
 

Derango

Diamond Member
Jan 1, 2002
3,113
1
0
You should have read the FAQ...the one that says you should back up your encryption keys to prevent something like this from happening.
 

Hephaistos

Member
Apr 6, 2002
27
0
0
Yes, I should have, but I didn't.
I didn't even know exactly how the encryption worked. When I invoked it, it was just to keep others from looking at the data on this local machine and over the net. I thought it was just basically a "hide" feature more or less.
Now I know it's more.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: Hephaistos
Yes, I should have, but I didn't.
I didn't even know exactly how the encryption worked. When I invoked it, it was just to keep others from looking at the data on this local machine and over the net. I thought it was just basically a "hide" feature more or less.
Now I know it's more.

What would be the point of the encryption if you could just bypass it? It isn't much of an encryption if that was the case. IMO you are sh1t out of luck my friend.
 

Hephaistos

Member
Apr 6, 2002
27
0
0
Yeah, I get the point of encryption, that's not too hard.
What I am asking is if anyone knows a way around it. A flaw perhaps? Or some trick of the trade?
There isn't a single protection out there that doesn't have a flaw, I just want to know if anybody has figured it out.
Like what about a DOS command that allows converting from NTFS to FAT32 that ignores the encryption part of a file, in turn erasing it.
 

Toxic

Senior member
Sep 27, 2002
223
0
0
I don't think you are going to be able to get around it. Flaw or no flaw, you don't have enough computing horsepower to get around it.

Like Jack Handey said:

If you ever drop your keys in molten lava
Man, they're gone.
 

Hephaistos

Member
Apr 6, 2002
27
0
0
I'm really surprised, I thought this of all places would be able to offer at least some "risky" ways of recovering data.
But no, most of you have adapted to the "Oh well, that's that" attitude.

Thanks anyway, I'll keep looking elsewhere.
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
I find it pretty amazing that when 4 or 5 different people - who see this problem come up about once every two weeks - tell you that you're screwed, you still don't believe them. If there were a way around this, we would have heard about it at least once in the literally dozens of posts about recovering EFS that I've seen.

Let's try again... you're screwed. Your data is not recoverable. Get on with life.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: Hephaistos
I'm really surprised, I thought this of all places would be able to offer at least some "risky" ways of recovering data.
But no, most of you have adapted to the "Oh well, that's that" attitude. Thanks anyway, I'll keep looking elsewhere.

I realize you must be horribly frustrated right now, but the reason that other users haven't offered any assistance, let alone risky assistance, is that there is none to offer. There are zero currently known vulnerabilities in Microsoft's EFS implementation. A couple of clarifications on what you asked/posted:

1) Regarding your question about converting to FAT32, if you copy the encrypted files from NTFS to FAT they are decrypted when copied (since FAT doesn't support things that EFS needs). However, this only works when the system is up and you have access to the original files.

2) The only known attack would be a brute force attack against the encrypted data; unfortunately you don't have the hardware (lots) or the time (lots and lots of years) to perform such an attack.

Please realize that there is a psychological issue around this: if your drive had crashed it would be easier to accept the loss of all your data. But since the data 'seems' to be there, it seems there should be some way to recover it. Unfortunately, when you reinstalled Windows, for the purposes of those files, it was just as if the hard drive exploded into a zillion pieces.

In the closing-the-barn-door-after-the-horse-gets-out department, please consider some sort of backup scenario moving forward. At least this way you won't have to go thru this again (I've lost RAID arrays before that were supposed to be 'unloseable', I do know what a pain this can be). I usually back up critical files quarterly to DVD-RW, and then store them in a safe deposit box. But just keeping them at a friend's or in your desk at work would be good (most backups let you set a password so if someone steals the backup set, they can't get the data).

Bill



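A defensive counterpart to bsobel's backup advice, added here as an example and not part of the thread: a PowerShell script that inventories EFS-encrypted files, exports the current user's EFS certificate and private key to a password-protected PFX, and can optionally decrypt the files in place before a reinstall. It assumes Windows 8 / PowerShell 3 or later (Export-PfxCertificate, the -File switch) and the folder paths are placeholders; on Windows XP SP2 and later the built-in cipher /x command performs the same key backup.

```powershell
# Added example, not from the thread. Run as the user who encrypted the files, BEFORE
# reinstalling: list EFS-encrypted files, back up that user's EFS certificate and private
# key to a password-protected PFX, and optionally decrypt the files in place.
# Assumes Windows 8 / PowerShell 3 or later; the paths below are assumptions.
# On Windows XP SP2 and later, "cipher /x" does the equivalent key backup.
param(
    [string]$Root = "$env:USERPROFILE\Documents",           # assumed folder to inventory
    [string]$BackupDir = "$env:USERPROFILE\efs-key-backup", # assumed backup location
    [switch]$DecryptInPlace
)

# Enhanced Key Usage OID that marks a certificate as usable for Encrypting File System.
$efsEku = '1.3.6.1.4.1.311.10.3.4'

# 1. Inventory: every file with the NTFS "Encrypted" attribute depends on the EFS key.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 })
"{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $Root

# 2. Locate the EFS certificate(s) in the user's personal store that still carry a
#    private key. The key lives in the user profile, which is why a reinstall without
#    a backup (or a recovery agent) makes the files unrecoverable.
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) })
if ($efsCerts.Count -eq 0) { throw "No EFS certificate with a private key found for this user." }

# 3. Export certificate + private key; keep the PFX and its password off this machine.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
foreach ($c in $efsCerts) {
    $pfx = Join-Path $BackupDir ("efs-{0}.pfx" -f $c.Thumbprint)
    Export-PfxCertificate -Cert $c -FilePath $pfx -Password $pw | Out-Null
    "Exported EFS key {0} (expires {1}) to {2}" -f $c.Thumbprint, $c.NotAfter, $pfx
}

# 4. Optional: decrypt in place so the files no longer depend on the key at all. Same
#    effect as the "copy to FAT" trick in the thread, via the Win32 DecryptFile API;
#    it only works while the current profile still holds the key.
if ($DecryptInPlace) {
    foreach ($f in $encrypted) { [System.IO.File]::Decrypt($f.FullName) }
    "Decrypted {0} file(s) in place; they no longer need the EFS key" -f $encrypted.Count
}
```

To restore the key on a fresh install, import the PFX into the same user's personal store (certificate import wizard or Import-PfxCertificate) and the EFS driver will decrypt the files transparently again.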
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: Hephaistos
I'm really surprised, I thought this of all places would be able to offer at least some "risky" ways of recovering data.
But no, most of you have adapted to the "Oh well, that's that" attitude.

Thanks anyway, I'll keep looking elsewhere.

The reason you haven't gotten a "risky" way is because THIS ISN'T A WAY!!!!! I am sure Microsoft MIGHT know a way but I doubt it. Even if they did, they aren't going to tell because it defeats the purpose.

There are a lot of things that Microsoft has screwed up in the past, but so far EFS has held up pretty well and there aren't any publicly known flaws to get the data back.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Hephaistos
I'm really surprised, I thought this of all places would be able to offer at least some "risky" ways of recovering data.

Alright, I got a "risky way" for you. Break into one of the top secret NSA buildings, use the immense hardware they have to decrypt your donkey pr0n.

But no, most of you have adapted to the "Oh well, that's that" attitude.

No, it's an attitude something along the lines of "Wow, Microsoft might have gotten something right, now if only their users were smart enough to read the directions!" The encryption used *NEEDS* that key. Without that key, there is not a whole lot you can do, except, as bsobel said, brute force it. It would take you hundreds of years at least, even with half the computing power of Team Anandtech! Without that key the files stay encrypted; the filesystem will *NOT* affect this.

Your best solution is to restore from backups. Forget the encrypted stuff, restore from a time when you burned it to CD, transferred it to tape, threw it on a floppy, burned a DVD and it wasn't encrypted.

Thanks anyway, I'll keep looking elsewhere.

You do that, I'll still be sleeping well. Good luck, and move on.

EDIT: Just wanted to mention, if there was a flaw, Microsoft would have released a patch and you would have applied it by now.
 

Hephaistos

Member
Apr 6, 2002
27
0
0
I want to thank bsobel for actually giving a reason behind why I'm SOL, instead of just saying that and leaving me high and dry.
I obviously don't know a great deal about encryption, and he's right that seeing that data and knowing it's there is just salt in the wound.
I only have two choices after all the internet searching on this topic.
1. To somehow retrieve the certification by searching the drive. A long shot I know because I already installed an OS on the drive. But if anyone knows where these certificates are located, I may yet have success in this.
2. I'll just have to bite the bullet and erase that section of the hard drive.

A last question, and I'm sure there will be tons of people trying to bash me for this question too.
Where is there a warning about the need for the certification key? I'm not planning on going after Microsoft for my lost data. I just think it would be a really good idea if there was a little notice under the check box that says "Read me before you click". At least then I (and many others) might have figured it out before it was too late. Actually, less of a question, more of a complaint, just needed to get it out of me.
 

AndyHui

Administrator Emeritus, Elite Member, AT FAQ M
Oct 9, 1999
13,141
17
81
1. The Encryption certificates are not separate files, but attributes attached to your login. You will not be able to find them via searching your hard drive.

2. You will have to erase your hard drive.

3. That's precisely the reason why I wrote this, and point people to it regularly as well as on my main page update articles. I even had it stickied to the top of this forum for a while (although it's gone now....that's up to the mods).
 

Hephaistos

Member
Apr 6, 2002
27
0
0
Thank you, I'll be sure to use that article should I ever get the odd sensation to encrypt data again.
I did have a final question, then I'll leave it alone, and I'm sure half of you that are reading this would love to sock me.
From everything I understood about this encryption, any user not allowed access can not view, modify, move, or delete these files. No ifs, ands, or buts. Your last resort is to wipe clean the hard drive.
Now what I find odd is that I just deleted the information from the hard drive (at least from what I see and what the drive reports)...
how is this possible? Why do I have access to remove the data, but not to view or remove encryption?
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Where is there a warning about the need for the certification key? I'm not planning on going after Microsoft for my lost data. I just think it would be a really good idea if there was a little notice under the check box that says "Read me before you click". At least then I (and many others) might have figured it out before it was too late. Actually, less of a question, more of a complaint, just needed to get it out of me.

I'm not going to bash you for asking that, I actually agree quite strongly. I do think it's a UI oversight that (at a minimum) the first time you do this a wizard doesn't walk you thru setting up an EFS private key recovery floppy/file. While Andy does point out he wrote a FAQ on it (and a good one), I do think the OS (in this case) should provide additional warnings to the user without presuming they will wade thru help or find a third party FAQ.

From everything I understood about this encryption, any user not allowed access can not view, modify, move, or delete these files. No ifs, ands, or buts. Your last resort is to wipe clean the hard drive. Now what I find odd is that I just deleted the information from the hard drive (at least from what I see and what the drive reports)...
how is this possible? Why do I have access to remove the data, but not to view or remove encryption?

The files themselves to the OS are just normal data files, but their contents are encrypted. A special driver called the EFS driver sits on top of NTFS (hooking file access) and decrypts/encrypts the data as it's read/written. As an administrator, you certainly can take NTFS ownership of these files and nuke them, even without the proper keys (you just won't be able to access the contents of the files). The OS doesn't need the file contents to perform the delete operation (the delete is really an MFT modification), so the delete succeeds. I missed the earlier comment about wiping the drive; there certainly wouldn't be any reason (that I can think of) to need to do that.

Bill


 

Hephaistos

Member
Apr 6, 2002
27
0
0
Thanks for all the info, good stuff to know.
I guess on the plus side I got 8 gigs back to play with.... heh... **sob**

oh well, that's that.
On with life.
 