Dear Richard,

I was able to recover another user's encrypted files from a Windows XP machine without the user's private key in the past, so I have some experience in this area. I agree with Chetan Gupta's e-mail below, but wanted to add some info.
Windows XP doesn't have a Recovery Agent by default for new installations of Windows XP. However, if the computer was previously a Windows 2000 computer and was upgraded to Windows XP, then XP will inherit the default Windows 2000 Recovery Agent, which is the local administrator. Of course, since the system drive has been wiped, the private key for the local administrator has probably been lost. This paragraph is only true if this is a standalone or a workgroup computer.

If the Windows XP computer you got the encrypted files from was a domain computer, then by default the domain administrator account is the Recovery Agent. When I say domain administrator, I mean the actual domain administrator account that has the username "administrator". Just being in the domain administrator group doesn't make someone a Recovery Agent.

If the computer was in a domain, check the domain GPO to see who the Recovery Agent was. I don't remember the exact location of this information. I know it is on the computer settings side. Look for a security folder, then a public key policy folder, then lastly an Encrypted File System folder. The EFS folder will contain the list of Recovery Agents. Within that list is an EFS recovery certificate for each Recovery Agent. You can export the private key from that certificate and import that key to the machine you are using to recover the encrypted files. You must log in as the Recovery Agent account, which by default will be the domain "administrator" account. I would look at your topmost GPO in your domain architecture for this information.

Hope this helps,
Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chetan Gupta
Sent: Wednesday, January 03, 2007 5:49
To: Rikard Johnels
Cc: [email protected]
Subject: Re: recovery/forensics of NTFS encrypted folder.

Dear Richard,

I haven't tried it yet, but it should be worth trying out. Let me tell you my understanding of how EFS works.
When a user encrypts a file using EFS for the first time, a public/private key pair is generated and a FEK (File Encryption Key) is generated. This FEK is a symmetric key which is used to encrypt the file. This FEK is then encrypted with the public key of the user (also known as Recovery Agent) and this encrypted FEK is then stored in the header of the file. When the file is opened, the user's private key is used to decrypt the FEK, and the FEK in turn is used to decrypt the file. The whole process is transparent to the user. Also, the user may wish to install more than one recovery agent.

Quoting Microsoft, "A Recovery Agent is a user who is authorized to decrypt files belonging to other users. The chief use of this feature is to allow files to be decrypted in the event that the original owner loses the key. Whenever a file is encrypted by EFS, EFS also creates a copy of the key that is accessible by the Recovery Agent. By default, administrators are Recovery Agents - the local administrator in the case of a local user, and the domain administrator in the case of a domain user. However, the list of Recovery Agents can be customized via security policy."

In Windows 2000, the administrator is by default the recovery agent, capable of decrypting all files encrypted in EFS. In Windows XP and on, there are no default recovery agents, i.e. only the owner is the default recovery agent. In Windows XP and beyond, the private key is encrypted using the hash of the user's password and user name, and therefore it is impossible to recover the private key without knowing the user's password. If syskey protection is enabled in any of the two higher modes of security, then resetting the user password won't allow you access to the private key, since the key would be encrypted with the original password's hash (in Win XP).
However, in Win2K, as far as my knowledge goes, the keys are not encrypted using the hash, and so resetting the password would allow you access to the private key of the user.

In a nutshell, you do need the private key of the recovery agent to decrypt EFS files. Now in your case, you have the password but no private key, so it would be really difficult (read: next to impossible) to decrypt the data. Alternate approaches that may be suggested are that you copy the data to a FAT drive so that the encryption attribute is removed automatically, or that you brute-force the FEK encryption. But I guess that would work only if you are the owner of the file and, when the file is being copied, the file is decrypted first and then copied to the FAT drive. But if you are not the owner, I guess all you will get is garbage data since there won't be any automatic decryption. Brute-forcing may be computationally infeasible or take ages to succeed, nullifying the whole idea of decryption.

I don't know how much of this was of help to you, but do correct me if I was wrong anywhere.

Cheers,
Chetan G

--
Chetan Gupta GCFA, CEH, CCNA, CIW Sec. Analyst
Head, Forensic Services
NII Consulting Pvt. Ltd.
Email: [EMAIL PROTECTED]
Mobile: +91 9867780965
Web: www.niiconsulting.com
------------------------------------------------------
Online Computer Forensics Magazine
http://www.niiconsulting.com/checkmate
Comprehensive Incident Response and Forensics Services
http://www.niiconsulting.com/services/liveresponse.html
------------------------------------------------------

Rikard Johnels wrote:
> On Tuesday 02 January 2007 08:09, you wrote:
>
>> Dear Richard,
>>
>> You could try EFS key from Passware but to retrieve the files, the
>> encryption password must be known or SAM database must be present.
>>
>
> Will this retrieve the key if the password is known?
> And thus enable us to recover and investigate the data?
> The SAM is destroyed by the wipe done prior to us receiving the drive.
> The password might be available.
>
>> There is also Advanced EFS Data Recovery from Elcomsoft available at
>> http://www.elcomsoft.com/aefsdr.html
>> But again it requires the EFS key to be present or the user password and
>> syskey to be known to the user.
>>
>> HTH
>>
>> Chetan Gupta
>
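The key hierarchy Chetan describes above (a symmetric FEK in the file header, wrapped separately for the owner and for each Recovery Agent), as an added Go example that is not part of this thread: the struct layout, AES-256-GCM and RSA-OAEP are this example's own stand-ins, not EFS's actual on-disk format or algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile models the layout the thread describes: a body sealed with a symmetric FEK,
// plus a header holding one wrapped FEK per holder (the owner's DDF, one DRF per Recovery Agent).
type EncryptedFile struct {
	WrappedFEKs       [][]byte // FEK encrypted under each holder's RSA public key
	Nonce, Ciphertext []byte   // AES-256-GCM stands in here for EFS's real file cipher
}

// Encrypt draws a fresh FEK, seals the body with it, then wraps the FEK with RSA-OAEP for each holder.
func Encrypt(plain []byte, holders []*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(fek) // a 32-byte key cannot fail these constructors
	gcm, _ := cipher.NewGCM(block)
	f := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}
	for _, pub := range holders {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		f.WrappedFEKs = append(f.WrappedFEKs, w)
	}
	return f, nil
}

// Decrypt tries each header entry with the given private key: only a key some entry was wrapped
// for (owner or recovery agent) yields the FEK; admin rights or a reset password supply no such key.
func Decrypt(f *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range f.WrappedFEKs {
		if fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil); err == nil {
			block, _ := aes.NewCipher(fek) // fek is the 32-byte key that OAEP unwrapped
			gcm, _ := cipher.NewGCM(block)
			return gcm.Open(nil, f.Nonce, f.Ciphertext, nil) // fails on tampered data
		}
	}
	return nil, rsa.ErrDecryption // no entry matches this key: FEK unrecoverable
}
```

Calling Decrypt with the owner's key, a recovery agent's key and an unrelated key shows that only the first two recover the body, which is why a reset password or group membership alone does not help once the private keys are gone.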
