Topic: "EFS decryption w/o key" (page 1 of 1)

1
Author Post
senoyFlat
groupmaster
Hi Everyone!

I've got a really big problem,and i would like some help.May be there is someone,who know the answer,or may able to help solve it.
So,the thing is,I encrypted a dictionary with EFS method and reinstalled the system(Win XP) after that.
Is there a method to decrypt the files?I have the user name/pwd,but as far as i know,the XP uses more info to encrypt files.
I would be really-really glad if someone could help. :(

Bye

Ps: Already tried Elcomsoft's Advanced EFS Data Recovery software,without result. :( Did not found the proper mas key.
private message EMail
aceldama
groupmastergroupmastergroupmastergroupmaster
BF?
private message
senoyFlat
groupmaster
BF? means BruteForce? Maybe. Can you recommend a program which able to crack this?

I thought to write one,only i don't know the EFS related Win32 API.I think i should apply precisely the opposite operations of the encryption to decrypt.
If someone could send some docs about this,then maybe i could start.

Thx.

PS: i know the password,so in theory it would be similar to a dictionary attack.
Edited by senoyFlat on 02.03.2009 08:12:53
private message EMail
Degenerate
groupmastergroupmastergroupmaster
From what I know I think you will need the keys. A bit of reading for you regarding the keys and recovery of EFS files:

Directly from Wikipedia:
http://en.wikipedia.org/wiki/Encrypting_File_System
Recovery

Files encrypted with EFS can only be decrypted by using the RSA private key(s) matching the previously-used public key(s). The stored copy of the user's private key is ultimately protected by the user's logon password. Accessing encrypted files from outside Windows with other operating systems (Linux, for example, or even another instance of Windows) is not possible — not least of which because there is currently no third party EFS component driver. Further, using special tools to reset the user's login password will render it impossible to decrypt the user's private key and thus useless for gaining access to the user's encrypted files. The significance of this is occasionally lost on users, resulting in data loss if a user forgets his or her password, or fails to back up the encryption key. This led to coining of the term "delayed recycle bin", to describe the seeming inevitability of data loss if an inexperienced user encrypts his or her files.

If EFS is configured to use keys issued by a Public Key Infrastructure and the PKI is configured to enable Key Archival and Recovery, encrypted files can be recovered by recovering the private key first.
private message
senoyFlat
groupmaster
Yeah,i read a lot about it.Everyone,everywhere says that's impossible without the keys.
Now i trying to recover the keys.Unfortunately the data recovery tools proved to be useless,considering the time passed since the XP reinstall.

Since i'm a beginner in encrypting/decrypting,i request help from you. :)
Is it possible to recover the keys,if i have a unencrypted part of the data?ie. there ara txt files among them containing simple text,and i know some of its content.Is it possible to find the key based on these datas?
I think about something like using hash functions while the result isn't match the encrypted part.

private message EMail
Degenerate
groupmastergroupmastergroupmaster
I don't think it has been shown to be vulnerable to a known plaintext attack, so I doubt that it will help you =[
private message

Topic: "EFS decryption w/o key" (page 1 of 1)

1