Backup data encrypted but don't know how it got that way. 1

[gardentech]

I posted this in another forum and then found this one.

I am in a horrible dilemna and everyone I have talked to say that I'm flat out of luck.

I have a C: and D: drive on my desktop. It is part of our home wireless network. There was years of "junk" on my computer so I decided to clean it up. I gathered all my data into one folder and did a back up and then reformatted the C drive. When I went to restore the data it was encrypted and now of course the FEK is gone. We don't know HOW it got encrypted. And, of course, the network administrator (my husband) had not set up any data recovery agent. We are running Windows XP Professional. I have recovered the individual data files that existed before I put them all into the backup folder. But each one of them is encrypted. Since I did not encrypt them I did not make a copy of the FEK. We are stymied as to how it happened.

Anyway, we've been told that I just put my data into a safety deposit box, locked it, threw away the key, and don't remember what building I put it in.

Anybody know of a forensic recovery specialist or "hacker" that can decrypt my stuff. My whole life is in that data! Seven years worth of photos, Financial & Medical information, and 20 years of horticulture research!

HELP! But I'm not holding my breath - trying to come to terms with the loss but in denial.

Pam

 

[Spirit]

Number one do not use the hard drive any further. Do not turn on do not do ANYTHING except remove it.

You "may" be able to recover the FEK even though you've formatted the drive, even though you've formatted it that dosen't make the files magically vanish.

There's a lot of tools out there that will scan and recover data from formatted drives with varying degree's of success. I would seek pro to do it, not a mates son or anything it will cost ££££'s.

Tell them exactly what happened and what you need.

Anyway, keep the encrypted files, in a few years time you'll probably be able to decrypt it using your toaster!

Good Luck,
Iain

 

[gardentech]

I have had professionals try to recover data -(they said they spent about $1800 in man hours on it but with no results. They didn't charge me anything but I paid them something anyway.) They could recover my encrypted data but not the FEK key. I thought that was hidden...... How do you find it?

 

[Salem]

Just searching the web -

http://www.elcomsoft.com/prs.html

Providing your key isn't that large, it's just brute force try every one until it finds the key that works.

One thing which will greatly improve your chances is having some decrypted versions of your encrypted files. This is called "known plaintext".
So if you've got some of those, then make really safe backup copies of them for later on, they could come in useful.

Also not an expert in this by any means...


--

 

[diogenes10]

Hi,

Here is a link for a security site:

http://www.governmentsecurity.org/forum/index.php

Might be worth a try to ask there if anyone has any ideas on how to recover one of those keys.

 

[TheMisio]

Hi gardentech,

You don’t mention if you use any encryption software. The only way files can be “automatically” encrypted on a Windows XP is using EFS (Encrypting File System).
EFS only works on NTFS partitions. The easiest way to recover you encrypted files is to restore them to a FAT or FAT32 partition. FAT does not support file encryption. It is the oldest trick to recover files scrambled by EFS. Get any drive (can be external) that has got FAT or FAT32 partition and restore the files onto it. It will work.

Let me know how it worked.

Michael

 

[gardentech]

Michael,
How do I determine if a partition is FAT or FAT32? I can't remember where to look?

Pam

 

[bpinning]

Hey,

Do it from Computer management and click on disk management and then the properties of the drive.

Brett

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.eyetstore.com

NSW, Australia
(Unless you want to pay for our trip?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

[12345666445]

Hello my name is Victor and I had absolutely same problem about a year ago.I bought 3 different software (Recover My Files, Search and Recover,O&O (most expensive))but couldn't get any data from my 80 GB (So waste of money).I was shocked because all my projects for the past 4 years was on that HD and I had to give a presentation in 2 weeks. I called Drivesavers been quoted for $1000-$5000 I was terrified .I looked on the Internet for some local companies in NYC ( Bnytech Inc )end up paying $550 and got my 50Gb data in 3 days. From now on I back up all my files on two external hard drives.

 

[gardentech]

I have tried restoring the backup to a Fat32 laptop but it said it did not support the data format being transferred. All the folder and file names restored but 0 bytes of data!

 

[gardentech]

User 12345666445,

What exactly did you look for on the internet? Data recovery or Unencrypting files?

Your back up data was encrypted?

I've googles data recovery specialists but none that could unlock the Windows Xp EFS system.

 

[12345666445]

To gardentech.
I looked for local data recovery company on the internet.
Yes, data was encrypted.

 

[TheMisio]

Hi gardentech,

Have you tried this?
- Restore the backup to a NTFS partition (which hopefully will work)
- Copy the restored files to a FAT or FAT32 partition. You can copy it across the network to another machine with FAT disks.
- Also you can simply burn the restored files to CD or DVD as these don’t copy the security / encryption information

Please let me know how it went.

Michael

 

[gardentech]

Michael,
I have tried to copy the restored files to my laptop which was FAT32. The error message I got said that the target file system did not support the data being copied. All the file names were copied but 0 data was sent.

Restoring the backup to a NTFS partition doesn't work. It just restores encrypted files. All the encryption keys were lost when we formatted my C drive and all it's partitions.

All my files were on my D drive when we backed them up. When we restored the backup to my D drive it overwrote all the existing files because for some reason they were hidden. I used a data recovery program and have all those back but they are also encrypted files.

I just found out that the backups that we put on the network server were lost when my husband tried to install the new VISTA and the server crashed. So all I have now are the restored files that are now .efs files.

We haven't tried burning the files to a DVD yet but I don't see how that would negate the encryption. If it were that easy anybody could decrypt data if they had a DVD burner. Am I understanding that correctly? I will try it though.

Right now I am in communication with some forensic data recovery specialists who use technology developed by the FBI/CIA to break encryptions. DOn't know yet if they will take on my project.

Thanks so much for your input! If you have any other suggestions I will try them.

Pam

 

[TheMisio]

hi gardentech,

OK. If we can’t circumvent the encryption, let’s reset it.
Picture the scenario: An employee (i.e. an accountant) encrypts the data and leaves the company. Now the new accountant needs to access the data. There must be a way of resetting the permissions and encryption of the files. And there is one:

- Restore the files to your NTFS partition as normal
- Log on to the computer onto which you’ve restored the files as a Local Administrator (this must be a local administrator account, not a user that belongs to an Administrators Group)
- Go to the “security” tab of the file / folder
- Go to “advanced”
- Go to “owner”
- Highlight the Administrator account and tick the “replace owner on subcontainers and objects”
- Click OK

Now you need to grant the Administrator account access to the data in Permissions tab.
Once you’ve taken the ownership of the file / folder you can reset encryption. Go to the properties of the folder, click advanced and clear the “encrypt contents to secure data”. This should give you a full access to the data.

Look, if you need a step by step help how to do this, let me know. This can be easily done without the need to pay a lot of money.
You can read more about encryption here (under the Recovery Agents section):

http://www.windowsnetworking.com/articles_tutorials/Protecting-EFS-Encryption-Keys.html?printversion

Please let me know if it worked.

Good luck

Michael

 

[gardentech]

Michael,

Thanks, but that didn't work either. I think the encryption key has to still be on the hard drive in order to do this.

Still grasping for straws so send any other suggestions you have.

Thanks,
pam