Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Recovering deleted encrypted files

Status
Not open for further replies.

thebe14

Programmer
Jun 2, 2005
4
RO
Hello,

I need to recover the content of a deleted encrypted file from a NTFS volume. I can read the file's content by directly accessing the volume (reading and decoding MFT, data runs and all that candy). I see that encrypted files have a named NTFS attribute of type LOGGED_UTILITY_STREAM (name is $EFS). I need to interpret the content of this, the goal being to obtain the (encrypted) FEK (file encryption key).

From the info I could gather so far, this data consists of:

struct EFS_INFO_HEADER
{
DWORD m_dwSize;
DWORD m_dwVersionMinor;
DWORD m_dwVersionMajor;
DWORD m_dwUnknown1;
BYTE m_Checksum[32];
BYTE m_Unknown2[?];
// count of DDF entries
// the DDF entries
// count of DRF entries
// the DRF entries
};

struct EFS_DDF_ENTRY
{
// header
// container name
// crypto provider name
// EFS certificate hash
// encrypted FEK
};

struct EFS_DRF_ENTRY
{
// header
// container name
// crypto provider name
// EFS certificate hash
// encrypted FEK
};

Anyone knows more about these structures, where are they defined, where can I find more about them? Some of these structures seem to have members that are sometimes missing, and I cannot decide how to handle this.

Another approach would be to use the WriteEncryptedFileRaw API and then I feed it with the necessary data in the callback function, essentially attempting a restore directly from the deleted file. Again, I see by attempting to use ReadEncryptedFileRaw that the data this API stuffs into my callback function on backup is some header, followed by the $EFS attribute (slightly modified!), then some addional data, probably another header, then the encryped content, interrupted every now and then by some unknown data. I have no documentation for any of these, thus I cannot manually construct the data stream to feed into the callback function for WriteEncryptedFile.

Any info, hint, pointer in the right direction would be welcome. Thanks a lot.

Regards,
Levente
 
MSDN said:
NOTE: If you do not have access to a Recovery Agent's account with a valid recovery key, you cannot recover the data. There is no workaround in EFS.
Eh?..
 
I agree. But this is not something I want avoid. I am looking for a solution to recover a file to which I had access (either because I am an authorized decrypter of the file, either because my account is listed as a recovery agent in the domain/local policy) before the file was deleted.

Thus, I either recover the encrypted FEK and then will attemt to decrypt it with all private keys I own, either I find out what is the structure of the buffer I should feed to WriteEncryptedFileRaw so that the OS does the decryption for me.

Again, I do not want to recover foreign files (from other users of others systems/domains).
 
There are lots of MSDN articles about encrypted files recovery (with EFS Recovery Agents, previously saved keys etc).
 
No, there are not! All I could find assumes that the file EXISTS! Don't you get it? I cannot simply recover the file, because I can only READ directly from the volume (and then interpret the structures, MFT, etc) and this direct read yield the encrypted content. I could write this encrypted stuff to a new file, but then how do I tell the OS that the new file is encrypted? I CANOT AND DO NOT WANT to take the chance to manually write to the disk. This means that I must use regular techniques to create the recovered file (e.g. CreateFile). Thus, I need to get the original/plain content of the deleted encrypted file. And I need info about the strucutre(s) involved in any one of the cases I described in my first post. Now it's clear?
 
I did a search in the Windows sdk header files, and didn't see the structures you're wanting. I suspect they're available in the ddk, which I don't have loaded.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
No they are not in the DDK either. I have three DDKs installed (WinME, WinXP and the IFS Kit for Win2003) and I cannot find anything about this. Any idea what to search for (as EFS does not work)?
 
If you're a MS premier partner, sounds like time to get on the phone with them.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
thebe14,

I've been using a program called Advanced EFS Data Recovery, but it does not work on encrypted files that I recovered after being deleted. Is this the same problem you are having? If so, please let me know if you found a solution.

Paul
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top