
    De-crypt EFS Files

    • Texkonc

      EFS wasn't set up with GPO for the whole domain, it was done by user alone. Single machine.
      Can't export the private key..... This is in the default domain policy. No other machines have encrypted files, this is just there for recovery.
      I am logged into the old DC as the said user in the screenshot and trying to decrypt data the user put on a shared drive that it was copied off of, still get access denied.
      [screenshot]

      • scottalanmiller

        Fail

        • dbeato @Texkonc

          @texkonc Not good, I tried helping by SW but obviously the failure to have the private key will be limiting..., can you join the computer back to the old domain for the time being?

          • Dashrender @Texkonc

            @texkonc said in De-crypt EFS Files:

            EFS wasn't set up with GPO for the whole domain, it was done by user alone. Single machine.
            Can't export the private key..... This is in the default domain policy. No other machines have encrypted files, this is just there for recovery.
            I am logged into the old DC as the said user in the screenshot and trying to decrypt data the user put on a shared drive that it was copied off of, still get access denied.

            I would expect this to fail. From your description, the user set up encryption on their own system. They then placed those encrypted files onto the server share. The server knows nothing about the encryption, and wouldn't have a reason to have the key since the user did it completely locally, not at a domain level.

            • scottalanmiller @Dashrender

              @dashrender said in De-crypt EFS Files:

              I would expect this to fail. From your description, the user set up encryption on their own system. They then placed those encrypted files onto the server share. The server knows nothing about the encryption, and wouldn't have a reason to have the key since the user did it completely locally, not at a domain level.

              I agree. This is a system whose sole purpose is to prevent recovery in this situation. If you CAN recover, it will have made the encryption totally pointless from the get go.

              • Obsolesce

                That's why, in a Windows domain environment, the System Administrator should have properly set up an EFS recovery certificate.

                This way, any domain user who encrypts something can get it decrypted with that EFS recovery certificate (which should be stored in a locked place for when needed).

                It can be very useful in cases where a user encrypts something and has no idea how it works and never backs up their key, or the IT department doesn't know about the encrypted files and re-images or trashes the computer before backing up the user's key.

                Everyone with a Windows domain should have some type of EFS recovery certificate set up if their policy allows it to be done, and that recovery key should be carefully managed.

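An added example, not part of any post in this thread: a pre-migration check for the situation discussed above, run as the user who owns the files. It counts EFS-encrypted files, shows which certificates are stamped on a sample of them, and backs up the user's EFS key before a profile is moved or a machine re-imaged. `$Root` and `$BackupDir` are assumed placeholder paths.

```powershell
# Added example: run as the file owner before a profile migration or re-image.
param(
    [string]$Root      = 'C:\Users\Public\Documents',  # assumed folder to audit
    [string]$BackupDir = 'E:\efs-key-backup'           # assumed offline/removable target
)
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage OID

# 1. Files carrying the NTFS Encrypted attribute, which is what EFS sets.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
Write-Output ("{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $Root)

# 2. For a sample of them, show which certificates are stamped on the file.
#    On English Windows, cipher /c lists "Users who can decrypt" and
#    "Recovery Certificates"; a recovery agent configured after the file was
#    encrypted is not on the file until `cipher /u` updates it.
$encrypted | Select-Object -First 3 | ForEach-Object { cipher /c $_.FullName }

# 3. This user's EFS certificates and whether the private key is actually present.
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku })
$efsCerts | Format-Table Thumbprint, NotAfter, HasPrivateKey -AutoSize
if ($encrypted.Count -gt 0 -and $efsCerts.Count -eq 0) {
    Write-Warning 'Encrypted files exist but no EFS certificate is in this profile.'
}

# 4. Back up every certificate that has a private key to a password-protected PFX.
$withKey = @($efsCerts | Where-Object HasPrivateKey)
if ($withKey.Count -gt 0) {
    $pw = Read-Host -AsSecureString 'PFX password'
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($c in $withKey) {
        $pfx = Join-Path $BackupDir ("efs-{0}.pfx" -f $c.Thumbprint)
        try {
            Export-PfxCertificate -Cert $c -FilePath $pfx -Password $pw -ErrorAction Stop | Out-Null
            Write-Output "Exported $pfx"
        } catch {
            # Typically a key marked non-exportable; recovery then depends on a recovery agent.
            Write-Warning "Could not export $($c.Thumbprint): $($_.Exception.Message)"
        }
    }
}
```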
                • Texkonc

                  I have tried many different methods today logging her machine into the old domain, the program that was used ProfWiz, moved the certs I was able to copy them back. Still no luck after many tries.

                  • scottalanmiller

                    I really think that this is a lost cause. If there was any path to recovery, Microsoft's EFS would be all in the news for having been completely broken.

                    • Dashrender @Texkonc

                      @texkonc said in De-crypt EFS Files:

                      I have tried many different methods today logging her machine into the old domain, the program that was used ProfWiz, moved the certs I was able to copy them back. Still no luck after many tries.

                      Boy this data must be worth a fortune. Considering your wage and the amount of time you've spent on it.

                      • scottalanmiller @Dashrender

                        @dashrender said in De-crypt EFS Files:

                        Boy this data must be worth a fortune. Considering your wage and the amount of time you've spent on it.

                        And they are considering things like $300 software that will require a dedicated server farm to run for years!! Imagine the cost!

                        • Dashrender @scottalanmiller

                          @scottalanmiller said in De-crypt EFS Files:

                          And they are considering things like $300 software that will require a dedicated server farm to run for years!! Imagine the cost!

                          Toss it in AWS, still be hugely expensive, but throw thousands of servers at it for a few hours/day/months/years 😛

                          • scottalanmiller @Dashrender

                            @dashrender said in De-crypt EFS Files:

                            Toss it in AWS, still be hugely expensive, but throw thousands of servers at it for a few hours/day/months/years 😛

                            That would be WAY more expensive.

                            • Dashrender @scottalanmiller

                              @scottalanmiller said in De-crypt EFS Files:

                              That would be WAY more expensive.

                              it should also be WAY more faster. 😛

                              • scottalanmiller @Dashrender

                                @dashrender said in De-crypt EFS Files:

                                it should also be WAY more faster. 😛

                                How? Logically it would be way slower.

                                • Dashrender @scottalanmiller

                                  @scottalanmiller said in De-crypt EFS Files:

                                  How? Logically it would be way slower.

                                  eh? throwing massively parallel computing at it? Maybe AWS was the wrong tech - I mean whatever term is needed to mean massively parallel processing.

                                  • scottalanmiller @Dashrender

                                    @dashrender said in De-crypt EFS Files:

                                    eh? throwing massively parallel computing at it? Maybe AWS was the wrong tech - I mean whatever term is needed to mean massively parallel processing.

                                    That would be local hardware with big GPU cards.

                                    • Reid Cooper

                                      Did you end up trying out some decryption software?

                                      • Texkonc @Reid Cooper

                                        @reid-cooper said in De-crypt EFS Files:

                                        Did you end up trying out some decryption software?

                                        I did what I could, got some recovered, but not all. Left detailed notes in the ticket while I'm at spiceworld, they (other techs) have a little under a week to get the rest recovered while I'm gone.

                                        • Texkonc

                                          But no software was used yet.

                                          • Reid Cooper

                                            How did you recover what you managed to get?
