Encyption Problem

Dear all,
I am in a very big trouble. I have delete an user account and I have two files database (2GB each) that have been encrypted. The only user I have now that is administrator cannot decrypt those files that are very important. I am wondering if there is some software that can decrypt the file. I have seen one that cost $150. Can anybody give me some help in this issue? Do you know a way that I can bypass the encryption even though I have lost the user account or do you know a good software that can decrypt it for me? Please answer, your help is greatly appreciate.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dynamik

How was it encrypted? EFS? If so, you're pretty much hosed.

No need to waste $150 on top of it. You won't be able to reverse that for decades (and that's a conservative estimate).

Essendon

dynamik wrote:

You won't be able to reverse that for decades (and that's a conservative estimate).

Aptly put.

royal

Is it an AD user? If so, I can think of 2 things:
1. ADRestore - http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx. ADRestore doesn't restore all attributes of the user but it may restore just enough to decrypt.
2. In an Active Directory domain, a Key Recovery Agent is required and the private key is stored in the Administrator profile on the first DC you promote. This is one important thing to note, always export this certificate and keep it very safe when you promote your first DC in case you ever demote it. You can take this certificate, put it on the client's computer, and you will be able to decrypt the file.

Another thing to note is if you manually deployed PKI, you may have (doubtful) requested that the Administrator get a EFS Recovery Agent certificate and distributed that out to all your clients which activates your clients to use that new certificate for the KRA for encrypting EFS. So you may need that certificate if you did all this which again, is doubtful.

If the system is a standalone workstation that is not a part of the domain, you'll need to use some other method such as the utility you found. But from what I've read, EFS is pretty much impossible to decrypt for a long long long time. So I'm not sure if the utility you found is for EFS, but doubtful.

Tontonsam

Thank for prompt answer. It was when I was demoting a server and It changed the administrator local user and I make this standalone server member of another domain. I need to recover those files cause it is very important. I want to give you the name of the software I found but don't know if I will be banned to the site. So, there's nothing I can do

royal

If it's a legitimate piece of software, which I would assume it is since it's a tool you would purchase, I would go ahead and post the name. I'm curious what tool it is.

So the system that had the files encrypted was part of the domain when you encrypted them? Go find your first DC that was ever promoted to a DC, grab the EFS recovery certificate, import it on your system, and you should still be able to decrypt the files.

dynamik

Was it a domain account? Had that user logged in at any other machine? I think that key is stored on any machine the user logs in at. It's stored in the user profile. Is the profile still on the disk?

Was that the last DC in the domain?

Tontonsam

The network had one DC that I have demoted. I created a domain in another server and make the server that i have demoted member in this domain. The server still keeps the user profile and this user is the local administrator. You will ask how could he change the local administrator profile, when i demote the server it asks me to give a password for the new local administrator. As the server keeps the old administrator profile, how I will find the key and how could i recovery it?
the name of the software is Advanced EFS Data Recovery.

royal

Try the following:
On the machine that contains the data, figure out which user encrypted the data and then find the profile which should contain the private key that was used to encrypt the data.

Create a new user and log in so the profile gets created.

Use moveuser.exe from the resource kit and copy the profile or move the profile in the system control panel or use something like forensit user profile migrator. Copy the profile to the newly created user's profile and allow the new user to use the profile.

After you have done so, you should have the certificate and have the private key in the profile. I would then try decrypting the data.

Tontonsam

Hi!
Excuse me for my answer very late. I had a long vacation. I tried what you suggest with a virtual machine. I create another user, encrypt a folder with the administrator account. Then, I copy the profile administrator to the new create user via control panel. But, when I log on to the another user to try to decrypt the folder, access is still denied. No way for this issue... I think.