Can't access recovered EFS encrypted files

Discussion in 'privacy technology' started by nettech98, Aug 18, 2016.

  1. nettech98

    nettech98 Registered Member

    Joined: Aug 18, 2016
    Posts: 3
    Location: NJ
    A corporate user's Windows 7 Enterprise HD crashed. Multiple PSTs were saved in an encrypted folder. A data recovery service was able to recover virtually all the data and provide it on a USB stick; however, the PSTs no longer think they're encrypted. They are not displayed in green, and do not have the Encrypt checkbox checked. They obviously were not decrypted by the service, but I need help in figuring out how to gain access to these files. If necessary I have the contents of the Crypto and Protect folders.
     
  2. oliverjia

    oliverjia Registered Member

    Joined: Jul 21, 2005
    Posts: 1,517
    EFS encryption is very dangerous. If the original Windows user account under which the EFS encryption was created is gone, there is no way to recover the encrypted files. BitLocker is a lot safer in this sense.
    Anyway, I don't think there is a way to recover these PST files. I mean, to decrypt them to a usable state.
     
  3. nettech98

    nettech98 Registered Member

    Joined: Aug 18, 2016
    Posts: 3
    Location: NJ
    It's an Active Directory user account, so in that sense the account still exists.
     
  4. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013
    Posts: 1,149
    Location: UK
    That's not completely true - what is the case, as with any encryption, is that you have to responsibly manage passwords, keys, headers, certificates recovery etc., otherwise you can indeed be locked out. That clearly includes managing user accounts and the retirement process (which would normally include making the account inactive). And you can have non-AD accounts on different machines with the same EFS certificate and able to read the same file. In the case of EFS it nags you to do the right thing regarding certificate management, and there is extensive advice on best practice in the corporate/enterprise space that the sys admin "should" have fixed up for the end user - EFS has the advantage of being pretty much invisible for the user like that.

    That said, I personally do not attempt to manage EFS certificates this way, it's a purely local arrangement for the account, and I don't really care if the local disk fails, because my backup is not tied to EFS.

    I confess I don't understand the OP to the extent that, provided the above applies and the user's EFS certificate is available, then it should be possible to decrypt the PST files as far as EFS is concerned - if the service decrypted other EFS files, then it would do the exact same thing to the PSTs, nothing special about them (we're not talking about Exchange here I assume). Of course, the user might have applied separate encryption on the PST files, but that's a different matter.
     
  5. nettech98

    nettech98 Registered Member

    Joined: Aug 18, 2016
    Posts: 3
    Location: NJ
    Part of the problem is that Windows no longer recognizes these files as encrypted. I don't know if that means that the encryption 'flag' got stripped off during the recovery (the files could not have been decrypted), or if something else is missing from the equation.
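
One way to test the question raised in the last post, as an added example that is not part of the original thread: check each recovered file for the NTFS Encrypted attribute, for the `!BDN` signature that begins an unencrypted PST, and for the near-random byte distribution expected of ciphertext. The function names, the 7.5 bits/byte threshold and the sample files are assumptions made for this sketch.

```python
import math
import os
import stat
import tempfile

PST_MAGIC = b"!BDN"  # first four bytes of an unencrypted Outlook PST/OST file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(path: str, sample_size: int = 65536) -> dict:
    """Classify one recovered file from its attributes and leading bytes."""
    st = os.stat(path)
    # st_file_attributes exists only on Windows; treat it as 0 elsewhere.
    attrs = getattr(st, "st_file_attributes", 0)
    efs_flag = bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    entropy = shannon_entropy(sample)
    if efs_flag:
        verdict = "efs-flag-set"  # NTFS still marks it; needs the user's EFS key
    elif sample.startswith(PST_MAGIC):
        verdict = "plaintext-pst"  # readable header: EFS is not the obstacle
    elif entropy > 7.5:  # assumed threshold; compressed data also scores high
        verdict = "likely-raw-ciphertext"  # flag gone, content still opaque
    else:
        verdict = "unknown"  # neither PST nor random-looking: maybe damaged
    return {"efs_flag": efs_flag, "entropy": round(entropy, 2), "verdict": verdict}

def demo() -> dict:
    """Run triage over two constructed sample files (not real recovery data)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        samples = {"plain.pst": PST_MAGIC + bytes(4096),
                   "opaque.pst": os.urandom(65536)}
        for name, content in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(content)
            results[name] = triage(p)["verdict"]
    return results

if __name__ == "__main__":
    print(demo())
```

A `likely-raw-ciphertext` verdict on a file without the Encrypted attribute is consistent with the flag having been lost while the contents stayed encrypted; it does not by itself prove the data is EFS ciphertext.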
     