How to recover/decrypt my encrypted files, or recover my private key?. Same comp


9 replies to this topic

#1 Mark7968

  • Members

Posted 25 August 2015 - 10:34 AM

On the 22nd of this month, my computer shut down when I was away. I still have no idea whether it shut down by itself or it was a power cut. 
 

But when I reached it and started the PC, I found all the apps and user data missing. Nothing was configured as before: no shortcuts, and none of the applications that I own had its configuration.
I had to finish work and had to have my user account's configured files as before. So I made a local account, deleted my Microsoft user account, then re-added it: same Microsoft account, same email, same password. I thought it would sync everything and everything would be fixed (it didn't). In that rush, when asked by Windows (while deleting my user account) whether to delete the user data or keep it, I, like, instantly chose to delete the data.
What was more disastrous, as I soon realised, is that I didn't take caution about my encrypted files. Later I couldn't manage to access any of my Windows-encrypted files at all; my life is in those files.
All encrypted files are under the sword of just a private key or a certificate or whatever Windows is saying; I can't figure anything out anymore.
I tried to remember whether I might have backed up a key somewhere (I still don't know whether it's this relevant key or another one).
I searched for it and found the key. It seems recent, though I found it inside an already encrypted folder, which in turn made the key file itself encrypted too; it seems that I backed up the key to an already encrypted folder.
 

Now everything seems horrendous. Those files are literally my life; without them I'm... I don't know what to say. These encrypted files are my life, my work and my family; I am seeking any help that could aid in recovering anything.
The Microsoft account is the same I always used and it has the computer name linked to it. 

A few caveats could have led to that, so I would add a few more clarifications.

 

  1. The night that I left my computer and went away, I was, for no reason other than feeling anxious and worried about the constant Windows 10 crashes/bugs since my upgrade, decrypting all my files on the disk (I hope it did that earlier). Because it showed that it would take a long time, I left the computer doing it for the whole night, and the next morning I found it shut down, as I said earlier.
  2. Since the problem occurred, I have managed to recover as much deleted data as I could. There are many files; some are from the user folders in the Windows Users folder.
  3. By going to the machine certificates, I managed to recover all the available certificates, even the one that has the same thumbprint.
  4. Another thing to mention (I don't know whether it would help or not) is that before upgrading to Windows 10 I was using a local account, and when I made a new user with my Microsoft account (Outlook email address), the user name for the user profile was named after the first few letters of my email address. I wanted to change that to the usual user name that I always used, so I went and renamed the user (first few letters of my email address) to what I wanted, from 'Computer Management'.

I wish someone had a real technical solution. I have been doing everything I know since the problem occurred, but it all boils down to my own limited knowledge.
Any legal procedures needed will be taken immediately. I have nothing more important than to recover my files.


Edited by Mark7968, 25 August 2015 - 10:38 AM.



 


#2 hamluis

  • Moderator


Posted 25 August 2015 - 11:10 AM

If I'm understanding correctly...you normally encrypt files on your system?

 

By what method?

 

Louis



#3 Mark7968

  • Topic Starter
  • Members


Posted 25 August 2015 - 11:19 AM

> If I'm understanding correctly...you normally encrypt files on your system?
>
> By what method?
>
> Louis

No, not normally. But I'll say that I didn't take any caution that anything could happen under Windows, and I was easy on encryption as if it's a normal property of a file.
It's the basic Windows file encryption, EFS.



#4 hamluis

  • Moderator


Posted 25 August 2015 - 12:08 PM

See NOTE at http://windows.microsoft.com/en-us/windows/what-is-encrypting-file-system#1TC=windows-7 .

 

Louis



#5 Mark7968

  • Topic Starter
  • Members


Posted 25 August 2015 - 02:12 PM

I read it, but I can't get what you are trying to say. Would you clarify more?

I'm on Windows 10 actually, later was on 8.1.



#6 mgrzeg

  • Members


Posted 28 August 2015 - 07:06 AM

Are you an administrator of your system and have full access to the computer?

 

m.g.



#7 Mark7968

  • Topic Starter
  • Members


Posted 28 August 2015 - 07:32 AM

> Are you an administrator of your system and have full access to the computer?
>
> m.g.

Yes I'm the administrator and have full access.

It's my personal home computer.

I still have it un-formatted, so same machine name, and I have recovered the deleted data from my user folder that I deleted.

Update#: At the moment, I'm trying to put the same folder back again, but although the user is made with my Microsoft account, meaning it has the same user name, it keeps suffixing any user I create with the machine name, so I'm currently unable to, or don't know how I could, refit my old user folders into the new one.



#8 mgrzeg

  • Members


Posted 28 August 2015 - 07:52 AM

To recover the files encrypted with EFS you need:

- data from the $EFS and $DATA streams for each encrypted file;

- some of the user's profile directories (%APPDATA% stands for the application data directory of the user who encrypted the files, usually something like c:\users\mark\appdata\roaming):

 %APPDATA%\Microsoft\Crypto (contains the RSA private keys)

 %APPDATA%\Microsoft\SystemCertificates (contains the certificate files used to create the FEK for EFS)

 %APPDATA%\Microsoft\Protect (contains DPAPI master keys)

- the password (or at least the SHA1 hash of the password) of the user

and some luck :)

Unfortunately I don't have a full solution that can be used by anyone to recover the keys, but I did some research that could help. If it's OK for you to send me some of the data I mentioned above, I hope I could help you.

First we need the contents of %APPDATA% for that user and the contents of the $EFS alternate data stream of one of the encrypted files. Could you provide the data?

 

m.g.
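
A way to check whether the three profile directories listed in the post above survived an undelete, shown as an added example that is not part of the original thread or the poster's own tooling. It assumes the usual per-user layout (`Crypto\RSA\<SID>`, `Protect\<SID>\<GUID>`, `SystemCertificates\My\Certificates\<thumbprint>`); the function names and the sample tree are constructed for illustration, and the check does not cover the $EFS stream or the password.

```python
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")      # user SID directory name
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)  # DPAPI master key file
THUMB_RE = re.compile(r"^[0-9a-f]{40}$", re.I)   # SHA-1 certificate thumbprint

def _files(folder, pattern=None):
    """Names of non-empty files in folder; undelete tools often return 0-byte files."""
    if not folder.is_dir():
        return []
    return sorted(f.name for f in folder.iterdir() if f.is_file() and f.stat().st_size > 0
                  and (pattern is None or pattern.match(f.name)))

def _sids(folder):
    return {d.name for d in folder.iterdir() if SID_RE.match(d.name)} if folder.is_dir() else set()

def inventory(roaming):
    """Per user SID, list which recovery material exists under a recovered %APPDATA%."""
    ms = Path(roaming) / "Microsoft"
    rsa, protect = ms / "Crypto" / "RSA", ms / "Protect"
    certs = _files(ms / "SystemCertificates" / "My" / "Certificates", THUMB_RE)
    report = {}
    for sid in sorted(_sids(rsa) | _sids(protect)):
        keys = _files(rsa / sid)
        masters = _files(protect / sid, GUID_RE)
        report[sid] = {"rsa_keys": keys, "master_keys": masters, "certificates": certs,
                       "all_present": bool(keys and masters and certs)}
    return report

def build_sample(root):
    """Constructed sample tree: one intact SID, one whose master key came back empty."""
    ms = Path(root) / "Microsoft"
    good, bad = "S-1-5-21-1111-2222-3333-1001", "S-1-5-21-1111-2222-3333-1002"
    layout = {
        f"Crypto/RSA/{good}/keycontainer_constructed": b"\x01",
        f"Protect/{good}/0f0e0d0c-1111-2222-3333-444455556666": b"\x01",
        f"Crypto/RSA/{bad}/keycontainer_constructed": b"\x01",
        f"Protect/{bad}/0f0e0d0c-1111-2222-3333-444455557777": b"",  # recovered as 0 bytes
        "SystemCertificates/My/Certificates/" + "AB" * 20: b"\x01",
    }
    for rel, data in layout.items():
        (ms / rel).parent.mkdir(parents=True, exist_ok=True)
        (ms / rel).write_bytes(data)
    return good, bad

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(inventory(tmp))
```

Run `inventory()` against a copy of the recovered roaming folder, never the original disk; a SID with `all_present` false is missing at least one of the three kinds of material.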



#9 Mark7968

  • Topic Starter
  • Members


Posted 29 August 2015 - 08:34 AM

> To recover the files encrypted with EFS you need:
>
> - data from the $EFS and $DATA streams for each encrypted file;
>
> - some of the user's profile directories (%APPDATA% stands for the application data directory of the user who encrypted the files, usually something like c:\users\mark\appdata\roaming):
>
>  %APPDATA%\Microsoft\Crypto (contains the RSA private keys)
>
>  %APPDATA%\Microsoft\SystemCertificates (contains the certificate files used to create the FEK for EFS)
>
>  %APPDATA%\Microsoft\Protect (contains DPAPI master keys)
>
> - the password (or at least the SHA1 hash of the password) of the user
>
> and some luck :)
>
> Unfortunately I don't have a full solution that can be used by anyone to recover the keys, but I did some research that could help. If it's OK for you to send me some of the data I mentioned above, I hope I could help you.
>
> First we need the contents of %APPDATA% for that user and the contents of the $EFS alternate data stream of one of the encrypted files. Could you provide the data?
>
> m.g.

Hi m.g.
I could provide the %APPDATA%, but the others, the %EFS & %data, I don't know how to get them! I'm seeing how this could be done at the moment, so that I'd send them too.

Where would you want to receive the files?

And regarding the nature of those files, how are you gonna provide me a solution while not on my computer?

Thanks m.g.,



#10 mgrzeg

  • Members


Posted 08 September 2015 - 11:38 AM

Hi,

 

Sorry for the silence, I hope I can still help you.

To access the data from the NTFS attributes you can use TSK (The Sleuth Kit) [LINK]. Use mmls.exe, fls.exe, istat.exe and icat.exe to access the data. Unfortunately I can't provide you a full description of the process, but you can look at my blog entry (sorry, in Polish :((() and try to do it yourself [LINK].

As for the files - you can use 7-zip to compress them with some arbitrary password and then upload the .zip (.7z) file to Dropbox, zippyshare.com or OneDrive and give the link in the answer, but send the password as a private message.

As I said before, I don't have a full easy-to-use solution, so I can't provide you a simple tool. I hope we'll be able to recover the RSA keys and then try to decrypt all data. I've described the whole process in detail on my blog, so it's possible to do it by yourself, but you'll have to create some tools... (see: [PART1], [PART2] and [PART3]).

 

m.g.





