To recover the files encrypted with EFS you need:
- data from $EFS and $DATA streams for each encrypted file;
- some of the user's profile directories (%APPDATA% stands for the application data directory of the user who encrypted the files, usually something like c:\users\mark\appdata\roaming):
  - %APPDATA%\Microsoft\Crypto (contains the RSA private keys)
  - %APPDATA%\Microsoft\SystemCertificates (contains the certificate files used to create the FEK for EFS)
  - %APPDATA%\Microsoft\Protect (contains DPAPI master keys)
- the password (or at least the SHA1 hash of the password) of the user
and some luck
Unfortunately I don't have a full solution that can be used by anyone to recover the keys, but I did some research that could help. If it's OK for you to send me some of the data I mentioned above, I hope I could help you.
First we need the contents of the %APPDATA% for that user and the contents of the $EFS alternate data stream of one of the encrypted files. Could you provide the data?
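An added example, not part of the original post: a check that a recovered copy of %APPDATA% actually contains the three kinds of key material listed above before any recovery attempt is made. It assumes the usual Windows sub-layout, which the post does not spell out (`Crypto\RSA\<SID>`, `Protect\<SID>\<GUID>`, `SystemCertificates\My\Certificates`); the function names and the sample tree are constructed for illustration.

```python
import re, tempfile
from pathlib import Path
SID = re.compile(r"^S-1-\d+(-\d+)+$")
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
THUMB = re.compile(r"^[0-9a-f]{40}$", re.I)

def _sub(root, *names):
    """Descend case-insensitively (the copy may sit on a case-sensitive FS)."""
    for name in names:
        if root is None or not root.is_dir():
            return None
        root = next((p for p in root.iterdir() if p.name.lower() == name.lower()), None)
    return root

def _files(d, pattern):
    ok = d is not None and d.is_dir()
    return sorted(p.name for p in d.iterdir() if p.is_file() and pattern.match(p.name)) if ok else []

def inventory_efs_material(appdata):
    """Report which of the post's three %APPDATA% directories hold usable data."""
    ms = _sub(Path(appdata), "Microsoft")
    report = {"certificates": _files(_sub(ms, "SystemCertificates", "My", "Certificates"), THUMB),
              "sids": {}, "missing": []}
    for key, pattern, path in (("rsa_keys", re.compile(""), ("Crypto", "RSA")),
                               ("master_keys", GUID, ("Protect",))):
        base = _sub(ms, *path)
        for d in (base.iterdir() if base is not None and base.is_dir() else []):
            if d.is_dir() and SID.match(d.name):
                entry = report["sids"].setdefault(d.name, {"rsa_keys": [], "master_keys": []})
                entry[key] = _files(d, pattern)
    # The RSA private key file is DPAPI-protected: it needs a master key of the same user.
    report["usable_sids"] = sorted(s for s, e in report["sids"].items()
                                   if e["rsa_keys"] and e["master_keys"])
    if not report["certificates"]: report["missing"].append("SystemCertificates")
    if not any(e["rsa_keys"] for e in report["sids"].values()): report["missing"].append("Crypto")
    if not any(e["master_keys"] for e in report["sids"].values()): report["missing"].append("Protect")
    return report

def demo():
    """Build a constructed sample profile copy (placeholder names) and inventory it."""
    root = Path(tempfile.mkdtemp()) / "Roaming"
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID
    for rel in (f"Microsoft/Crypto/RSA/{sid}/constructed_key_container",
                f"Microsoft/Protect/{sid}/Preferred",   # pointer file only, no GUID master key
                "Microsoft/SystemCertificates/My/Certificates/" + "AB" * 20):
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"")
    return inventory_efs_material(root)
```

In the constructed sample the `Protect` directory exists but holds only the `Preferred` file, so the report lists `Protect` as missing and no SID as usable.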