RE: Decrypt File

From: Jason Normanton (netprouk_at_netprouk.com)
Date: 05/17/03

    To: <guanghuyang@yahoo.com.cn>
    Date: Sat, 17 May 2003 20:45:43 +0100
    
    

    Hi guys,

    There is a way around this with EFS if you have
    "accidentally" reinstalled the machine without saving the recovery agent. I
    have had to save lots of data this way:

    For a non-domain or domain member system:

    1. If the O/S has been re-installed, re-boot the machine into safe mode.
    2. In properties for the encrypted data, re-assign the new local admin account
       certificate to the files as the recovery agent and take ownership of the
       files.
    3. Reboot the machine as normal; the data will now be recoverable from the
       admin account.

    Regards,

    Jason Normanton
    Senior Consultant (Directory Services Security)
    http://www.Netprouk.com

    -----Original Message-----
    From: David Gillett [mailto:gillettdavid@fhda.edu]
    Sent: 15 May 2003 20:22
    To: 'James Yang'; security-basics@securityfocus.com

    > -----Original Message-----
    > From: James Yang [mailto:guanghuyang@yahoo.com.cn]
    > Sent: May 14, 2003 20:39
    > To: security-basics@securityfocus.com
    > Subject: Decrypt File
    >
    > My system had a problem yesterday. I backed up my files
    > and then reinstalled my W2K system. After I copied back my
    > files I found I couldn't open the encrypted files. How
    > can I open them? Could anyone give me a tip? Thanks.

      I'm assuming that by "encrypted" you mean you've been using
    EFS (Encrypted File System), and that by "reinstalled" you mean
    something like "did a clean format and brand new installation".

      EFS files can be decrypted and re-encrypted by the owner, or
    decrypted (only) by a designated recovery agent -- by default,
    the administrator account.
      If you did a clean installation, the new installation has its
    own administrator account and (probably) personal account for
    you. None of the accounts from the previous installation exists
    any more.

      I recommend, when people ask me, that EFS only be used in a
    *domain* context. That way, the default recovery agent is the
    domain administrator account, which will survive reinstalls of
    individual client machines, and even (if there are multiple
    domain controllers) reinstalls of any single domain controller.
      I do not recommend its use on single stand-alone machines,
    because if neither the owner nor recovery agent account exists
    any more, your third alternative is to try to convince the FBI
    that Al Qaeda has hidden data in your encrypted files -- allegedly
    they've cracked EFS (although I suspect that what they actually
    did in Afghanistan was crack the administrator password, and that
    won't help you now).

    David Gillett

    ---------------------------------------------------------------------------
    Thinking About Security Training? You Can't Afford Not To!

    Vigilar's industry leading curriculum includes: Security +, Check Point,
    Hacking & Assessment, Cisco Security, Wireless Security & more! Register
    Now!
    --UP TO 30% off classes in select cities--
    http://www.securityfocus.com/Vigilar-security-basics
    ----------------------------------------------------------------------------
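
An added example, not part of the thread: on a current Windows system with PowerShell, the owner and recovery-agent key pairs that the messages above describe can be exported before a reinstall, so that an account able to decrypt the files still exists afterwards. The backup path and the optional sample file are assumptions, and the export only succeeds for private keys marked exportable.

```powershell
# Added example: back up the current user's EFS / recovery-agent key pairs.
# Assumption: $BackupDir is removable or off-machine storage (hypothetical path).
param(
    [string]$BackupDir = 'E:\efs-backup',
    [string]$SampleFile            # optional: an encrypted file to inspect
)

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System EKU
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (recovery agent) EKU

function Get-EfsCertificate {
    # Certificates in the personal store whose EKU marks them as EFS or recovery certs
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $oids = $_.EnhancedKeyUsageList.ObjectId
        ($oids -contains $EfsOid) -or ($oids -contains $RecoveryOid)
    }
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No EFS or file-recovery certificate in the current user store.'
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$password = Read-Host -AsSecureString 'Password to protect the exported keys'

foreach ($cert in $certs) {
    if (-not $cert.HasPrivateKey) {
        # A certificate without its private key cannot decrypt anything
        Write-Warning "$($cert.Thumbprint): no private key in this profile, skipped."
        continue
    }
    $target = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $target -Password $password | Out-Null
    Write-Output "Exported $($cert.Thumbprint) (expires $($cert.NotAfter)) to $target"
}

if ($SampleFile) {
    # cipher /c lists the user and recovery certificates able to decrypt the file;
    # compare the thumbprints shown with the ones exported above.
    cipher /c $SampleFile
}
```

Keep the resulting .pfx files and their password off the machine that is about to be reinstalled.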


