Advanced EFS Data Recovery (AEFSDR)

Advanced EFS Data Recovery (or simply AEFSDR) is a program to recover (decrypt) files encrypted on NTFS (EFS) partitions created in Windows 2000, Windows XP and Windows Server 2003. Files can be decrypted even when the system is not bootable (so you cannot log on) and/or some encryption keys (private or master keys) have been tampered with. Decryption is also possible when Windows is protected with SYSKEY. AEFSDR effectively (and instantly) decrypts files protected under Windows Server 2003 (Standard and Enterprise), Windows XP (including Service Pack 1) and all versions of Windows 2000 (including Service Packs 1, 2, 3 and 4).

Requirements:
· Windows NT 4.0, Windows 2000, Windows XP or Windows Server 2003
· Administrator privileges (for direct disk access)

Known problems and limitations:
· The program can decrypt protected files only if the encryption keys (at least some of them) still exist on the system and have not been tampered with.
· Only Basic (but not Dynamic) NTFS partitions are supported.
· For files encrypted on Windows 2000, if the Account Database Key (SYSKEY) is stored on a floppy disk, or if the Password Startup option has been set, you must know or have one of the following to decrypt the files:
· the startup password or the startup floppy disk
· the password of the user who encrypted the files
· the password of the Recovery Agent (if one is available)
· If the password of the user who encrypted the files has been changed since encryption, you may need to enter the old password into the program.
· If the files were encrypted under Windows XP (with or without SP1) or Windows Server 2003, the password of the user who encrypted the files (or of a Recovery Agent) is needed for decryption.
· The program has been tested only on files encrypted on U.S. versions of Windows; if any other (international) version was used, correct operation is not guaranteed.

The Encrypting File System (EFS) that is included with the Windows 2000, Windows XP and Windows Server 2003 operating systems provides the core file encryption technology to store NTFS files encrypted on disk. EFS particularly addresses security concerns raised by tools available on other operating systems that allow users to physically access files from an NTFS volume without an access check.

Security features such as logon authentication or file permissions protect network resources from unauthorized access. However, anyone with physical access to a computer such as a stolen laptop can install a new operating system on that computer and bypass the existing operating system's security. In this way, sensitive data can be exposed. Encrypting sensitive files by means of EFS adds another layer of security. When files are encrypted, their data is protected even if an attacker has full access to the computer's data storage.

Only authorized users and designated data recovery agents can decrypt encrypted files. Other system accounts that have permissions for a file — even the Take Ownership permission — cannot open the file without authorization. Even the administrator account cannot open the file if that account is not designated as a data recovery agent. If an unauthorized user tries to open an encrypted file, access is denied.

Benefits of EFS

EFS allows users to store confidential information on a computer when people who have physical access to that computer could otherwise compromise the information, intentionally or unintentionally. EFS is especially useful for securing sensitive data on portable computers or on computers shared by several users. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs). In a shared system, an attacker can gain access by starting up a different operating system. An attacker can also steal a computer, remove the hard drive(s), place the drive(s) in another system, and gain access to the stored files. Files encrypted by EFS, however, appear as unintelligible characters when the attacker does not have the decryption key.

Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When users open a file, it is decrypted by EFS as data is read from disk. When they save the file, EFS encrypts the data as it is written to disk. Authorized users might not even realize that the files are encrypted because they can work with the files as they normally do.

In its default configuration, EFS enables users to start encrypting files from My Computer with no administrative effort. From the user's point of view, encrypting a file is simply a matter of setting a file attribute. The encryption attribute can also be set for a file folder. This means that any file created in or added to the folder is automatically encrypted.

How EFS Works

1. EFS uses a public-private key pair and a per-file encryption key to encrypt and decrypt data. When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data. The FEK is encrypted with the user's public key, and the encrypted FEK is then stored with the file.
2. Files can be marked for encryption in a variety of ways. The user can set the encryption attribute for a file by using Advanced Properties for the file in My Computer, by storing the file in a file folder set for encryption, or by using the Cipher.exe command-line utility. EFS can also be configured so that users can encrypt or decrypt a file from the shortcut menu accessed by right-clicking the file.
3. To decrypt files, the user opens the file, removes the encryption attribute, or decrypts the file by using the cipher command. EFS decrypts the FEK by using the user's private key, and then decrypts the data by using the FEK.
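As an added illustration of the key hierarchy in steps 1 and 3 (example code written for this page, not part of AEFSDR or the original manual), the Go program below builds an EFS-style file whose per-file FEK is wrapped for both the encrypting user and a Recovery Agent, then checks who can read it. AES-GCM and RSA-OAEP are assumed stand-ins for EFS's own algorithms and the layout is not the real on-disk format; the holder names are the ones from the User column example later on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile models an EFS-protected file: FEK-encrypted contents plus wrapped FEK copies.
type EncryptedFile struct {
	Body    []byte            // nonce || contents encrypted with the FEK
	WrapFEK map[string][]byte // holder name -> FEK wrapped with that holder's public key
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// EncryptFile generates a fresh FEK, encrypts the contents with it, and wraps the FEK
// with every holder's public key (the user's entry plus one per Recovery Agent).
// AES-GCM and RSA-OAEP are assumed stand-ins; this is not EFS's own format or algorithms.
func EncryptFile(plain []byte, holders map[string]*rsa.PublicKey) *EncryptedFile {
	fek := make([]byte, 32)
	rand.Read(fek)
	g := gcm(fek)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	ef := &EncryptedFile{Body: g.Seal(nonce, nonce, plain, nil), WrapFEK: map[string][]byte{}}
	for name, pub := range holders {
		ef.WrapFEK[name], _ = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
	}
	return ef
}

// DecryptFile unwraps the FEK with the holder's private key; any other key fails right here.
func DecryptFile(ef *EncryptedFile, holder string, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrapFEK[holder], nil)
	if err != nil {
		return nil, err
	}
	g := gcm(fek)
	return g.Open(nil, ef.Body[:g.NonceSize()], ef.Body[g.NonceSize():], nil)
}

// Scenario: can the user, the Recovery Agent, and an unrelated administrator read the file?
func Scenario() (userOK, raOK, adminOK bool) {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	ra, _ := rsa.GenerateKey(rand.Reader, 2048)
	admin, _ := rsa.GenerateKey(rand.Reader, 2048) // holds only his own key pair
	secret := []byte("constructed sample file contents") // constructed sample input
	ef := EncryptFile(secret, map[string]*rsa.PublicKey{"John Doe": &user.PublicKey, "Ivan Ivanov": &ra.PublicKey})
	p1, e1 := DecryptFile(ef, "John Doe", user)
	p2, e2 := DecryptFile(ef, "Ivan Ivanov", ra)
	_, e3 := DecryptFile(ef, "John Doe", admin) // wrong private key for the user's entry
	return e1 == nil && string(p1) == string(secret), e2 == nil && string(p2) == string(secret), e3 == nil
}

func main() {
	u, r, a := Scenario()
	println("user:", u, "recovery agent:", r, "administrator:", a)
}
```

The administrator fails at the FEK unwrap even though nothing stops him from reading the raw file bytes, which is exactly why AEFSDR needs the user's or Recovery Agent's key material rather than just disk access.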

There are three typical scenarios of AEFSDR usage:

· You want to decrypt files from the disk(s) you boot the operating system from, and you have Administrator privileges in the system. However, some certificates are corrupted (so the "standard" methods available in the operating system don't work), or some files have been encrypted by other users (and their passwords are not known).
· For some reason, you cannot load the operating system, or you don't have Administrator privileges in it.
· You have got a disk (with encrypted files) from an 'alien' system.

In the first case, no additional steps (prior to AEFSDR installation and usage) are required. If you cannot boot from the disk with the encrypted files, simply install it as an additional disk in any system with Windows NT/2000/XP installed where you have Administrator privileges (in the second case, you will have to detach the disk from the 'dead' system, of course).

Now you can use AEFSDR. The program does the following:
· Decrypts (or tries to decrypt) all private keys available on the system.
· Finds encrypted files on the selected partition(s) and decrypts (or tries to decrypt) their File Encryption Keys (FEKs) with those private keys.
· Decrypts the files with the FEKs recovered in the previous step.

Wizard mode guides you through all the steps described in the How EFS works section. Typically, they are:
· Select logical disk(s) to scan for keys (by default, all disks are checked)
· Add user name(s) and password(s) to decrypt the keys
· Select logical disk(s) to scan for encrypted files (by default, all NTFS disks are checked)
· Select files to decrypt

At any time, you can switch to Expert mode by pressing the button on the wizard screen; your current results (the keys or files that have been found) will not be lost. You can also uncheck the Show wizard at startup option while the wizard is running; that will not terminate the wizard itself, but the next time the program will start in Expert mode.

Press the Back and Next buttons to navigate through the wizard; for example, you may wish to return to one of the previous steps to scan another disk (one that has not been scanned yet) for keys or files, or to add more passwords if some or all keys have not been decrypted.

Always start using the program by scanning for encryption keys. On the EFS related files tab, press the Scan for keys button (or select the Scan | Scan for keys menu item, or press the Scan for keys button on the toolbar); the program will show the list of (local) logical disks, along with their sizes and file systems.

Here, you have to select the boot disk, i.e. the one the operating system is (or was) loading from, and so where the system Registry and encryption keys are located. In some cases, however, the encryption keys are located on another disk, so if you are not sure, you can select multiple disks for scanning.

Note the Hide scanning disks option at the bottom: if it is enabled (default) and you have already scanned some disk(s) during the current program session, those disk(s) will not be shown in that window, since all keys from them have already been found. If you still wish to see (and select from) all the disks available in the system, uncheck this option.

On pressing the Select button, the program scans the given disk(s), trying to find all files needed for further decryption of your data.

SYSKEY protection

The most frequent reason for being unable to decrypt the keys is SYSKEY protection. It is a feature of Windows 2000/XP that uses a startup key to encrypt the Security Accounts Manager, the repository of password information (which AEFSDR uses to decrypt the encryption keys). There are three possible SYSKEY options:

Password Startup. The password is needed to unlock the startup key each time the computer is started.

Store Startup Key On Floppy Disk. SYSKEY generates a new startup key and stores it on a floppy disk. This floppy disk must be inserted each time you start the computer.

Store Startup Key Locally. This is the default setting. By storing the startup key on the local hard disk, Windows can access it during startup without further intervention.

AEFSDR should work just fine if the last (default) option was used on the system you got the disk (with encrypted files) from. But if the startup key is (or was) stored on a floppy disk, or Password Startup was selected, the program simply will not be able to decrypt some keys.

A workaround exists, however, if you know the (logon) password of the user who encrypted the file(s), or the password of the Recovery Agent. Press the Add user password button, and enter the user name and password; note that you can add more than one name/password, and after each one is added, AEFSDR tries to decrypt all keys listed on that tab; on success, the color changes from red to green. Alternatively, you can use the Add password from dictionary option and load a password list from a text file. That file should contain only the passwords, one per line, without user names (which do not actually matter). It is not recommended to use large wordlists (more than a few hundred entries), especially on Windows XP or Windows Server 2003, since that will really slow down the decryption.

Alternatively, if you have the floppy disk with the startup key, or know the startup password, you can add them to the program by pressing the Add SYSKEY button. You can add multiple passwords or keys using that feature (but one at a time). Please note, however, that after adding a SYSKEY you will have to re-scan for encryption keys.

Password has been changed after encryption

After you change your domain password, you may receive an error message when you try to gain access to protected data. This problem occurs because the protected data is encrypted using a hash that is based on your password. When you change your password on the domain, the data is not re-encrypted with the new password until you first access the data. If you try to access the data for the first time while you are disconnected from the domain, the domain controller cannot be contacted. Therefore, the data cannot be accessed and re-encrypted with the new password.

The recovery policy provides for a person to be designated as the recovery agent. A default local recovery policy is automatically created when an administrator account logs on to the computer for the first time. When this process occurs, that administrator becomes the default recovery agent. In some situations, the first administrator to log on to Windows 2000 is not the local administrator account.

If the local administrator is the default recovery agent for your data, AEFSDR will work properly. If not (as described in the article mentioned above), you will have to add user passwords to decrypt the keys (see above).

Windows XP, Windows XP SP1, Windows XP SP2, Windows Server 2003

For files encrypted on Windows XP, the SYSKEY mode does not matter at all, because the encryption keys do not rely on SYSKEY. That means that for XP-encrypted files you always have to add the password(s) of the users who encrypted the files, or of the Recovery Agent(s).

Backup/restore decrypted keys

When encryption keys (and other EFS-related data) have been found and decrypted by the program, it is recommended to save them for future use, to avoid scanning the disk again or in case some data is tampered with later. Press the Backup data button in AEFSDR and select the file name to save what you have recovered. The next time you use AEFSDR, you'll be able to get all the keys back by pressing the Restore data button, instead of scanning the disk again, adding user passwords, etc.

When all the keys (or at least some of them) have been found and decrypted, you're ready to decrypt your data, i.e. the files. If you already know which files are encrypted and where they are located, skip this step and go directly to the Browse for encrypted files chapter.

Otherwise, switch to the Encrypted files tab in AEFSDR. There, press the Scan for encrypted files button (or select the Scan | Scan for encrypted files menu item, or press the Scan for encrypted files button on the toolbar); the program will prompt you to select the disk(s) to look for encrypted files on, in about the same way as when you scanned for encryption keys, but only NTFS disks will be listed (because the Encrypting File System is available on NTFS only).

Check all disks you want to scan, and press the Start Scan button. Please note that if the selected disks are large and contain many files, this process may take several minutes or even hours. As the program finds encrypted files, it immediately adds them to the main window, and at the end of the scan you should have a complete list of encrypted files: file name (with full path), size in bytes, and modification date.

The last column (User) looks like the following:

John Doe, RA: Ivan Ivanov

The first name ("John Doe" in this example) is the name of the user who encrypted the file; the names after RA are the Recovery Agents ("Ivan Ivanov"), if any exist.

As with encryption keys, all files in this list are marked green or red, depending on whether the file can be decrypted or not (the counters are also shown, in brackets). If some files (the ones you need) cannot be decrypted, you have to scan for encryption keys again (e.g. on a different partition, and/or add user passwords or a SYSKEY). For files encrypted on Windows XP, you always have to add user passwords; otherwise the keys (and so the files) cannot be decrypted at all.

When all encrypted files have been found, you can decrypt them. In addition to the number of Decryptable and Not decryptable files, the program also shows the total size of the files selected for decryption.

If you already know where the encrypted files are (and what their names are), switch to the File tree tab in the program. It looks like a standard Windows Explorer window: the disk/folder tree is on the left (note: only NTFS partitions are listed), and the right pane shows the list of files in the selected folder.

When you select a folder on the left, AEFSDR starts filling the right pane with file names. Encrypted files are first marked in blue; the program then analyzes in the background whether each of these files can be decrypted with the recovered keys and marks it green or red, respectively. Select the one to be decrypted and press the Add file into list button, and the file will be added to the list on the Encrypted files tab. Repeat this step for all the files you need, and you're ready for decryption.

Note: when you access this tab (File Tree) for the first time after starting the program, the program may "freeze" for a few seconds; this is normal. It just enumerates all logical disks in the system, analyses the file systems and builds the folder/file tree. However, if the program still does not respond after a few minutes, please terminate it (using Task Manager, called via CTRL-ALT-DEL), restart it, turn logging on (see Program options for details), switch to the File Tree tab again and terminate it again. A log file will be created; send it to us (the log file can be large, so please compress it with ZIP or RAR before sending) and we'll investigate the problem and do our best to provide you with a quick fix.

Once you have a complete list of encrypted files (created as described in the Scan for encrypted files and Browse for encrypted files chapters), and after the keys have been successfully recovered, you can start the decryption process.

First, you have to select the files to be decrypted on the Encrypted files tab. All files listed there have check boxes to the left of their names, and you have to mark the ones for decryption. You can do that one by one, or use the Select all, Unselect all and Reverse selection buttons in the bottom-right corner of the window. As noted in the previous chapters, only files marked green can be decrypted, so the program will not allow you to select the red ones. You can also use the Remove from list button to remove the selected file(s) from that page.

When the files are selected, press the Decrypt button on the right (or the Decrypt files button on the toolbar). AEFSDR will prompt you for the disk/folder to save the files to. Under that folder, the program creates sub-folders named AEFSDR_X_DECRYPTED, where 'X' is the drive letter of the partition you're decrypting the files from; the complete path (where the source file was located) is reconstructed under this (AEFSDR) sub-folder. Decryption itself is a relatively slow process, so please be patient (the program shows a progress bar and the names of the files being decrypted).

It is strongly recommended to save (decrypt) files to an NTFS partition only, because FAT and FAT32 partitions have many limitations compared to NTFS, so saving some particular files to a non-NTFS partition may fail or give unexpected results.

Note: the unregistered (trial) version of AEFSDR decrypts only the first 512 bytes of each file, padding the rest of the content with zeros (see Registration to learn how to get the fully functional version). Even with the full version, please verify that all files have been decrypted successfully before deleting the original (encrypted) files.

Log file

Use this option if something goes wrong, e.g. the program fails to scan a selected partition, or some files have not been decrypted. Simply type a file name (you can use the Browse button) to save debug information to, and choose one of the following options from the combo box:

· Disabled
· Overwrite the existing file
· Overwrite the existing file (Debug)
· Append to the existing file
· Append to the existing file (Debug)

Our technical support may ask you to send us the log file to locate and fix problems. The debug log is much more detailed (and so more useful when the problem is hard to fix), but it can be really large (up to a few megabytes).

You can also force debug mode with the -debug_log command-line switch, by running the program as:

aefsdr.exe -debug_log

In that case, the aefsdr.log file will be created in the root folder of disk C. That can be useful if the program does not even start on your machine: run it as described above and send us the log file so we can locate and fix the problem.

You can also set the maximum size of the log file (in megabytes); on reaching the limit, the program stops writing to it. Set this option to zero if you don't want any limit.

Process priority

You can switch between High, Normal, and Low. The recommended setting is Normal, but if you want to run the program as a "background" process, which will work only when the CPU is idle, you can select Low. If you want to increase AEFSDR performance to the maximum, select High, but be aware that this will decrease the performance of *all other* applications running on your computer.

Use simple passwords to decrypt master keys

If this option is enabled, AEFSDR tries to decrypt the master keys using 80+ commonly used passwords. For files encrypted on Windows 2000, this hardly affects performance; for XP/2003, however, decrypting the keys runs much slower, especially when there are many users on the system.

Show wizard at startup

If enabled (default), the program always starts in Wizard mode. To start the program in Expert mode (and follow all the steps manually: Scan for encryption keys, etc.), uncheck this option.


Home page URL: http://www.elcomsoft.com/aefsdr.html
