I Lost My Encrypted Data! What Now?
What should you do if your system fails?
When the connection between the operating system and the keys physically located on the disk is lost, access to EFS-encrypted data is typically lost. Do not give up in this situation; there is a solution. There is a good chance that access to the data can be restored.
However, if the keys were deleted from the disk and no backup copy of the user profile or the user’s certificates was made, the data is unrecoverable.
In practice, even the export/import of the profile or certificates has proven to be effective:
The keys do appear again.
Scheme for Data Encryption
Once direct access to the disk has been obtained, the next step – directly decrypting and restoring the data – is possible. This can be accomplished using the following strategy:
1. Locate and attempt to decrypt all keys on the problem computer’s hard drive.
2. Look for encrypted files on your hard drive and attempt to decrypt them.
The Advanced EFS Data Recovery tool is one of the most effective tools for decrypting EFS-protected data. It can decrypt data on a problematic computer even if some of the user key records are corrupted.
The capabilities and features of Advanced EFS Data Recovery are detailed below.
EFS Data Recovery (AEFSDR) is a specialized software program that can decrypt files encrypted with EFS technology in Microsoft Windows 2000 and Windows XP, Windows 2003 Server, and the new Windows Vista environments.
This software tool can decrypt files in record time, even if the system is not loaded or some of the encryption key records are corrupted.
Even if the system user database is protected with SYSKEY, Advanced EFS Data Recovery can decrypt the files. All files in Windows 2000 can be decrypted even if the administrator and user passwords are unknown.
Advanced EFS Data Recovery works in two steps:
The first step is to locate and decrypt all EFS keys (private and master). The first step is to decrypt at least one key, which will be used to decrypt the remaining files. In Windows XP and later, this may necessitate entering the user password or the Recovery Agent password into AEFSDR, which was used to encrypt the files. The program first tries to do this automatically, such as extracting the password from cache or system files, checking simple combinations (such as password=username), and then conducting an attack using a medium-sized built-in dictionary.
Locate and decrypt all EFS keys as the first step (private and master). The first step is to decrypt at least one key, which will then be used to decrypt the rest of the files. This may require entering the user password or the Recovery Agent password into AEFSDR, which was used to encrypt the files, in Windows XP and later. The program first attempts to do this automatically by extracting the password from cache or system files, checking simple combinations (such as password=username), and then conducting an attack using a medium-sized built-in dictionary.
Because the file decryption process can take a long time, one of the main benefits of Advanced EFS Data Recovery is the ability to manage the system load. The user can select one of three load levels: High, Normal, or Low.
Another noteworthy feature is that Advanced EFS Data Recovery fully supports Microsoft’s latest Windows Vista operating system as well as Windows Server 2008.
Finally, it is critical to discuss the effectiveness of the product in question, i.e. the likelihood of successful data decryption. ElcomSoft experts estimate that Advanced EFS Data Recovery can successfully restore up to 99 percent of EFS-encrypted data if the user keys are recovered, which is a very high success rate.
