Security Basics mailing list archives

RE: Decrypt File


From: "Jason Normanton" <netprouk () netprouk com>
Date: Sat, 17 May 2003 20:45:43 +0100

Hi guys,

There is a way around this with EFS if you have "accidentally" reinstalled the
machine without saving the recovery agent. I have had to save lots of data this
way:

For a non domain or domain member system:

1. If the O/S has been re-installed, re-boot the machine into safe mode.
2. In the properties for the encrypted data, re-assign the new local admin
   account certificate to the files as the recovery agent and take ownership of
   the files.
3. Reboot the machine as normal; the data will now be recoverable from the
   admin account.

Regards,

Jason Normanton
Senior Consultant (Directory Services Security)
http://www.Netprouk.com

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: 15 May 2003 20:22
To: 'James Yang'; security-basics () securityfocus com

-----Original Message-----
From: James Yang [mailto:guanghuyang () yahoo com cn]
Sent: May 14, 2003 20:39
To: security-basics () securityfocus com
Subject: Decrypt File

   My system had a problem yesterday. I backed up my files and then
reinstalled my W2K system. After I copied back my files I found I couldn't
open the encrypted files. How can I open them? Could anyone give me a tip?
Thanks.

  I'm assuming that by "encrypted" you mean you've been using
EFS (Encrypted File System), and that by "reinstalled" you mean
something like "did a clean format and brand new installation".

  EFS files can be decrypted and re-encrypted by the owner, or
decrypted (only) by a designated recovery agent -- by default,
the administrator account.
  If you did a clean installation, the new installation has its
own administrator account and (probably) personal account for 
you.  None of the accounts from the previous installation exists
any more.

  I recommend, when people ask me, that EFS only be used in a
*domain* context.  That way, the default recovery agent is the 
domain administrator account, which will survive reinstalls of 
individual client machines, and even (if there are multiple 
domain controllers) reinstalls of any single domain controller.
  I do not recommend its use on single stand-alone machines,
because if neither the owner nor recovery agent account exists
any more, your third alternative is to try to convince the FBI
that Al Qaeda has hidden data in your encrypted files -- allegedly
they've cracked EFS (although I suspect that what they actually
did in Afghanistan was crack the administrator password, and that
won't help you now).

David Gillett
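A defender-side check that is not part of this thread (an added example, not either poster's procedure): before a reinstall, inventory the EFS-encrypted files and export the EFS certificate together with its private key, which is exactly the key that no longer exists after the clean install described above. It assumes Windows PowerShell 5.1 or later with the PKI module (Export-PfxCertificate), is run as the user who encrypted the files, and uses placeholder paths.

```powershell
# Added example, not from the mailing-list thread: back up what EFS needs
# before reinstalling. Assumes Windows PowerShell 5.1+ with the PKI module,
# run as the owner of the encrypted files. Paths below are placeholders.

param(
    [string]$ScanPath  = "$env:USERPROFILE\Documents",   # assumed data location
    [string]$BackupDir = "$env:USERPROFILE\efs-backup"    # assumed export target
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Which files become unreadable if this account's EFS key is lost?
#    EFS sets the Encrypted attribute bit on each protected file.
$encrypted = Get-ChildItem -Path $ScanPath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
Write-Host ("{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $ScanPath)
$encrypted | Select-Object FullName |
    Export-Csv -NoTypeInformation -Path (Join-Path $BackupDir 'efs-files.csv')

# 2. Find the certificates able to decrypt them: EFS enhanced key usage
#    OID 1.3.6.1.4.1.311.10.3.4, and only those whose private key we hold.
$efsOid   = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) }
if (-not $efsCerts) { throw "No EFS certificate with a private key found; nothing to back up." }

# 3. Export each one as a password-protected PFX (certificate + private key).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($cert in $efsCerts) {
    $out = Join-Path $BackupDir ("efs-{0}.pfx" -f $cert.Thumbprint)
    Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword | Out-Null
    Write-Host "Exported $($cert.Subject) ($($cert.Thumbprint)) -> $out"
}

# Keep the PFX files off the machine. After the reinstall, Import-PfxCertificate
# into Cert:\CurrentUser\My restores access to the files listed in efs-files.csv.
```

The same export can be done on older systems with `cipher /x`, and a domain recovery-agent key can be backed up the same way from the agent's own profile.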



---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point, 
Hacking & Assessment, Cisco Security, Wireless Security & more! Register
Now!
--UP TO 30% off classes in select cities-- 
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------
