Author Topic: Decrypting NTFS

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Decrypting NTFS
« on: April 12, 2006, 11:23:59 pm »
I'm having a problem with my sister's computer.  Remember it?

I put her hard drive into another computer.  I need to recover her files.  However, they are encrypted with NTFS's encryption.  I have (well, I cracked... same thing, really) her passwords, so that's not an issue.  However, I can't figure out how to get them decrypted.

I was looking at ntfsdecrypt, which you can get with Linux.  However, it requires a key which you can only get by running a program (cipher.exe) on the system with the encrypted files.  I booted with Windows XP's recovery console, but it doesn't allow you to run programs so I can't run that stupid cipher.exe. 

I also can't find a program which can just decrypt the files using a password. 

Any idea how I can retrieve the files?  I know that Encase Forensic Suite can, but I don't have thousands of dollars.  Anything else?

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Decrypting NTFS
« Reply #1 on: April 12, 2006, 11:27:26 pm »
Did you try running cipher.exe with wine?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago
Re: Decrypting NTFS
« Reply #2 on: April 13, 2006, 10:31:39 am »
Yeah, it needs to do fancy stuff or something...

Offline Eric

  • Full Member
  • ***
  • Posts: 304
  • I'm new here!
    • View Profile
Re: Decrypting NTFS
« Reply #3 on: April 13, 2006, 10:44:41 am »
NTFS uses both symmetric and public-key encryption.  You can't access the file simply by obtaining the user's password.  If the keys are no longer present on the system or have somehow changed (I *think* that password changes affect the keys), then you're out of luck.  Why not just boot into Windows and decrypt them through the standard Windows utility?

Offline iago
Re: Decrypting NTFS
« Reply #4 on: April 13, 2006, 11:54:22 am »
I'm aware of how NTFS encryption works; I've done forensic work with it.  What I don't have is software that can read the encrypted files given the password, or software that can generate the key. 

The Windows installation is corrupt; I've tried everything I can think of to fix it.  It won't boot past the POST (it just restarts as soon as it's done POSTing). 

I can boot Linux or BSD or Windows Recovery Console, but I haven't been able to find anything useful with those. 

If I was to reinstall Windows without formatting the hard drive, would the new version be able to access the encrypted files?  Or would reinstalling Windows kill the key forever? 

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Decrypting NTFS
« Reply #5 on: April 13, 2006, 01:22:54 pm »
Quote from: iago
If I was to reinstall Windows without formatting the hard drive, would the new version be able to access the encrypted files?  Or would reinstalling Windows kill the key forever? 
It shouldn't kill the key forever; installing Windows over Windows with a clean install usually ends up renaming the old Windows directories.

I believe the keys are stored in one of the super-secret files like ntuser.dat (along with the HKCU hive) but I don't have hard evidence to back that up.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago
Re: Decrypting NTFS
« Reply #6 on: April 13, 2006, 02:49:11 pm »
But it also won't help me get the files back, then?  I don't care about re-installing Windows, really; as far as I'm concerned this hard drive can be smashed once I get the files off.  The important part is, how do I get the files off?

Offline MyndFyre
Re: Decrypting NTFS
« Reply #7 on: April 13, 2006, 03:41:44 pm »
Quote from: iago
But it also won't help me get the files back, then?  I don't care about re-installing Windows, really; as far as I'm concerned this hard drive can be smashed once I get the files off.  The important part is, how do I get the files off?

According to this website, crypto key files are stored on the hard drive in %USER_PROFILE%\Application Data\Microsoft\Crypto\RSA\{SID}, and the master key encryption key (I guess the encryption key itself is encrypted based on the password) is in %USER_PROFILE%\Application Data\Microsoft\Protect\{SID}.  I am not sure how to read them, but that should be a good place to start.

I looked in Windows in the \Protect folder and the files are superhidden (blocked by Explorer from being shown), but they're there:
Code:
C:\Documents and Settings\robp.MINNOW\Application Data\Microsoft\Protect\S-1-5-U-DONT-GET-MY-SID>dir /a
 Volume in drive C has no label.
 Volume Serial Number is 201B-D49E

 Directory of C:\Documents and Settings\robp.MINNOW\Application Data\Microsoft\Protect\S-1-5-21-2111718058-1947696944-1100554965-4315

03/20/2006  04:17 PM    <DIR>          .
03/20/2006  04:17 PM    <DIR>          ..
10/28/2004  04:45 PM               368 05e99ebc-f24c-4b49-ab70-259ccd2bf36a
12/19/2005  08:46 AM               664 52275396-bff1-4519-b3f9-e585eaa76c63
12/19/2005  08:46 AM               664 751bf8bb-7ed3-4dda-b478-c47dcdcd04e6
03/20/2006  04:17 PM               368 879909aa-f7eb-4a77-94c6-7a923b284152
07/15/2004  04:22 PM               368 94b13aed-69e1-4434-bfd5-4dbf1065953c
12/19/2005  08:46 AM               664 9d9c1df5-07e4-4271-9ede-c51a7b794120
12/19/2005  08:46 AM               664 a1999b05-32ef-4adb-970d-5c4c5c1e554a
03/20/2006  04:17 PM                24 Preferred
               8 File(s)          3,784 bytes
               2 Dir(s)  26,538,336,256 bytes free
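The following is an added example, not code from the thread or from any Microsoft tool. It models the key hierarchy Eric describes in reply #3 (a symmetric file key wrapped with a public key) together with the two profile folders MyndFyre located in reply #7 (Crypto\RSA holds the user's RSA private key, Protect holds the DPAPI master key that guards it), and shows why the cracked password alone is not enough but password plus those blobs is. Everything here is a stand-in and an assumption: textbook RSA over two fixed Mersenne primes instead of the user's real key, an HMAC-SHA256 keystream instead of DESX/3DES/AES, PBKDF2 instead of DPAPI's own derivation, and all function and field names are made up for the illustration; the sample plaintext is constructed.

```python
"""Toy model of the EFS key hierarchy.

Real EFS: a random File Encryption Key (FEK) encrypts the file data; the FEK
is stored in the file's $EFS attribute encrypted with the user's RSA public
key; the RSA private key lives under %APPDATA%\\Microsoft\\Crypto\\RSA\\{SID}
protected by DPAPI, whose master key under %APPDATA%\\Microsoft\\Protect\\{SID}
is encrypted with a key derived from the logon password.

Stand-ins used here (assumptions, not the real primitives): textbook RSA over
two fixed Mersenne primes instead of the user's 1024/2048-bit key, and an
HMAC-SHA256 counter keystream instead of DESX/3DES/AES.
"""
import hashlib
import hmac
import os

FEK_LEN = 11     # 88-bit toy FEK, kept smaller than the 92-bit toy modulus
RSA_E = 65537


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: XOR data with an HMAC-SHA256 counter keystream."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def password_key(password: str, salt: bytes) -> bytes:
    """Key derived from the logon password (what unlocks a DPAPI master key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def toy_rsa_keypair():
    """Textbook RSA with p = 2^61-1 and q = 2^31-1 (both prime; NOT secure)."""
    p, q = (1 << 61) - 1, (1 << 31) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (RSA_E, n), (pow(RSA_E, -1, phi), n)     # (public, private)


def protect_private_key(d: int, n: int, password: str) -> dict:
    """Build the two profile blobs a recovery tool needs besides the file."""
    salt, master_key, nonce = os.urandom(16), os.urandom(32), os.urandom(16)
    pwk = password_key(password, salt)
    mk_blob = stream_xor(pwk, b"masterkey", master_key)        # Protect\{SID}\<guid>
    mk_tag = hmac.new(pwk, mk_blob, hashlib.sha256).digest()   # makes a wrong password fail loudly
    key_blob = stream_xor(master_key, nonce, d.to_bytes(12, "big"))  # Crypto\RSA\{SID}\<file>
    return {"salt": salt, "mk_blob": mk_blob, "mk_tag": mk_tag,
            "nonce": nonce, "key_blob": key_blob, "modulus": n}


def unprotect_private_key(profile: dict, password: str) -> tuple:
    """Password -> master key -> RSA private key; ValueError on a wrong password."""
    pwk = password_key(password, profile["salt"])
    tag = hmac.new(pwk, profile["mk_blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, profile["mk_tag"]):
        raise ValueError("wrong password: master key cannot be decrypted")
    master_key = stream_xor(pwk, b"masterkey", profile["mk_blob"])
    d = int.from_bytes(stream_xor(master_key, profile["nonce"], profile["key_blob"]), "big")
    return d, profile["modulus"]


def efs_encrypt_file(plaintext: bytes, pubkey: tuple) -> dict:
    """Fresh FEK per file; the DDF entry holds the FEK under the public key."""
    e, n = pubkey
    fek, nonce = os.urandom(FEK_LEN), os.urandom(16)
    ddf = pow(int.from_bytes(fek, "big"), e, n)
    return {"ddf": ddf, "nonce": nonce, "data": stream_xor(fek, nonce, plaintext)}


def efs_decrypt_file(enc: dict, privkey: tuple) -> bytes:
    d, n = privkey
    fek = pow(enc["ddf"], d, n).to_bytes(FEK_LEN, "big")
    return stream_xor(fek, enc["nonce"], enc["data"])


def recover_offline(enc: dict, profile: dict, password: str) -> bytes:
    """Offline recovery needs all three: the $EFS data, the profile blobs, the password."""
    return efs_decrypt_file(enc, unprotect_private_key(profile, password))


def demo() -> tuple:
    """Returns (recovered with the right password, rejected with a wrong one)."""
    pub, priv = toy_rsa_keypair()
    profile = protect_private_key(priv[0], priv[1], "correct horse")   # blobs from the old profile
    secret = b"constructed sample: a document from the sister's profile"
    enc = efs_encrypt_file(secret, pub)
    recovered = recover_offline(enc, profile, "correct horse") == secret
    try:
        recover_offline(enc, profile, "wrong password")
        rejected = False
    except ValueError:
        rejected = True
    return recovered, rejected


if __name__ == "__main__":
    print(demo())    # (True, True)
```

The shape is what matters: a tool working from a disk image needs the file's $EFS metadata, the Protect and Crypto\RSA blobs from that user's profile, and the logon password that was in force when those blobs were last written. The toy adds a MAC so a wrong password raises instead of silently producing garbage, which is also how you tell "wrong password" apart from "wrong blobs". One caveat worth checking before spending time: a password the user changed through Windows keeps the master keys usable (they are re-encrypted under the new password), but a password reset by an administrator does not, so a cracked-but-unchanged password is the favourable case.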

Offline MyndFyre
Re: Decrypting NTFS
« Reply #8 on: April 13, 2006, 03:43:25 pm »
By the way: several good-looking prospects come up with a search.  You know.... ;)

Offline iago
Re: Decrypting NTFS
« Reply #9 on: April 13, 2006, 05:11:02 pm »
Quote from: MyndFyre
By the way: several good-looking prospects come up with a search.  You know.... ;)

I did a search similar to that, but found nothing useful. 

This article looks useful, but it's painful to read.  He needs to take a class on how to write. :/

I'm plodding through it, though, with my fingers crossed

<edit> Nope, not useful.  But I'll keep looking..

<edit2> Why do all Windows tools have to cost money?  God I hate the mindset of Windows developers :(
« Last Edit: April 13, 2006, 05:39:33 pm by iago »

Offline Newby
Re: Decrypting NTFS
« Reply #10 on: April 13, 2006, 05:40:39 pm »
They've gotta pay off their debt for Visual Studio. =P

Offline iago
Re: Decrypting NTFS
« Reply #11 on: April 13, 2006, 05:56:42 pm »
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 

Offline MyndFyre
Re: Decrypting NTFS
« Reply #12 on: April 13, 2006, 05:58:07 pm »
Quote from: iago
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 

Boot it, after POSTing repeatedly press F8 until the safe boot menu pops up.  Enable Safe Mode with Boot Logging.  See if it still reboots.  If not, then you've got a problem device driver.  If so, then send me the file bootlog.txt which is in either c:\, c:\windows, or c:\windows\system32.

Offline iago
Re: Decrypting NTFS
« Reply #13 on: April 13, 2006, 06:49:59 pm »
Quote from: iago
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 

Quote from: MyndFyre
Boot it, after POSTing repeatedly press F8 until the safe boot menu pops up.  Enable Safe Mode with Boot Logging.  See if it still reboots.  If not, then you've got a problem device driver.  If so, then send me the file bootlog.txt which is in either c:\, c:\windows, or c:\windows\system32.

Ooh, I forgot, I could get into the boot menu.  I'll try safe mode with logging after I finish virus-scanning the drive. 

Offline iago
Re: Decrypting NTFS
« Reply #14 on: April 14, 2006, 12:46:39 pm »
Hmm, the boot menu doesn't give me the option to log?

I get:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration (which doesn't work)
Start Windows Normally

Any idea how to make it show up?