Author Topic: Decrypting NTFS  (Read 9710 times)

0 Members and 11 Guests are viewing this topic.

Offline Nate

  • Full Member
  • ***
  • Posts: 425
  • You all suck
    • View Profile
Re: Decrypting NTFS
« Reply #15 on: April 14, 2006, 01:49:59 pm »
Does Safe Mode work? If not then just re-install windows like someone already suggested.

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Decrypting NTFS
« Reply #16 on: April 14, 2006, 02:11:43 pm »
The boot menu's never given me an option to log.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Decrypting NTFS
« Reply #17 on: April 14, 2006, 03:39:42 pm »
Does Safe Mode work? If not then just re-install windows like someone already suggested.

No. 

I'm the one who suggested re-installing.  But won't that hose my encryption keys?  I don't care about getting Windows back, as far as I'm concerned I can smashify this harddrive once I get the files off.  But I just want the files. 


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Decrypting NTFS
« Reply #18 on: April 14, 2006, 03:43:32 pm »
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 

Boot it, after POSTing repeatedly press F8 until the safe boot menu pops up.  Enable Safe Mode with Boot Logging.  See if it still reboots.  If not, then you've got a problem device driver.  If so, then send me the file bootlog.txt which is in either c:\, c:\windows, or c:\windows\system32.

Ok, I got logging enabled.  But there is no such file in any of those folders (yes, I enabled hidden files, and yes, I searched the entire harddrive). 

Any other ides?

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Decrypting NTFS
« Reply #19 on: April 14, 2006, 06:33:28 pm »
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 

Boot it, after POSTing repeatedly press F8 until the safe boot menu pops up.  Enable Safe Mode with Boot Logging.  See if it still reboots.  If not, then you've got a problem device driver.  If so, then send me the file bootlog.txt which is in either c:\, c:\windows, or c:\windows\system32.

Ok, I got logging enabled.  But there is no such file in any of those folders (yes, I enabled hidden files, and yes, I searched the entire harddrive). 

Any other ides?


If you can boot it up, just recover the files?  Or no booting at all?

Edit: my bad:

Enable Boot Logging

Starts while logging all the drivers and services that were loaded (or not loaded) by the system to a file. This file is called ntbtlog.txt and it is located in the %windir% directory. Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt add to the boot log a list of all the drivers and services that are loaded. The boot log is useful in determining the exact cause of system startup problems.
« Last Edit: April 14, 2006, 06:35:42 pm by MyndFyre[x86] »
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Decrypting NTFS
« Reply #20 on: April 21, 2006, 12:35:37 pm »
Enable Boot Logging

Starts while logging all the drivers and services that were loaded (or not loaded) by the system to a file. This file is called ntbtlog.txt and it is located in the %windir% directory. Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt add to the boot log a list of all the drivers and services that are loaded. The boot log is useful in determining the exact cause of system startup problems.
That doesn't exist either.  I searched the harddrive for "*nt*log*" just to be safe, including hidden/system files. 

And I can't boot it up, I'm making it a slave drive. 

Any other ideas? I'm about ready to give up and put the harddrive in storage ("limbo") until I think of something else or get access to forensic software again. :-/

Offline Furious

  • Hero Member
  • *****
  • Posts: 1833
  • I hate rabbits
    • View Profile
Re: Decrypting NTFS
« Reply #21 on: April 21, 2006, 01:04:29 pm »
Enable Boot Logging

Starts while logging all the drivers and services that were loaded (or not loaded) by the system to a file. This file is called ntbtlog.txt and it is located in the %windir% directory. Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt add to the boot log a list of all the drivers and services that are loaded. The boot log is useful in determining the exact cause of system startup problems.
That doesn't exist either.  I searched the harddrive for "*nt*log*" just to be safe, including hidden/system files. 

And I can't boot it up, I'm making it a slave drive. 

Any other ideas? I'm about ready to give up and put the harddrive in storage ("limbo") until I think of something else or get access to forensic software again. :-/

Some computers come with repair disks, which just replace the essential files for the OS and don't tamper with any others.
Quote
[23:04:34] <deadly7[x86]> Newby[x86]
[23:04:35] <deadly7[x86]> YOU ARE AN EMO
[23:04:39] <Newby[x86]> shush it woman

Quote
[17:53:31] InsaneJoey[e2] was banned by x86 (GO EAT A BAG OF FUCK ASSHOLE (randomban)).

Quote from: Ergot
Put it this way Joe... you're on my Buddy List... if there's no one else on an you're the only one, I'd rather talk to myself.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Decrypting NTFS
« Reply #22 on: April 21, 2006, 01:28:04 pm »
Nope, I manually installed Windows XP. 

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Decrypting NTFS
« Reply #23 on: April 21, 2006, 01:42:15 pm »
Nope, I manually installed Windows XP. 

Did you do a repair install over the drive?

Boot from the CD and select that you want to install, go through the options and it should detect your sister's XP system.  Tell it that you want to install to that path, and it will ask if you want to do a clean setup or repair.  Do repair.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Decrypting NTFS
« Reply #24 on: April 21, 2006, 05:51:56 pm »
Nope, I manually installed Windows XP. 

Did you do a repair install over the drive?

Boot from the CD and select that you want to install, go through the options and it should detect your sister's XP system.  Tell it that you want to install to that path, and it will ask if you want to do a clean setup or repair.  Do repair.

You're positive that that won't blow out any accounts?  That's why I've been avoiding doing that, I'm not positive that I'll still be able to log in. 

If you're reasonably sure, I'll do it.  I don't have much to lose at this point.

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Decrypting NTFS
« Reply #25 on: April 21, 2006, 11:26:42 pm »
Nope, I manually installed Windows XP. 

Did you do a repair install over the drive?

Boot from the CD and select that you want to install, go through the options and it should detect your sister's XP system.  Tell it that you want to install to that path, and it will ask if you want to do a clean setup or repair.  Do repair.

You're positive that that won't blow out any accounts?  That's why I've been avoiding doing that, I'm not positive that I'll still be able to log in. 

If you're reasonably sure, I'll do it.  I don't have much to lose at this point.

Repairing an installation will definitely not destroy any accounts, *unless* the accounts are already toast, which would make the matter a moot point anyway.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Decrypting NTFS
« Reply #26 on: April 21, 2006, 11:50:11 pm »
Repairing an installation will definitely not destroy any accounts, *unless* the accounts are already toast, which would make the matter a moot point anyway.
Yeah, the accounts are fine, as far as I can tell.  I was able to view information about them and bruteforce their passwords, so at least the SAM and other stuff are intact. 

I don't have access to a computer to get that going right now, unfortunately, but when I do I'll be sure to let you know how it goes. 

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: Decrypting NTFS
« Reply #27 on: April 22, 2006, 02:49:49 pm »
Hmm, the boot menu doesn't give me the option to log?

I get:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration (which doesn't work)
Start Windows Normally

Any idea how to make it show up?

ew@ Windows XP Home

I don't know if you can with the crippled version

You -could- try using Windows XPE to boot from CD into Windows and recover whatever files you need that way.  I don't know if it costs though, I've had my copy for a good 5 or 6 years.

EDIT: This looks similar to what I have.
« Last Edit: April 22, 2006, 02:51:41 pm by unTactical »

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Decrypting NTFS
« Reply #28 on: April 22, 2006, 02:57:51 pm »
Hmm, the boot menu doesn't give me the option to log?

I get:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration (which doesn't work)
Start Windows Normally

Any idea how to make it show up?

ew@ Windows XP Home

I don't know if you can with the crippled version

You -could- try using Windows XPE to boot from CD into Windows and recover whatever files you need that way.  I don't know if it costs though, I've had my copy for a good 5 or 6 years.

EDIT: This looks similar to what I have.

Oooh, I didn't know it was Windows XP Home.  You're not even supposed to have the Encrypting File System in XP Home (probably to keep home users from doing something like this).  If you need I can send you an XP Pro ISO.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Decrypting NTFS
« Reply #29 on: April 22, 2006, 03:56:42 pm »
It's not Windows XP home, it's pro.  What makes you think it's home?