Clan x86

General Forums => General Discussion => Topic started by: iago on April 12, 2006, 11:23:59 PM

Title: Decrypting NTFS
Post by: iago on April 12, 2006, 11:23:59 PM
I'm having a problem with my sister's computer.  Remember it?

I put her harddrive into another computer.  I need to recover her files.  However, they are encrypted with NTFS's encryption.  I have (well, I cracked.. same thing, really) her passwords, so that's not an issue.  However, I can't figure out how to get them decrypted.

I was looking at ntfsdecrypt, which you can get with Linux.  However, it requires a key which you can only get by running a program (cipher.exe) on the system with the encrypted files.  I booted with Windows XP's recovery console, but it doesn't allow you to run programs so I can't run that stupid cipher.exe. 

I also can't find a program which can just decrypt the files using a password. 

Any idea how I can retrieve the files?  I know that Encase Forensic Suite can, but I don't have $1000's of dollars.  Anything else?
Title: Re: Decrypting NTFS
Post by: Newby on April 12, 2006, 11:27:26 PM
Did you try running cipher.exe with wine?
Title: Re: Decrypting NTFS
Post by: iago on April 13, 2006, 10:31:39 AM
Yeah, it needs to do fancy stuff or something..
Title: Re: Decrypting NTFS
Post by: Eric on April 13, 2006, 10:44:41 AM
NTFS uses both symmetric and public key encryption.  You can't access the file simply by obtaining the user's password.  If the keys are no longer present on the system or have somehow changed (I *think* that password changes affect the keys), then you're out of luck.  Why not just boot into Windows and decrypt them through the standard Windows utility?
Title: Re: Decrypting NTFS
Post by: iago on April 13, 2006, 11:54:22 AM
I'm aware of how NTFS encryption works, I've done forensic work with it.  What I don't have is software that can read the encrypted files given the password or software that can generate the key. 

The Windows installation is corrupt, I've tried everything I can think of to fix it.  It won't boot past the POST (it just restarts as soon as it's done POSTing). 

I can boot Linux or BSD or Windows Recovery Console, but I haven't been able to find anything useful with those. 

If I was to reinstall Windows without formatting the harddrive, would the new version be able to access the encrypted files?  Or would reinstalling Windows kill the key forever? 
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 13, 2006, 01:22:54 PM
Quote from: iago on April 13, 2006, 11:54:22 AM
If I was to reinstall Windows without formatting the harddrive, would the new version be able to access the encrypted files?  Or would reinstalling Windows kill the key forever? 
It shouldn't kill the key forever; installing Windows over Windows with a clean install usually ends up renaming the old Windows directories.

I believe the keys are stored in one of the super-secret files like ntuser.dat (along with the HKCU hive) but I don't have hard evidence to back that up.
Title: Re: Decrypting NTFS
Post by: iago on April 13, 2006, 02:49:11 PM
But it also won't help me get the files back, then?  I don't care about re-installing Windows, really, as far as I'm concerned this harddrive can be smashed once I get the files off.  The important part is, how do I get the files off?
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 13, 2006, 03:41:44 PM
Quote from: iago on April 13, 2006, 02:49:11 PM
But it also won't help me get the files back, then?  I don't care about re-installing Windows, really, as far as I'm concerned this harddrive can be smashed once I get the files off.  The important part is, how do I get the files off?

According to this website (http://www.ntfs.com/issues-encrypted-files.htm), crypto key files are stored on the hard drive in %USER_PROFILE%\Application Data\Microsoft\Crypto\RSA\{SID}, and the master key encryption key (I guess it's the encryption key itself is encrypted based on password) is in %USER_PROFILE%\Application Data\Microsoft\Protect\{SID}.  I am not sure how to read them, but that should be a good place to start.

I looked in Windows in the \Protect folder and the files are superhidden (blocked by Explorer from being shown), but they're there:
C:\Documents and Settings\robp.MINNOW\Application Data\Microsoft\Protect\S-1-5-U-DONT-GET-MY-SID>dir /a
Volume in drive C has no label.
Volume Serial Number is 201B-D49E

 Directory of C:\Documents and Settings\robp.MINNOW\Application Data\Microsoft\Protect\S-1-5-21-2111718058-1947696944-1100554965-4315

03/20/2006  04:17 PM    <DIR>          .
03/20/2006  04:17 PM    <DIR>          ..
10/28/2004  04:45 PM               368 05e99ebc-f24c-4b49-ab70-259ccd2bf36a
12/19/2005  08:46 AM               664 52275396-bff1-4519-b3f9-e585eaa76c63
12/19/2005  08:46 AM               664 751bf8bb-7ed3-4dda-b478-c47dcdcd04e6
03/20/2006  04:17 PM               368 879909aa-f7eb-4a77-94c6-7a923b284152
07/15/2004  04:22 PM               368 94b13aed-69e1-4434-bfd5-4dbf1065953c
12/19/2005  08:46 AM               664 9d9c1df5-07e4-4271-9ede-c51a7b794120
12/19/2005  08:46 AM               664 a1999b05-32ef-4adb-970d-5c4c5c1e554a
03/20/2006  04:17 PM                24 Preferred
               8 File(s)          3,784 bytes
               2 Dir(s)  26,538,336,256 bytes free
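The two folders named above are where an offline investigator starts, so here is an added worked example (not code from the thread or from ntfs.com) that reads what sits in a Protect\{SID} folder on a mounted slave drive: the 24-byte Preferred file, which is the GUID of the currently active master key followed by a FILETIME expiry (the 24-byte Preferred in the listing above matches that layout exactly), and the 128-byte header plus section parameters of each GUID-named master-key file. The header layout (version, UTF-16 GUID, flags, then the lengths of the master-key, backup-key, CREDHIST and domain-key sections) and the section layout (version, 16-byte salt, PBKDF2 round count, hash and cipher algorithm IDs) follow the structures documented by the open-source DPAPI tools dpapick and mimikatz. The SID, GUIDs and file bytes in the script are constructed so it runs offline, and the sample files are zero-filled rather than real ciphertext. It only parses: turning one of these files into a usable master key, and then decrypting the EFS private key under Crypto\RSA\{SID}, additionally requires the user's password, which is why having the passwords matters in this thread.

```python
"""Enumerate DPAPI master-key material in an offline Windows 2000/XP profile.

Added example, not code from the thread. Walks Application Data\\Microsoft\\
Protect\\<SID>\\ on a mounted drive, reads Preferred (GUID + FILETIME) and
the header of each master-key file. Parsing only: no decryption is done.
"""
import os
import struct
import tempfile
import uuid
from datetime import datetime, timedelta, timezone

# Algorithm identifiers from wincrypt.h
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
              0x8004: "CALG_SHA1", 0x8009: "CALG_HMAC", 0x800E: "CALG_SHA_512"}
HEADER_FMT = "<I8s72s8sIQQQQ"   # version, pad, UTF-16 GUID, pad, flags, 4 section lengths
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 128 bytes
SECTION_FMT = "<I16sIII"        # version, salt, PBKDF2 rounds, hash CALG, cipher CALG
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample identifiers (not taken from the thread)
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1004"
SAMPLE_GUIDS = ["0f8fad5b-d9cb-469f-a165-70867728950e",
                "7c9e6679-7425-40de-944b-e07fc1f90ae7"]


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_preferred(data):
    """Preferred: 16-byte GUID in little-endian (bytes_le) layout + 8-byte FILETIME."""
    if len(data) != 24:
        raise ValueError("Preferred must be 24 bytes, got %d" % len(data))
    (ft,) = struct.unpack("<Q", data[16:])
    return str(uuid.UUID(bytes_le=data[:16])), filetime_to_datetime(ft)


def parse_masterkey_file(data):
    """Parse the fixed header and the parameters of the user master-key section."""
    if len(data) < HEADER_LEN + struct.calcsize(SECTION_FMT):
        raise ValueError("too short to be a master-key file")
    version, _, guid, _, flags, mk_len, bk_len, ch_len, dk_len = struct.unpack_from(HEADER_FMT, data, 0)
    if HEADER_LEN + mk_len + bk_len + ch_len + dk_len != len(data):
        raise ValueError("section lengths do not add up to the file size")
    sec_ver, salt, rounds, hash_alg, crypt_alg = struct.unpack_from(SECTION_FMT, data, HEADER_LEN)
    return {"version": version, "guid": guid.decode("utf-16-le"), "flags": flags,
            "sections": {"masterkey": mk_len, "backupkey": bk_len,
                         "credhist": ch_len, "domainkey": dk_len},
            "masterkey": {"version": sec_ver, "salt": salt.hex(), "rounds": rounds,
                          "hash_alg": CALG_NAMES.get(hash_alg, hex(hash_alg)),
                          "crypt_alg": CALG_NAMES.get(crypt_alg, hex(crypt_alg))}}


def enumerate_protect_dir(protect_dir):
    """Return {sid: {"preferred": (guid, expiry), "keys": {guid: parsed}}}."""
    result = {}
    for sid in sorted(os.listdir(protect_dir)):
        sid_dir = os.path.join(protect_dir, sid)
        if not (sid.startswith("S-1-5-") and os.path.isdir(sid_dir)):
            continue
        entry = {"preferred": None, "keys": {}}
        for name in sorted(os.listdir(sid_dir)):
            with open(os.path.join(sid_dir, name), "rb") as fh:
                data = fh.read()
            if name.lower() == "preferred":
                entry["preferred"] = parse_preferred(data)
                continue
            try:
                uuid.UUID(name)          # master-key files are named by their GUID
            except ValueError:
                continue
            parsed = parse_masterkey_file(data)
            if parsed["guid"].lower() != name.lower():
                raise ValueError("GUID inside %s does not match its file name" % name)
            entry["keys"][name.lower()] = parsed
        result[sid] = entry
    return result


def build_sample_masterkey(guid, mk_len=176, bk_len=176):
    """Constructed master-key file: real layout, zero-filled ciphertext (not a real key)."""
    credhist = struct.pack("<I", 1) + uuid.UUID(int=0).bytes_le   # version + CREDHIST GUID
    header = struct.pack(HEADER_FMT, 2, b"\0" * 8, guid.encode("utf-16-le"), b"\0" * 8,
                         4, mk_len, bk_len, len(credhist), 0)
    section = struct.pack(SECTION_FMT, 2, bytes(range(16)), 4000, 0x8004, 0x6603)

    def padded(n):
        return section + b"\0" * (n - len(section))
    return header + padded(mk_len) + padded(bk_len) + credhist


def build_sample_protect_tree(root):
    """Write a constructed Protect\\<SID>\\ folder under root; Preferred points at the 2nd key."""
    sid_dir = os.path.join(root, SAMPLE_SID)
    os.makedirs(sid_dir)
    for g in SAMPLE_GUIDS:
        with open(os.path.join(sid_dir, g), "wb") as fh:
            fh.write(build_sample_masterkey(g))
    ticks = int((datetime(2006, 4, 13, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    with open(os.path.join(sid_dir, "Preferred"), "wb") as fh:
        fh.write(uuid.UUID(SAMPLE_GUIDS[1]).bytes_le + struct.pack("<Q", ticks))


def demo():
    """Build the constructed tree in a temp dir and enumerate it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_protect_tree(tmp)
        return enumerate_protect_dir(tmp)


if __name__ == "__main__":
    for sid, entry in demo().items():
        print(sid, "preferred:", entry["preferred"])
        for g, k in entry["keys"].items():
            print("  ", g, k["sections"], k["masterkey"])
```

Against a real profile you would call enumerate_protect_dir on the Protect folder of the slaved drive (something like the hypothetical path E:\Documents and Settings\<user>\Application Data\Microsoft\Protect). The two sanity checks, GUID in the header against the file name and section lengths against the file size, are what tell you whether the files copied off the drive are intact before you spend time on decryption.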
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 13, 2006, 03:43:25 PM
By the way: several good-looking prospects come up with a search (http://www.google.com/search?hl=en&q=recover+encrypted+NTFS+files).  You know.... ;)
Title: Re: Decrypting NTFS
Post by: iago on April 13, 2006, 05:11:02 PM
Quote from: MyndFyre on April 13, 2006, 03:43:25 PM
By the way: several good-looking prospects come up with a search (http://www.google.com/search?hl=en&q=recover+encrypted+NTFS+files).  You know.... ;)

I did a search similar to that, but found nothing useful. 

This article (http://www.brienposey.com/kb/recovering_encrypted_data.asp) looks useful, but it's painful to read.  He needs to take a class on how to write. :/

I'm plodding through it, though, with my fingers crossed

<edit> Nope, not useful.  But I'll keep looking..

<edit2> Why do all Windows tools have to cost money?  God I hate the mindset of Windows developers :(
Title: Re: Decrypting NTFS
Post by: Newby on April 13, 2006, 05:40:39 PM
They've gotta pay off their debt for Visual Studio. =P
Title: Re: Decrypting NTFS
Post by: iago on April 13, 2006, 05:56:42 PM
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 13, 2006, 05:58:07 PM
Quote from: iago on April 13, 2006, 05:56:42 PM
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 

Boot it, after POSTing repeatedly press F8 until the safe boot menu pops up.  Enable Safe Mode with Boot Logging.  See if it still reboots.  If not, then you've got a problem device driver.  If so, then send me the file bootlog.txt which is in either c:\, c:\windows, or c:\windows\system32.
Title: Re: Decrypting NTFS
Post by: iago on April 13, 2006, 06:49:59 PM
Quote from: MyndFyre on April 13, 2006, 05:58:07 PM
Quote from: iago on April 13, 2006, 05:56:42 PM
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 

Boot it, after POSTing repeatedly press F8 until the safe boot menu pops up.  Enable Safe Mode with Boot Logging.  See if it still reboots.  If not, then you've got a problem device driver.  If so, then send me the file bootlog.txt which is in either c:\, c:\windows, or c:\windows\system32.

Ooh, I forgot, I could get into the boot menu.  I'll try safe mode with logging after I finish virus scanning the drive. 
Title: Re: Decrypting NTFS
Post by: iago on April 14, 2006, 12:46:39 PM
Hmm, the boot menu doesn't give me the option to log?

I get:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration (which doesn't work)
Start Windows Normally

Any idea how to make it show up?
Title: Re: Decrypting NTFS
Post by: Nate on April 14, 2006, 01:49:59 PM
Does Safe Mode work? If not then just re-install windows like someone already suggested.
Title: Re: Decrypting NTFS
Post by: deadly7 on April 14, 2006, 02:11:43 PM
The boot menu's never given me an option to log.
Title: Re: Decrypting NTFS
Post by: iago on April 14, 2006, 03:39:42 PM
Quote from: Nate on April 14, 2006, 01:49:59 PM
Does Safe Mode work? If not then just re-install windows like someone already suggested.

No. 

I'm the one who suggested re-installing.  But won't that hose my encryption keys?  I don't care about getting Windows back, as far as I'm concerned I can smashify this harddrive once I get the files off.  But I just want the files. 

Title: Re: Decrypting NTFS
Post by: iago on April 14, 2006, 03:43:32 PM
Quote from: MyndFyre on April 13, 2006, 05:58:07 PM
Quote from: iago on April 13, 2006, 05:56:42 PM
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 

Boot it, after POSTing repeatedly press F8 until the safe boot menu pops up.  Enable Safe Mode with Boot Logging.  See if it still reboots.  If not, then you've got a problem device driver.  If so, then send me the file bootlog.txt which is in either c:\, c:\windows, or c:\windows\system32.

Ok, I got logging enabled.  But there is no such file in any of those folders (yes, I enabled hidden files, and yes, I searched the entire harddrive). 

Any other ideas?
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 14, 2006, 06:33:28 PM
Quote from: iago on April 14, 2006, 03:43:32 PM
Quote from: MyndFyre on April 13, 2006, 05:58:07 PM
Quote from: iago on April 13, 2006, 05:56:42 PM
Losers :P

I had another idea, I wonder if I can replace the system files on the broken computer with files from a good computer and they'll work...

I really wish I knew why the broken computer wouldn't boot, though.  An error message or log or something would be handy, but all I know is that, when Windows is installed, it posts then reboots, posts then reboots, etc.  Does anybody know a way to figure out what's wrong? 

Boot it, after POSTing repeatedly press F8 until the safe boot menu pops up.  Enable Safe Mode with Boot Logging.  See if it still reboots.  If not, then you've got a problem device driver.  If so, then send me the file bootlog.txt which is in either c:\, c:\windows, or c:\windows\system32.

Ok, I got logging enabled.  But there is no such file in any of those folders (yes, I enabled hidden files, and yes, I searched the entire harddrive). 

Any other ideas?


If you can boot it up, just recover the files?  Or no booting at all?

Edit: my bad:

Enable Boot Logging

Starts while logging all the drivers and services that were loaded (or not loaded) by the system to a file. This file is called ntbtlog.txt and it is located in the %windir% directory. Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt add to the boot log a list of all the drivers and services that are loaded. The boot log is useful in determining the exact cause of system startup problems.
Title: Re: Decrypting NTFS
Post by: iago on April 21, 2006, 12:35:37 PM
Quote from: MyndFyre on April 14, 2006, 06:33:28 PM
Enable Boot Logging

Starts while logging all the drivers and services that were loaded (or not loaded) by the system to a file. This file is called ntbtlog.txt and it is located in the %windir% directory. Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt add to the boot log a list of all the drivers and services that are loaded. The boot log is useful in determining the exact cause of system startup problems.
That doesn't exist either.  I searched the harddrive for "*nt*log*" just to be safe, including hidden/system files. 

And I can't boot it up, I'm making it a slave drive. 

Any other ideas? I'm about ready to give up and put the harddrive in storage ("limbo") until I think of something else or get access to forensic software again. :-/
Title: Re: Decrypting NTFS
Post by: Furious on April 21, 2006, 01:04:29 PM
Quote from: iago on April 21, 2006, 12:35:37 PM
Quote from: MyndFyre on April 14, 2006, 06:33:28 PM
Enable Boot Logging

Starts while logging all the drivers and services that were loaded (or not loaded) by the system to a file. This file is called ntbtlog.txt and it is located in the %windir% directory. Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt add to the boot log a list of all the drivers and services that are loaded. The boot log is useful in determining the exact cause of system startup problems.
That doesn't exist either.  I searched the harddrive for "*nt*log*" just to be safe, including hidden/system files. 

And I can't boot it up, I'm making it a slave drive. 

Any other ideas? I'm about ready to give up and put the harddrive in storage ("limbo") until I think of something else or get access to forensic software again. :-/

Some computers come with repair disks, which just replace the essential files for the OS and don't tamper with any others.
Title: Re: Decrypting NTFS
Post by: iago on April 21, 2006, 01:28:04 PM
Nope, I manually installed Windows XP. 
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 21, 2006, 01:42:15 PM
Quote from: iago on April 21, 2006, 01:28:04 PM
Nope, I manually installed Windows XP. 

Did you do a repair install over the drive?

Boot from the CD and select that you want to install, go through the options and it should detect your sister's XP system.  Tell it that you want to install to that path, and it will ask if you want to do a clean setup or repair.  Do repair.
Title: Re: Decrypting NTFS
Post by: iago on April 21, 2006, 05:51:56 PM
Quote from: MyndFyre on April 21, 2006, 01:42:15 PM
Quote from: iago on April 21, 2006, 01:28:04 PM
Nope, I manually installed Windows XP. 

Did you do a repair install over the drive?

Boot from the CD and select that you want to install, go through the options and it should detect your sister's XP system.  Tell it that you want to install to that path, and it will ask if you want to do a clean setup or repair.  Do repair.

You're positive that that won't blow out any accounts?  That's why I've been avoiding doing that, I'm not positive that I'll still be able to log in. 

If you're reasonably sure, I'll do it.  I don't have much to lose at this point.
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 21, 2006, 11:26:42 PM
Quote from: iago on April 21, 2006, 05:51:56 PM
Quote from: MyndFyre on April 21, 2006, 01:42:15 PM
Quote from: iago on April 21, 2006, 01:28:04 PM
Nope, I manually installed Windows XP. 

Did you do a repair install over the drive?

Boot from the CD and select that you want to install, go through the options and it should detect your sister's XP system.  Tell it that you want to install to that path, and it will ask if you want to do a clean setup or repair.  Do repair.

You're positive that that won't blow out any accounts?  That's why I've been avoiding doing that, I'm not positive that I'll still be able to log in. 

If you're reasonably sure, I'll do it.  I don't have much to lose at this point.

Repairing an installation will definitely not destroy any accounts, *unless* the accounts are already toast, which would make the matter a moot point anyway.
Title: Re: Decrypting NTFS
Post by: iago on April 21, 2006, 11:50:11 PM
Quote from: MyndFyre on April 21, 2006, 11:26:42 PM
Repairing an installation will definitely not destroy any accounts, *unless* the accounts are already toast, which would make the matter a moot point anyway.
Yeah, the accounts are fine, as far as I can tell.  I was able to view information about them and bruteforce their passwords, so at least the SAM and other stuff are intact. 

I don't have access to a computer to get that going right now, unfortunately, but when I do I'll be sure to let you know how it goes. 
Title: Re: Decrypting NTFS
Post by: Chavo on April 22, 2006, 02:49:49 PM
Quote from: iago on April 14, 2006, 12:46:39 PM
Hmm, the boot menu doesn't give me the option to log?

I get:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration (which doesn't work)
Start Windows Normally

Any idea how to make it show up?

ew@ Windows XP Home

I don't know if you can with the crippled version

You -could- try using Windows XPE to boot from CD into Windows and recover whatever files you need that way.  I don't know if it costs though, I've had my copy for a good 5 or 6 years.

EDIT: This (http://sourceforge.net/projects/winpe/) looks similar to what I have.
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 22, 2006, 02:57:51 PM
Quote from: unTactical on April 22, 2006, 02:49:49 PM
Quote from: iago on April 14, 2006, 12:46:39 PM
Hmm, the boot menu doesn't give me the option to log?

I get:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration (which doesn't work)
Start Windows Normally

Any idea how to make it show up?

ew@ Windows XP Home

I don't know if you can with the crippled version

You -could- try using Windows XPE to boot from CD into Windows and recover whatever files you need that way.  I don't know if it costs though, I've had my copy for a good 5 or 6 years.

EDIT: This (http://sourceforge.net/projects/winpe/) looks similar to what I have.

Oooh, I didn't know it was Windows XP Home.  You're not even supposed to have the Encrypting File System in XP Home (probably to keep home users from doing something like this).  If you need I can send you an XP Pro ISO.
Title: Re: Decrypting NTFS
Post by: iago on April 22, 2006, 03:56:42 PM
It's not Windows XP home, it's pro.  What makes you think it's home?
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 22, 2006, 04:29:49 PM
Quote from: iago on April 22, 2006, 03:56:42 PM
It's not Windows XP home, it's pro.  What makes you think it's home?

Oh good.  You should be okay then.
Title: Re: Decrypting NTFS
Post by: Chavo on April 23, 2006, 01:41:27 AM
You sure? I've only seen the 'crippled' startup menu choices in home...
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 23, 2006, 03:16:44 AM
Quote from: unTactical on April 23, 2006, 01:41:27 AM
You sure? I've only seen the 'crippled' startup menu choices in home...
What are the "crippled" startup choices that you speak of?
Title: Re: Decrypting NTFS
Post by: iago on April 23, 2006, 09:25:49 AM
I'm very sure. 

That's the menu that comes up if I don't press F8 in time, if the boot fails.  If I hit F8, I get a screenful of options.
Title: Re: Decrypting NTFS
Post by: Chavo on April 24, 2006, 10:19:36 AM
I just realized that I missed the entire 2nd page of posts....so yea, that's why my replies don't make sense :)  Carry on...
Title: Re: Decrypting NTFS
Post by: Sidoh on April 27, 2006, 08:27:03 PM
I'm terribly sorry for bumping this if this answer means nothing, but I was just looking over "the" Linux NTFS wrapper's website and it said it had a utility for decrypting encrypted NTFS

http://www.linux-ntfs.org :
Quote
Decrypting files: ntfsdecrypt is a new tool for decrypting NTFS encrypted files. Mostly stable, but needs a patched gnutls library
Title: Re: Decrypting NTFS
Post by: iago on April 27, 2006, 09:24:22 PM
Yeah, I think I mentioned that I read that.  You need a file from Windows to use that though, which requires the Cipher.exe program. But I couldn't run Cipher.exe.  Unless I missed anything. 
Title: Re: Decrypting NTFS
Post by: Sidoh on April 27, 2006, 09:26:41 PM
Quote from: iago on April 27, 2006, 09:24:22 PM
Yeah, I think I mentioned that I read that.  You need a file from Windows to use that though, which requires the Cipher.exe program. But I couldn't run Cipher.exe.  Unless I missed anything. 

Oops, sorry.  I must have missed it.
Title: Re: Decrypting NTFS
Post by: MyndFyre on April 27, 2006, 09:44:42 PM
Quote from: iago on April 27, 2006, 09:24:22 PM
Yeah, I think I mentioned that I read that.  You need a file from Windows to use that though, which requires the Cipher.exe program. But I couldn't run Cipher.exe.  Unless I missed anything. 
Did you ever get it fixed?
Title: Re: Decrypting NTFS
Post by: iago on April 28, 2006, 12:04:24 AM
Quote from: MyndFyre on April 27, 2006, 09:44:42 PM
Quote from: iago on April 27, 2006, 09:24:22 PM
Yeah, I think I mentioned that I read that.  You need a file from Windows to use that though, which requires the Cipher.exe program. But I couldn't run Cipher.exe.  Unless I missed anything. 
Did you ever get it fixed?
I don't have access to a computer right now, so I have no way of booting it.  I'll post here once I do, for sure.