Cracking/recovering efs...?


hunterhunter
May 30th, 2006, 02:27 PM
I'm sure there's a way.

Unfortunately all my friend has left is the encrypted file. Nothing else, no recovery key, no hashes, nothing.

How can we crack this file?? What are the algorithms used in this process and how would we go about starting to crack this file?


Thanks!

mohaughn
May 30th, 2006, 05:19 PM
First off, you might want to consider deleting your post. There are a lot of people on here that will neg you for asking how to hack something.


Second, I think you are SOL. Depending on what version of Windows encrypted the file, the type of encryption used will change. XP SP1 and newer along with Win2003 use AES. There is no known hack to AES. You can bruteforce it, but you will be at it for a while.

hunterhunter
May 30th, 2006, 05:39 PM
Why would I get flamed for trying to broaden my skillsets? Cracking my own file would be a legitimate option for me. Nothing illegal, nothing taboo.

Thanks for the advice, any and all others are appreciated.


regards

Lv4
May 30th, 2006, 06:10 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=275417#post902746) by hunterhunter
Why would I get flamed for trying to broaden my skillsets? Cracking my own file would be a legitimate option for me. Nothing illegal, nothing taboo.

Thanks for the advice, any and all others are appreciated.


regards


Well, to answer the first question, because we don't /know/ it is your file? You are a new poster, you have no background with this site and we only have your word that it is "legit" to go off of. I'm not going to flame or neg you, but don't be surprised if someone else does.

Anyway on to the original question, I don't know of any way to crack an EFS file other than a bruteforce (which was already mentioned)... and that is going to take hardware and a lot of time. The administrator should be a key agent though, so that account should be able to see the information.

The Texan
May 30th, 2006, 09:23 PM
I seriously suggest you delete this point as advised above... There are some people who will neg you for posting sh*t like that. If you want to learn and broaden your skill sets check out AO's tutorial section. I won't neg you this time but now you know.

kruptos
May 30th, 2006, 10:34 PM
If you legitimately own the file you may have access to recover it as mentioned earlier. Was this file or computer on a Domain or Workgroup environment?

What happened to the server/computer that it was stored on?

A little background information will help us to help you.

Don't worry about being negged, if you are here for legitimate reasons we will know :-)

I also recommend doing a search in AO and Google for "EFS recovery agent" this may help you understand a little about what you are up against.

br_fusion
May 31st, 2006, 12:21 AM
Well if it is indeed your file....

Try moving the file that is encrypted with EFS, I assume it's located on an NTFS partition, and move it over to a FAT32 partition.

Since FAT32 doesn't support EFS, the file should come up as unencrypted. I'm not sure if this has been fixed as of yet.

mohaughn
May 31st, 2006, 12:42 AM
BR, that only works if you have the valid key to unencrypt the file. To successfully recover an EFS file you need to have the original private key, a recovery agent that is still valid, meaning either a domain admin account from the domain that you were a member of when the file was encrypted (and still a member of that domain) or the local administrator account if it was part of a workgroup.

In this case as there is no recovery information, and all they have is the file, there is no way to recover the data in the file other than a brute force attack.

As a best practice if you are using EFS you should create a backup of your private key and store that in a safe location. Or in corporate world, make sure that you have created a process by which your users can request a recovery agent to unencrypt their files.

Bruteforcing AES encryption is going to be pretty much impossible for someone that doesn't even know where to begin.
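
[Added example, not part of the original thread or any poster's code: one way to carry out the private-key backup recommended in the post above, assuming a current Windows system with the built-in PKI module. The backup path is a hypothetical placeholder; the two OIDs are the standard EFS and File Recovery enhanced key usages.]

```powershell
# Added example: back up every EFS certificate that still has its private key.
# $BackupDir is a hypothetical path; point it at removable or offline storage.
param(
    [string]$BackupDir = 'E:\efs-key-backup'
)

$EfsOid         = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent) EKU

# Return the enhanced-key-usage OIDs carried by a certificate.
function Get-EkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

# Certificates in the current user's store that EFS can use.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $oids = @(Get-EkuOid $_)
    ($oids -contains $EfsOid) -or ($oids -contains $EfsRecoveryOid)
}

if (-not $efsCerts) {
    Write-Warning 'No EFS or recovery-agent certificate in this profile.'
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX files'

foreach ($cert in $efsCerts) {
    # Without the private key the certificate cannot decrypt anything.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): public half only, cannot decrypt files."
        continue
    }
    $target = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
    try {
        Export-PfxCertificate -Cert $cert -FilePath $target -Password $password -ErrorAction Stop | Out-Null
        Write-Output "Backed up $($cert.Subject) to $target"
    } catch {
        Write-Warning "$($cert.Thumbprint): export failed (key marked non-exportable?): $_"
    }
}
```

The resulting PFX files, together with their password, are what has to survive a format and reinstall; the built-in `cipher /x` command produces an equivalent backup of the current user's EFS certificate and key.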

Relyt
May 31st, 2006, 01:18 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=275417#post902716) by hunterhunter ...Unfortunately all my friend (emphasis on friend added) has left is the encrypted file...

Well unless that person is taking a dirt nap, contact them to help you out.

If they are pushing up the daisies, go to the grave site and see if they left any clues on the Headstone. :D Seems to be a lot of that going around according to Hollywood.

Bruteforcing AES encryption is going to be...

Yep, make a copy of the file, start studying, then have at it!

Obviously a format & install is on the horizon.

cheers

hunterhunter
May 31st, 2006, 01:44 PM
Unfortunately my friend formatted his hard disk. He did not save the recovery key. Also, the administrator account that would be able to see the data was on that disk that we wiped. I might try some third party EFS recovery software. I doubt it will work though, probably because it requires the originating system to still be intact.

Thanks

hunterhunter
May 31st, 2006, 02:38 PM
Another thing. I also understand that this is encrypted using several keys. Thusly, encrypted several times.

So how would a brute-force attack work in this case? Because I believe there are a total of 3 hashes involved in EFS encryption.


Thanks for the help.

unhappy
May 31st, 2006, 03:37 PM
Look at this thread that I've made a while ago

It deals w/ the same issue.

Also if you search for my threads around the same time you will find more questions from me about EFS

http://www.antionline.com/showthread.php?s=&threadid=265298




JUST TO LET YOU KNOW... I ENDED UP LOSING THE DATA. EFS IS "SO FAR" QUITE SECURE

mohaughn
May 31st, 2006, 05:34 PM
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx#EUCAC

This link takes you directly to the high level overview of how the files are encrypted-

http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c18621675.mspx#EMF


In reading through that document I did notice that it does not talk about AES encryption. The process should be very similar in that you just replace 3DES or DESX with AES in XP SP1 and higher.