May 28th, 2004, 03:29 AM
I have a small suggestion. It probably won't work but you never know.
I know Knoppix-STD has some password tools. Here's the list from their site
You could boot up, mount the hard drive, get the file and crack it. I'm not familiar with some of those tools so I'm not sure if they would work at all.
* john 1.6.34 : John the Ripper password cracker
* allwords2 : CERIAS's 27MB English dictionary
* chntpw : reset passwords on a Windows box (including Administrator)
* cisilia : distributed password cracker
* cmospwd : find local CMOS password
* djohn : distributed John the Ripper
* pwl9x : crack Win9x password files
* rcrack : rainbow crack
I hope you get this figured out. It seems like things ALWAYS go wrong right when you've got something important coming up.
May 28th, 2004, 03:48 AM
Just a thought: Could you possible boot to Knoppix or SLAX or some sort of other live distro, open the file using open office which is built into knoppix std i know and maybe some of the other ones, then save it as something else on a floppy or on a *nix partition? Or would the encryption still screw it over?
May 28th, 2004, 04:18 AM
The file is encrypted, you can't get at it unless you decrypt it first. As of now, biblio.doc (the file) Is just a ton of meaningless data with a .doc extension. It would have to be decrypted for a boot disk to transfer it into meaningful data.
I don't think I have a chance.
May 28th, 2004, 04:31 AM
Certainly looks that way... At any rate I can't think of anything other than using some sort of cracking program against it... If there are any that crack EFS out there...
May 28th, 2004, 05:55 AM
Well just to confirm what jinxy said, I'm sorry to say but basically... your screwed!
... unless ...
The only way to recover that data would be to have a backup of your private key which is/was located in your user profile (\Documents and Settings\username\Application Data\Microsoft\Crypto\RSA ) or that of a user designed as recovery agent. If by any chance you do have a backup of your old user profile, then you're probably in luck: check http://www.microsoft.com/technet/com.../5min-401.mspx for more instructions to restoring the keys and recovering your documents...
And btw, linux boot disks and other usual tricks for bypassing NTFS restrictions will not help in this case; EFS was designed precisely to protect against these types of "attacks" (although there are weaknesses making it possible to access the user keys if not using password protected syskey or syskey on a floppy, but this doesn't apply here: nobody has the keys period!).
Oh, and there are no cracks to decrypt EFS encrypted files themselves: on Win XP, the default cipher is DESX optionnaly 3DES, and with SP1, it's now 256bits AES. So good luck bruteforcing that...
Credit travels up, blame travels down -- The Boss
May 28th, 2004, 04:55 PM
I have not found a solution yet but i thought i would post this as it contains some good info on how EFS works:
Before considering EFS hacks you should have a basic understanding of how it works. EFS is only available when using the NTFS file system on a Windows 2000 or Windows XP Professional computer. Operations are slightly different if the Windows 2000 computer is joined in a Windows 2000 domain, if XP is the operating system, and whether certificates have been issued via a certificate authority, or via the built in self-signed certificate mechanism. When a Windows user wishes to encrypt a file he has only to select ‘encrypt’ from the advanced button on the file properties page, or save the file in a folder that has been previously marked for encryption. Thereafter, encryption and decryption is transparent to the user. The file is decrypted when opened and encrypted when saved. Should another user of the file system attempt to open the file, access is denied.
The full article is here: http://www.sans.org/newsletters/hacking_efs1.htm
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
May 28th, 2004, 06:16 PM
This is what confuses me now...
I don't ever remember turning on efs encryption on the drive. What's even weirder is the randomness of the files that are encrypted. I had my whole site on that drive, and in each folder, a few files have been encrypted, the rest haven't been encrypted and I can still access.
Weird huh? Anyways...
Time to type up a new bibliography. Thanks for the sandwich galdron (mmmmm md5...).
May 28th, 2004, 07:43 PM
EFS has a weakness that windows use to store the key INTO the file system. If you cant remember that you encripted the files, probably you didnt export the key (that is a good pratice) and remove it from disk. Therefore, key is still there. So you can use a commercial tool to crack it.
here is an example http://www.elcomsoft.com/aefsdr.html?from=passcr
(I never used a tool like that.....)
EFS is near unbreakable if you didnt store keys on encripted disks. AND its create do be that.
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.