Cracking/recovering efs...?
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Cracking/recovering efs...?

  1. #1
    Junior Member
    Join Date
    May 2006
    Posts
    9

    Cracking/recovering efs...?

    I'm sure there's a way.

    Unfortunately all my friend has left is the encrypted file. Nothing else, no recovery key, no hashes, nothing.

    How can we crack this file?? What are the algorithms used in this process and how would we go about starting to crack this file?


    Thanks!

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    First off, you might want to consider deleting your post. There are a lot of people on here that will neg you for asking how to hack something.


    Second, I think you are SOL. Depending on what version of windows encrypted the file the type of encryption used will change. XP SP1 and newer along with Win2003 use AES. There is no known hack to AES. You can bruteforce it, but you will be at it for awhile.

  3. #3
    Junior Member
    Join Date
    May 2006
    Posts
    9
    Why would I get flamed for trying to broaden my skillsets? Cracking my own file would be a legitimate option for me. Nothing illegal, nothing taboo.

    Thanks for the advice, any and all others are appreciated.


    regards

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Originally posted here by hunterhunter
    Why would I get flamed for trying to broaden my skillsets? Cracking my own file would be a legitimate option for me. Nothing illegal, nothing taboo.

    Thanks for the advice, any and all others are appreciated.


    regards

    well to answer the first question, because we don't /know/ it is your file? You are a new poster, you have no background with this site and we only have your word that it is "legit" to go off of. I'm not going to flame or neg you, but don't be suprised if someone else does.

    Anyway on to the original question, I don't know of any way to crack an EFS file other than a bruteforce (which was already mentioned)... and that is going to take hardware and a lot of time. The administrator should be a key agent though, so that account should be able to see the information.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  5. #5
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    I seriously suggest you delete this point as advised above... There are some people who will neg you for posting sh*t like that. If you want to learn and broaden your skill sets check out AO's tutorial section. I wont neg you this time but now you know.
    Git R Dun - Ty
    A tribe is wanted

  6. #6
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    If you legitimatly own the file you may have access to recover it as mentioned earlier. Was this file or computer on a Domain or Workgroup environment?

    What happend to the server/computer that it was stored on?

    A little background information will help us to help you.

    Dont worry about being negged, if you are here for ligitimate reasons we will know :-)

    I also recommend doing a search in AO and Google for "EFS recovery agent" this may help you understand a little about what you are up against.
    \"Common Sense, isn\'t that common\"
    \"It is a lot easier to raise a child then it is to repair an adult\"
    -Kruptos

  7. #7
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    Well if it is indeed your file....

    Try moving the file that is encrypted with EFS, I assume its located on a NTFS partition, and move it over to a FAT32 partition.

    Since FAT32 doesn't support EFS, the file should come up as unencrypted. I'm not sure if this has been fixed as of yet.
    The command completed successfully.


    \"They drew first blood not me.\"

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    BR, that only works if you have the valid key to unencrypt the file. To successfully recover an EFS file you need to have the original private key, a recovery agent that is still valid meaning either a domain admin account from the domain that you were a member of when the file was encrypted(and still a member of that domain) or the local administrator account if it was part of a workgroup.

    In this case as their is no recovery information, and all they have is the file, there is no way to recover the data in the file other than a brute force attack.

    As a best practice if you are using EFS you should create a backup of your private key and store that in a safe location. Or in corporate world, make sure that you have created a process by which your users can request a recovery agent to unencrypt their files.

    Bruteforcing AES encryption is going to be pretty much impossible for someone that doesn't even know where to begin.

  9. #9
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675

    Re: Cracking/recovering efs...?

    Originally posted here by hunterhunter ...Unfortunately all my friend (emphasis on friend added) has left is the encrypted file...
    Well unless that person is taking a dirt nap, contact them to help you out.

    If they are pushing up the daisys, go to the grave site and see if they left any clues on the Headstone. Seems to be a lot of that going around according to Hollywood.

    Bruteforcing AES encryption is going to be...
    Yep, make a copy of the file, start studying, then have at it!

    Obviously a format & install is on the horizon.

    cheers
    Connection refused, try again later.

  10. #10
    Junior Member
    Join Date
    May 2006
    Posts
    9

    well..

    Unfortunately my friend formatted his hard disk. He did not save the recovery key. Also, the administrator account that would be able to see the data was on that disk that we wiped. I might try some third party EFS recovery software. I doubt it will work though, probably because it requires the originating system to still be intact.

    Thanks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides