Forensic Focus - General Discussion - decrypting a slave HDD

Forensic Focus

General Discussion

decrypting a slave HDD

decrypting a slave HDD

Posted: Sat Sep 27, 2008 5:29 am
Author: rono Location: Norway/Akerhus
I have an 80 GB HDD which contain an encrypted folder with family pictures and videos.

This folder was encrypted by myself for 3-4 years ago.

The HDD was a slave hdd in my old computer and when I was re - formatting my master HDD I've loose my encryption key for the folder on the slave hdd.

I didn't take any backup of this key.I used encryption option in XP .

How can I get access to the files from that folder on the slave hdd?

Now i'm using Vista ,but i can install on a test computer xp if necessary ,for recovery the pictures and videos.

Any help,step-by-step guide,tips,3rd party encrypted file recovery software refferal it will be appreciated!

Dan ,Romania

Re: decrypting a slave HDD

Posted: Sat Sep 27, 2008 7:04 am
Author: rono Location: Norway/Akerhus
common Smile
nobody have an idea about this?

Re: decrypting a slave HDD

Posted: Sat Sep 27, 2008 7:50 am
Author: BitHead Location: Western - US
Patience Weed Hopper (said in my best Kung Fu's master's voice). Expecting a thoughtful response within 2 hours on a Saturday morning is a little, well, lacking in patience.

Here is a little reading on EFS:
EFS decryption without any original keys !!!
Decrypt Efs Encrypted Files
How to Decrypt EFS Files in Win XP Pro when OS is lost.

Re: decrypting a slave HDD

Posted: Sat Sep 27, 2008 8:00 am
Author: rono Location: Norway/Akerhus
You're the Saturday MAN! Very Happy

Thanks a lot !

Re: decrypting a slave HDD

Posted: Sat Sep 27, 2008 8:14 am
Author: LarryDaniel Location: Raleigh, NC
Encase supports decryption of EFS for locally authenticated users without the key.

Not sure if it will work in your case since it is a different computer.

Re: decrypting a slave HDD

Posted: Sat Sep 27, 2008 2:36 pm
Author: rono Location: Norway/Akerhus
what if I move the folder to a FAT32 HDD?

Re: decrypting a slave HDD

Posted: Sat Sep 27, 2008 4:00 pm
Author: BitHead Location: Western - US
- rono
what if I move the folder to a FAT32 HDD?
It is still encrypted.

Re: decrypting a slave HDD

Posted: Sun Sep 28, 2008 11:37 am
Author: Forensics Location: Austin, Texas
[Moderated - please use a PM if offering a commercial service]

Re: decrypting a slave HDD

Posted: Mon Sep 29, 2008 4:27 am
Author: rono Location: Norway/Akerhus
It's looks like this is an " mission impossible".

Neither apps on the market(Elcomsoft and Passware;tried both and paidfor license at Elcomsoft) can fix this even they says that their apps do!

The only way out in my situation is to pay Microsoft to fix that;they have an app called reccerts.exe which is only avaiable if you open and pay a fee ...here in Norway it's about 700$ Evil or Very Mad

Re: decrypting a slave HDD

Posted: Mon Sep 29, 2008 6:49 am
Author: rjpear Location: NW PA
Check this link out and see if it works for ya...
www.tweakxp.com/article37355.aspx
(nevermind.. for the above you need the user accounts to still be around..which you don't have.. Sorry.)


Rob

Re: decrypting a slave HDD

Posted: Mon Sep 29, 2008 7:50 am
Author: rono Location: Norway/Akerhus
- rjpear
Check this link out and see if it works for ya...
www.tweakxp.com/article37355.aspx
(nevermind.. for the above you need the user accounts to still be around..which you don't have.. Sorry.)


Rob


Thanks anyway! Smile I 've been trying the last 3 days all the advices found on net...

Re: decrypting a slave HDD

Posted: Mon Sep 29, 2008 8:33 am
Author: psu89 Location: Hartford, CT
Have you tried to recover any user data off the formatted drive?

Re: decrypting a slave HDD

Posted: Mon Sep 29, 2008 8:40 am
Author: rono Location: Norway/Akerhus
- psu89
Have you tried to recover any user data off the formatted drive?


I've tried but now i taking a look at my records and found out that the master was a defective hdd and that's why i replaced it...so i'm done with this issue Confused Evil or Very Mad i will never ever get access to files on the slave hdd.

Thank you all off you who tried to help me Wink

Re: decrypting a slave HDD

Posted: Mon Sep 29, 2008 9:18 am
Author: BitHead Location: Western - US
- rono
I've tried but now i taking a look at my records and found out that the master was a defective hdd and that's why i replaced it...so i'm done with this issue Confused Evil or Very Mad i will never ever get access to files on the slave hdd.
It may not be bootable, but that does not necessarily mean you cannot get access to the files necessary to decrypt the EFS encrypted files. Have you tried examining the drive with Helix or one of the other *nix variants to see if you can get the data from the master needed for decryption?

Re: decrypting a slave HDD

Posted: Tue Sep 30, 2008 2:17 pm
Author: gmarshall139 Location: Virginia/Nevada, USA
It can be done but you need a couple registry files from the OS drive. As BitHead said, the drive may work well enough to pull those off. If you don't have that it's a lost cause.
All times are GMT - 6 Hours
Page 1 of 1
http://www.forensicfocus.com/