Good day to All,

Thank you for NTFSProgs!

Compiling 'ntfsdecrypt' took a while to track down all the needed dependencies, but now I've got it.

My situation involves an HDD failure.  First thing done was 'ddrescue' the disk to another known-good disk.  Second thing done was run some NTFS file recovery software and recover files.  I've managed to port the system to QEmu hardware (making use of WinVBlock and http://etherboot.org/wiki/appnotes/port_winnt_sanboot) and subsequently exported the .PFX file for the user with encrypted files.

But of course, the recovered files are assumed plaintext; there're no $EFS attributes associated with the files which are actually encrypted.  So I have some questions today:
- Is an $EFS attribute an NTFS stream?
- If so, does someone have a recommendation for NTFS file recovery software which includes recovery of NTFS streams?
- If not, is $EFS attributes only available in the $MFT?
- With the .PFX and the ciphertext versions of encrypted files, but no $EFS attribute, what is my best course of action?

Of course, the 'ddrescue' image is still available to me for further possibilities.

Thank you for your time and any advice you might have to offer,

- Shao Miller