Hi,
Why don't you just run ntfsdecrypt on the ddrescue obtained image?!? Or is the MFT damaged/missing so you cannot do that?
Best regards,
Anton
On 31 Jan 2010, at 16:37, Miller, Shao wrote:
> Good day to All,
>
> Thank you for NTFSProgs!
>
> Compiling 'ntfsdecrypt' took a while to track down all the needed dependencies, but now I've got it.
>
> My situation involves an HDD failure. First thing done was 'ddrescue' the disk to another known-good disk. Second thing done was run some NTFS file recovery software and recover files. I've managed to port the system to QEmu hardware (making use of WinVBlock and http://etherboot.org/wiki/appnotes/port_winnt_sanboot) and subsequently exported the .PFX file for the user with encrypted files.
>
> But of course, the recovered files are assumed plaintext; there're no $EFS attributes associated with the files which are actually encrypted. So I have some questions today:
> - Is an $EFS attribute an NTFS stream?
> - If so, does someone have a recommendation for NTFS file recovery software which includes recovery of NTFS streams?
> - If not, are $EFS attributes only available in the $MFT?
> - With the .PFX and the ciphertext versions of encrypted files, but no $EFS attribute, what is my best course of action?
>
> Of course, the 'ddrescue' image is still available to me for further possibilities.
>
> Thank you for your time and any advice you might have to offer,
>
> - Shao Miller
--
Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
Linux NTFS maintainer, http://www.linux-ntfs.org/