[sleuthkit-users] how to recover efs files on windows 7 enterprise
From: Frank de v. <car...@gm...> - 2012-02-27 13:23:29
Hi,

I've been trying to figure out if Autopsy is the correct tool to use to recover EFS files on Windows 7 Enterprise. Any help would be much appreciated. I've also looked at OWADE; is that more suitable? Although those developers mention that they've used it with WinXP, not (yet) with Windows 7 Enterprise.

Due to domain issues, on advice of the IT department I removed my profile (they forgot to mention they do NOT back up my profile (handy)). It appears 1 local folder (on c:\FOLDERNAME) has EFS enabled, huh? OK, right click on it, take off the encryption... well, not. I'm ..... I'm willing to take this challenge to get the relevant files back on my -linux- laptop. But first I need to decrypt those EFS files.

OS: Windows 7 Enterprise (Local Admin)
The version of the tools being used: ver 2.24
The platform (Ubuntu for example): Backtrack 5 or http://computer-forensics.sans.org/community/downloads
How you installed the tools (package, source, etc.):

Questions in relation to Autopsy:
1) Is it possible to recover these folders with Autopsy?
2) Is it possible to retrieve my old domain mail folders (Outlook 2010), which also disappeared after removal of my profile? (Although the IT admin promised that these should be backed up on drive X, guess what.., it did not happen again.)

NO, I've not made any backup of certs; I was not aware these folders were encrypted in the 1st place. I've managed to get some copied folders decrypted, but these are the less important files. (And contradict the claim of the IT admin, it's my fault....)

The folder itself is 16 Gb, including pdf, jpg, avi, xls, txt, ios bin, juniper etc. Basic stuff any network engineer does NOT want on a Windose environment (company policy decided that we use "Windows 7 Enterprise", no Linux allowed ...).

Other used commands via cmd (admin mode):
1) cipher /r:c:FOLDERNAME
2) gpupdate (did achieve a certain file to be encrypted, copied from the same folder).... the original one does appear to be decrypted
3) GPRESULT /H GPReport.html
   This is the report; interestingly it has a validation or date till 2112... example:

   Certificates update, and manage certificate templates in Active Directory Domain Services Using Off
   Public Key Policies / Encrypting File System

   Issued To      Issued By      Expiration Date      Intended Purposes  Overbearing GPO
   Administrator  Administrator  28/01/2112 9:23:16   File Recovery      Local Group Policy
   Dumbface1      Dumbface1      01/30/2112 11:50:00  File Recovery      Local Group Policy

4) cipher /d c:\heineken\*.*  ->  access denied

Links:

Cipher
http://technet.microsoft.com/nl-nl/library/cc771346(v=ws.10).aspx

How to add an EFS recovery agent in Windows XP Professional (I know I use Windows 7 Enterprise but information is very limited...)
http://support.microsoft.com/kb/887414

Protecting Data by Using EFS to Encrypt Hard Drives: Creating a Domain-Based Recovery Agent
http://technet.microsoft.com/en-us/library/cc875821.aspx#EJAA
Note: >>> By default, the built-in Administrator account for a domain is a recovery agent; in that case you do not need to create a recovery agent. <<<
The IT desk staff logged in with their Admin account, nothing happened (do they have the real built-in Administrator account..... guess not).

Encrypted file system recovery
http://beginningtoseethelight.org/efsrecovery/index.php
01. Elcomsoft offer a program called Advanced EFS Data Recovery. They don't even reply..... on mail enquiries.
02. Microsoft have a recovery program (reccerts.exe). Our IT admin is not capable of requesting that at Microsoft.
03. Passware offer a program called EFSKey. Too expensive.

OWADE: Offline Windows Analyzer and Data Extractor project.
https://bitbucket.org/Elie/owade/wiki/Home
This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI.
http://dpapick.com/documentation

Practical Approaches to Recovering Encrypted Digital Evidence
http://people.emich.edu/pstephen/other_papers/Recovering%20Encrypted%20Digital%20Evidence.pdf

Recovering-Windows-Secrets-and-EFS-Certificates-Offline
http://cdn.ly.tl/publications/Recovering-Windows-Secrets-and-EFS-Certi%EF%AC%81cates-Of%EF%AC%82ine.pdf

PRTK 6.5 & DNA 3.5 Release Notes (not sure this is a valid Windows 7 sw)
http://accessdata.com/downloads/media/PRTK_DNA_ReleaseNotes2.pdf
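The situation above (profile removed, EFS key gone, no certificate backup) is exactly what a pre-flight check prevents. As an added example, not from the poster or from the sleuthkit project, here is a PowerShell script to run as the file owner BEFORE a profile is deleted: it inventories EFS-encrypted files under a folder, shows per file which certificates can decrypt it (cipher /c), confirms the account still holds an EFS certificate with its private key, and backs that key up to a PFX with cipher /x. The folder path and PFX name are placeholders.

```powershell
# Added example (not the poster's code): EFS pre-flight inventory and key backup.
# Run as the account that owns the files, before its profile is removed.
param(
    [string]$Folder     = 'C:\FOLDERNAME',                # placeholder, folder from the post
    [string]$BackupBase = "$env:USERPROFILE\efs-backup"   # placeholder; cipher /x appends .pfx
)

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# 1. Inventory: every file under $Folder carrying the Encrypted attribute.
#    @() guards .Count when zero or one file comes back (PowerShell 2.0 on Win7).
$encrypted = @(Get-ChildItem -Path $Folder -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
"{0} encrypted file(s) under {1}" -f $encrypted.Count, $Folder

# 2. For the first few files, show who can decrypt them. cipher /c prints the
#    'Users who can decrypt' and 'Recovery Certificates' sections with thumbprints;
#    an empty recovery section means no DRA was in effect when the file was written.
$encrypted | Select-Object -First 3 | ForEach-Object { cipher /c $_.FullName }

# 3. Does this account still hold an EFS certificate WITH its private key?
#    Without it, neither the right-click 'remove encryption' nor cipher /d can work.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEku)
}
if (-not $efsCerts) {
    Write-Warning "No EFS certificate with a private key in CurrentUser\My; this account cannot decrypt the files."
} else {
    $efsCerts | Format-Table Thumbprint, Subject, NotAfter -AutoSize
    # 4. Back up certificate + private key to a password-protected PFX (cipher /x is the
    #    built-in EFS key backup; it prompts for the password). Store the PFX somewhere
    #    that survives a profile wipe, e.g. removable media or the backup drive.
    cipher /x "$BackupBase"
}
```

Compare the thumbprints printed in step 2 with those in step 3: a file is recoverable by this account only if one of its listed decryptor thumbprints matches a certificate that still has its private key.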