EFS encrypted files

advantage (Newbie, joined 28 Oct 2009)
Posted: 28 Oct 2009 at 11:06am
I used profwiz not realizing a client had a folder encrypted with EFS under his local logon. Of course the files are not accessible under his new domain logon, nor are they accessible after being copied back to his local profile. The folder does not even show as encrypted.

Is there a way to recover the EFS certificate of the local logon and use it to decrypt the files?

I tried the trial version of Elcomsoft's Advanced EFS Data Recovery, and no luck.

Are the files unrecoverable?

Support (Moderator Group, United Kingdom, joined 09 Nov 2006)
Posted: 28 Oct 2009 at 12:06pm
Hi,

The following procedure has worked for other customers. As long as you copied the encrypted data to the other profile (and did not move it) the files should be recoverable.

1. Re-enable the original local user account (if you have not already done so.)
2. Log on with an administrator account and re-run User Profile Wizard.
3. Select the local machine name from the "Enter the domain" dropdown list on the "User Account Information" page. Enter the old local user account name.
4. Select the profile and migrate it back to the original local user account. Reboot.
5. Log on as the local user account. (The machine can still be on the new domain.) You should now have access to the data.
6. You will probably find that you are unable to remove encryption at the top folder level. However, by opening the folder and selecting all items, you should be able to remove encryption.
7. Once all the encryption has been removed you can run User Profile Wizard again and assign the profile to the new domain account.

I hope this helps!
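
A pre-migration check for the situation in this thread, as an added example that is not part of the original posts or of ForensiT's tooling: it lists EFS-encrypted items under a profile folder and shows which users and certificates can decrypt one of them. The profile path and folder names are placeholders; `cipher.exe` is the built-in Windows EFS utility.

```powershell
# Added example: find EFS-encrypted items in a profile before migrating it.
# $ProfilePath is a placeholder; point it at the profile to be migrated.
param(
    [string]$ProfilePath = "C:\Users\olduser"   # hypothetical path
)

# Every file or folder that carries the NTFS Encrypted attribute.
$encrypted = Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

if (-not $encrypted) {
    Write-Output "No EFS-encrypted items under $ProfilePath"
    return
}

Write-Output ("{0} EFS-encrypted item(s) found:" -f @($encrypted).Count)
$encrypted | Select-Object FullName, Attributes | Format-Table -AutoSize

# cipher /c reports the users and certificate thumbprints able to decrypt a file.
$firstFile = $encrypted | Where-Object { -not $_.PSIsContainer } | Select-Object -First 1
if ($firstFile) {
    cipher.exe /c $firstFile.FullName
}

# To be run while logged on as the account that owns the EFS key
# (the original local user in this thread):
#   cipher.exe /x "$env:USERPROFILE\efs-backup"   # back up the EFS certificate and key
#   cipher.exe /d /s:"$ProfilePath\SomeFolder"    # decrypt a folder and everything below it
```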

advantage (Newbie, joined 28 Oct 2009)
Posted: 28 Oct 2009 at 12:27pm
Thanks for the quick reply!

I will give it a try.

What do you mean by copy vs. move? I didn't see an option to do one or the other. The encrypted files show up under the profile for the domain user account now, along with everything else.

Support (Moderator Group, United Kingdom, joined 09 Nov 2006)
Posted: 28 Oct 2009 at 2:57pm
You mentioned the files being "copied back" to the user's local profile. I was concerned that if they had been moved from the original profile you might have problems. It doesn't sound like that's the case though.

advantage (Newbie, joined 28 Oct 2009)
Posted: 28 Oct 2009 at 3:15pm
They are decrypted. Thank you!

Re: previous confusion - OK, I thought you were referring to copying or moving the profile initially. I did in fact copy the encrypted files to the old profile; in fact I had to use ntbackup to get around some "access denied" issues.

I also had to take the PC off the domain to get around password policy rules because the original password did not meet the policy requirements. But once all that was done, I was able to decrypt the files. I am now re-running Profwiz to put the PC back onto the domain and migrate the profile again.

Thanks again!

macky.patio (Newbie, Philippines, joined 08 Jan 2012)
Posted: 08 Jan 2012 at 5:24am
Hi, sorry for bringing up this post, but I have the same problem. I am a little bit confused about what you have said: "copy the encrypted data to the other profile (and did not move it)". Does it mean that I have to copy the encrypted files to the old profile? Or do I just need to migrate it back using ForensiT? If I do need to copy those encrypted files, how will I do that? TIA.

Support (Moderator Group, United Kingdom, joined 09 Nov 2006)
Posted: 08 Jan 2012 at 6:11am
User Profile Wizard does not move, copy or delete any files, so as long as you have not moved or copied anything the above procedure should work.

The confusion arose because of the way the original question was asked. You do not have to move or copy anything.

macky.patio (Newbie, Philippines, joined 08 Jan 2012)
Posted: 09 Jan 2012 at 6:05am
I believe User Profile Wizard just changes the profile path of the local machine to the domain (by registry or something like that), cmiiw. Does it trigger the encryption of the files?

Support (Moderator Group, United Kingdom, joined 09 Nov 2006)
Posted: 09 Jan 2012 at 6:21am
No, User Profile Wizard does not trigger the encryption of files. This thread deals with files encrypted before a profile is migrated.

murga (Newbie, Goražde, B&H, joined 20 Oct 2021)
Posted: 20 Oct 2021 at 12:37pm
Hi there,

I tried without success. In step 2 I logged on using a local admin account before running User Profile Wizard. Is this correct or should I use a domain admin account?

The profile migrated from the domain without problem, but the files remained encrypted with no possibility of decrypting them.

Thanks in advance!

