Recovering deleted encrypted files
(OP)
Hello,
I need to recover the content of a deleted encrypted file from an NTFS volume. I can read the file's content by directly accessing the volume (reading and decoding MFT, data runs and all that candy). I see that encrypted files have a named NTFS attribute of type LOGGED_UTILITY_STREAM (name is $EFS). I need to interpret the content of this, the goal being to obtain the (encrypted) FEK (file encryption key).
From the info I could gather so far, this data consists of:
struct EFS_INFO_HEADER
{
    DWORD m_dwSize;
    DWORD m_dwVersionMinor;
    DWORD m_dwVersionMajor;
    DWORD m_dwUnknown1;
    BYTE  m_Checksum[32];
    BYTE  m_Unknown2[?];
    // count of DDF entries
    // the DDF entries
    // count of DRF entries
    // the DRF entries
};

struct EFS_DDF_ENTRY
{
    // header
    // container name
    // crypto provider name
    // EFS certificate hash
    // encrypted FEK
};

struct EFS_DRF_ENTRY
{
    // header
    // container name
    // crypto provider name
    // EFS certificate hash
    // encrypted FEK
};
Does anyone know more about these structures, where they are defined, and where I can find more about them? Some of these structures seem to have members that are sometimes missing, and I cannot decide how to handle this.
Another approach would be to use the WriteEncryptedFileRaw API and then feed it the necessary data in the callback function, essentially attempting a restore directly from the deleted file. Again, I see by attempting to use ReadEncryptedFileRaw that the data this API stuffs into my callback function on backup is some header, followed by the $EFS attribute (slightly modified!), then some additional data, probably another header, then the encrypted content, interrupted every now and then by some unknown data. I have no documentation for any of these, thus I cannot manually construct the data stream to feed into the callback function for WriteEncryptedFile.
Any info, hint, pointer in the right direction would be welcome. Thanks a lot.
Regards,
Levente
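As an added example (not the OP's code), a Python decoder for the documented prefix of the $EFS attribute as listed above. The field names and the 48-byte prefix length follow the post; the sample bytes are constructed, and everything after the checksum is kept opaque because the post does not document it.

```python
import struct
from dataclasses import dataclass

# Leading, documented part of the $EFS attribute as described in the post:
# four little-endian DWORDs followed by a 32-byte checksum. Anything after
# that is undocumented here and is kept as opaque trailing bytes.
EFS_HEADER_FMT = "<IIII32s"
EFS_HEADER_LEN = struct.calcsize(EFS_HEADER_FMT)  # 48 bytes


@dataclass
class EfsInfoHeader:
    size: int           # m_dwSize: total length of the $EFS data (per the post)
    version_minor: int  # m_dwVersionMinor
    version_major: int  # m_dwVersionMajor
    unknown1: int       # m_dwUnknown1
    checksum: bytes     # m_Checksum[32]
    trailing: bytes     # undocumented remainder (DDF/DRF area), not interpreted


def parse_efs_header(data: bytes) -> EfsInfoHeader:
    """Decode the known prefix of a $EFS attribute and sanity-check it.

    Refuses to guess when the buffer is too short or when the embedded size
    field disagrees with what was actually read from the volume, which is the
    symptom to expect when a deleted file's clusters have been reused.
    """
    if len(data) < EFS_HEADER_LEN:
        raise ValueError(f"$EFS data too short: {len(data)} < {EFS_HEADER_LEN}")
    size, minor, major, unknown1, checksum = struct.unpack_from(EFS_HEADER_FMT, data, 0)
    if size < EFS_HEADER_LEN or size > len(data):
        raise ValueError(f"m_dwSize {size} inconsistent with buffer of {len(data)} bytes")
    return EfsInfoHeader(size, minor, major, unknown1, checksum, data[EFS_HEADER_LEN:size])


# Constructed sample (not a real $EFS attribute): header plus 16 opaque bytes.
SAMPLE_TRAILING = bytes(range(16))
SAMPLE_EFS = struct.pack(
    EFS_HEADER_FMT, EFS_HEADER_LEN + len(SAMPLE_TRAILING), 0, 1, 0, b"\xaa" * 32
) + SAMPLE_TRAILING
```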
RE: Recovering deleted encrypted files
Thus, I either recover the encrypted FEK and then will attempt to decrypt it with all private keys I own, or I find out what the structure of the buffer I should feed to WriteEncryptedFileRaw is, so that the OS does the decryption for me.
Again, I do not want to recover foreign files (from other users of other systems/domains).
RE: Recovering deleted encrypted files
Chip H.
____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
RE: Recovering deleted encrypted files
I've been using a program called Advanced EFS Data Recovery, but it does not work on encrypted files that I recovered after being deleted. Is this the same problem you are having? If so, please let me know if you found a solution.
Paul