Is it possible to decrypt EFS files without backup certificate

[Kaysel]

I had some drives which are about to die. The client has encrypted the data. I need some help to recover the encrypted data from the drive. I want to know that does there is a way by which I an recover or decrypt those files if I lost to the certificate. It might be not ethical, but somehow it would be possible to that. I tried to find out some tools on web that has some options but they are useless. Till yet I am not able to get any appropriate solution for the same.

[Myra]

It is a process of cracking EFS file system. The below link has detailed information on what you are looking for. Read the Planning for and Recovering Encrypted Files: Recovery Policy section. Other than this I had seen some EFS recovery software. But they are paid. There is no free tool and there is no guarantee that even after purchasing the same it will work or not. There is one of software by Microsoft called as Post Upgrade EFS Recovery Tool 1.0. The second link below has one tool that can help you to recover the same.

[meb]

EFS is a different thing. It encrypts the file system at root level. The certification tells the system to decrypt the file. If you lost that or you had not kept the backup then I am doubtful that other software can help you. The tools that I had found basically ask for certificate. This all are very crucial process and you must always keep a backup with you.

[Amosz]

Recovery tools are useless without EFS certificate. People always ask about backdoor for EFS encryption but to some extent there is nothing like that available. Once the data is encrypted you cannot do anything on the same. I had tested my system a number of time to get rid of bitlocker encryption. But that does not really work. Once the drive is encrypted there is nothing you can do. The encryption tool ask for proper certificate and then only it recovers it.

[Stuartl]

I got a small extract on TechNet that provides a bit highlight on Disaster Recovery of EFS. The first point written was to plan for EFS recovery when you are configuring it. That means you must not keep this for future. You must plan it before, so that if this kind of stuff happens you would be able to get back your data instantly. Windows 2000 has some recovery agents. That might help to recover the keys, I am not sure about the new editions. There might be something much better. It is always recommended that you backup encrypted files to some other location. Also a complete system backup is more helpful. It provides you option to restore the key and user profile as it is on the partition.

[Jason A]

I want to know that does here anyone really tried to recovery the encrypted files. I found a tool called as Elcomsoft program. They have a paid edition to get this thing done. But I am not willing to buy one before I get a confirmation that it really works. The tools provides option to recover all the files and decrypt them without the need of certificate. I am not really sure about that. I had seen some videos on Youtube which shows Elcomsoft program tries to find the certificates first on the hard drive and then decrypt them. So in simple words no EFS files can be recovered by any tool unless and until it locates the certificate.

[Lucile]

What about Data Recovery Agents. Did you tried them. Check the below link. There is a detailed information on what you are looking for. Instead of going for any third party application the below link will help you to deal with the issue. EFS uses symmetric encryption that has a set of two keys. In this one is used to encrypt and other for decrypt. It is very complicated to manage this. But it is more secure compared to public key. The Data Recovery Agents are capable of finding out the file from the system and recovery them. There must be some part where the certificate is located. Because under no circumstances you can get your file back if you lose the cert.

5-Minute Security Advisor - Recovering Encrypted Data Using EFS

[Brandy]

There are some utility but before running them it recommended that you keep multiple backups. You said your drive are going to damage soon, so there are less chances you go for some experiments. If you had not deleted the certificate then Elcomsoft can help you. You just have to run that on a working system. It will scan and try to locate the cert and then decrypt the data. That is the only safest way I think it is going to work.

[IRVING]

EFS is developed by Microsoft and once all your files are encrypted no user can see them. That is the place where it becomes complicated while recovering. I was wondering that what if someone tries to recover the same on Linux. Does EFS is application on linux system also. There might some support or recovery tool provided which can allow us to do the same.

[Elwin-K]

Yes there is possibility of recovering EFS files on Linux. But it is quiet a long process. First you need to find a good distro which you can understand easily. It will advice you to use LiveCD or install it on some other hard drive. Then boot in Linux and install NTFS tools. That will allow Linux to read and write NTFS file system. You can then go with different data recovery software will be able to give you to the backup of encrypted files. Tools like NTFSDecrypt, Datarecovery, etc offers you option to get the unlocked version of encrypted documents in your system.

[SMichael]

That can be a way, but I found that complicated. All of us are not having good skills in Linux. And in this OS you have to configure each and everything manually. That is why Linux remains the last choice of many users. EFS does not comes with any backdoor. There are large discussions on this topic which says that there are possibility of recovering files, but no one has given a valid information. What I know that it is illegal to use any utility that might break EFS encryption. There are legal restriction on using tools that can provide this kid of facility. Also any invalid discussion or hacking stuff can cause legal action.

[Judy B]

I agree that there might be legal implications on this kind of file system. But what a person will do if his important data in on risk. My client is working for a financial firm. He is only having a single server where all important data which consist of transaction information is stored. He encrypted the drive so that the data is not visible to anyone. But if that is not recovered then it would be a great loss. As my client is not so technically good, but he has hired a guy who does all the server manging job. He left and there is no information available for us to recover the files. Microsoft must have kept some kind of tool or some kind of service that can allow use to get the data backup.

[Patton]

I had contacted some developers that can help me in that. They are working on some dos program that might help but for that you need proper support. You cannot just go on any drive and get the data from it. It is recommended that you consult first properly and then only go for the process. What I know that ample of security software simply failed on this process. There is no other way to recover the same. Thanks.

[Gregoryl]

It is not possible to break EFS encryption. It is designed with a motive to keep your system secure from other users. Also there is very less documentations made on recovery of EFS file system. Many of us has configured EFS blindly hoping that this would work well and no one has ever thought about data restore. That is the reason I specially keep the certificate backup so that this kind of problems do not evolve.

[shawntae]

Whenever I search on Google information on EFS recovery I can only find Advanced EFS Data Recovery by Elcomsoft. I checked the features and was able to find some set of things that I am really looking for. Like it helps to recover the data from hard drive which is moved to other system. Also it helps to to get deleted user profiles back. I do not know but that the tool claims to get data from damage disk also. So I am going to take a chance and get this software. I hope this will help me to get data back.