
Adventures with Windows EFS

I sit here with, thank god, nearly all my documents and projects from my previous Windows installation.

I would like to thank Windows EFS for being so secure; however, the encryption didn’t play to my advantage, and I was locked out of my own files because I didn’t have permission. Well, I was in strife – I had just copied all the encrypted files over to the backup PC, ignored all mentions of the files not losing their encryption, and then proceeded to format my laptop (where the files originated from) and install a fresh, new copy of XP on it. Big mistake! I asked some friends and browsed the net for a few hours looking for people in a similar situation and realised that those files were long gone.

HOWEVER, I came across this post: http://forums.whirlpool.net.au/forum-replies.cfm?t=616938

“If I needed to attack your EFS files, this is what I’d need to do/access:

1. A copy of your SAM and possibly SYSTEM files. These are registry files under your user name. The SAM file holds an MD4 of your login password, and this is your Passkey. Your SAM file may be encrypted, and then I’d need your Syskey which is in the SYSTEM file (or on removable media as syskey.key)
2. Your Protect Info that is in \app data\MS\Protect\<sec_ident>
3. Your Private Key. This is in that folder mentioned above (RSA)
4. Your EFS encrypted files, obviously.
5. Your user login (which is hashed with SHA-1 to create the Master Key on SP1 onwards.)”

I used GetDataBack for NTFS ($79 US) and recovered the SAM (C:\Windows\System32\Config\SAM), SYSTEM (C:\Windows\System32\Config\System), RSA (C:\Documents and Settings\Application Data\Microsoft\Protect\<theid>) and a few other files in the Microsoft folder that looked EFS-related.
Well, that’s all good – I managed to collect all the files which contain my private key. I found out that my SYSTEM hive was corrupt (grr!), so I copied the SYSTEM hive out of my laptop’s new installation and coupled it with the SAM on the backup PC containing the encrypted files. Next was finding out how to use these files to reconstruct a private key, or something similar, to unlock the EFS encryption.
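The quoted list above and the corrupt SYSTEM hive are the two things a recovery like this actually hinges on, so here is an added example (my own code, not part of the original post and not from GetDataBack or AEFSDR) that walks a recovered NTFS tree, finds those artifacts case-insensitively (NTFS is case-insensitive and undelete tools don’t preserve case consistently), and checks each registry hive’s 4096-byte base block: the “regf” signature, the XOR-32 checksum over the first 508 bytes, and whether the two sequence numbers agree (they differ when the hive was not cleanly flushed). It assumes the Windows XP directory layout; the SystemCertificates\My\Certificates path for the EFS certificate is my addition, not something the quoted post lists, and the sample tree it builds is constructed placeholder data, not real hives or keys.

```python
"""Locate and sanity-check the files needed for offline EFS recovery."""
import os
import re
import struct
import tempfile

# Paths relative to the volume root, lower-case, as regular expressions.
# The first four are the items from the quoted list; the certificate store
# entry is an assumption added here (XP keeps the user's EFS cert there).
ARTIFACTS = {
    "sam_hive": r"windows/system32/config/sam",
    "system_hive": r"windows/system32/config/system",
    "dpapi_master_keys": r"documents and settings/[^/]+/application data/microsoft/protect/s-1-5-[0-9-]+/[^/]+",
    "efs_private_keys": r"documents and settings/[^/]+/application data/microsoft/crypto/rsa/s-1-5-[0-9-]+/[^/]+",
    "efs_certificates": r"documents and settings/[^/]+/application data/microsoft/systemcertificates/my/certificates/[^/]+",
}

REGF_BASE_BLOCK = 4096  # size of the hive header ("base block")


def find_efs_artifacts(root):
    """Walk `root` and return {artifact name: [matching file paths]}."""
    found = {name: [] for name in ARTIFACTS}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            for name, pattern in ARTIFACTS.items():
                if re.fullmatch(pattern, rel):
                    found[name].append(full)
    return found


def regf_checksum(base_block):
    """XOR-32 of the first 508 bytes; 0 and 0xFFFFFFFF are reserved and remapped."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def classify_base_block(hdr):
    """Return (status, embedded hive name) for the first 4096 bytes of a hive."""
    if len(hdr) < REGF_BASE_BLOCK:
        return ("truncated: shorter than the 4096-byte base block", None)
    if hdr[:4] != b"regf":
        return ("bad signature: not a registry hive", None)
    name = hdr[48:112].decode("utf-16-le", "replace").rstrip("\0")
    seq1, seq2 = struct.unpack_from("<II", hdr, 4)
    stored = struct.unpack_from("<I", hdr, 508)[0]
    if stored != regf_checksum(hdr):
        return ("checksum mismatch: base block is damaged", name)
    if seq1 != seq2:
        return ("dirty: sequence numbers differ, last write was not flushed", name)
    return ("ok", name)


def check_hive(path):
    """Read a hive file from disk and classify its base block."""
    with open(path, "rb") as f:
        return classify_base_block(f.read(REGF_BASE_BLOCK))


def build_hive_header(seq1=1, seq2=1, name="SYSTEM", corrupt=False):
    """Constructed base block for the demo (placeholder, not a real hive)."""
    hdr = bytearray(REGF_BASE_BLOCK)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, seq1, seq2)        # primary / secondary sequence
    struct.pack_into("<III", hdr, 20, 1, 5, 0)         # major, minor, type = primary
    struct.pack_into("<IIII", hdr, 32, 1, 0x20, 0x1000, 1)  # format, root cell, bins size, cluster
    hdr[48:112] = name.encode("utf-16-le").ljust(64, b"\0")
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    if corrupt:
        hdr[200] ^= 0xFF  # flip bits inside the checksummed region to simulate damage
    return bytes(hdr)


def make_sample_tree(base):
    """Constructed sample of a recovered XP volume (placeholder file contents)."""
    sid = "S-1-5-21-1234567890-1234567890-1234567890-1003"
    appdata = os.path.join(base, "Documents and Settings", "alice", "Application Data", "Microsoft")
    files = {
        os.path.join(base, "WINDOWS", "system32", "config", "SAM"): build_hive_header(name="SAM"),
        # SYSTEM hive with a damaged base block, the situation described in the post
        os.path.join(base, "WINDOWS", "system32", "config", "system"): build_hive_header(name="SYSTEM", corrupt=True),
        os.path.join(appdata, "Protect", sid, "3d6b3f9a-1c2e-4f0b-9a7d-0123456789ab"): b"\x02" + b"\0" * 63,
        os.path.join(appdata, "Crypto", "RSA", sid, "0f1e2d3c4b5a69788796a5b4c3d2e1f0_00000000-0000-0000-0000-000000000000"): b"\0" * 64,
        os.path.join(appdata, "SystemCertificates", "My", "Certificates", "0123456789ABCDEF0123456789ABCDEF01234567"): b"\0" * 64,
    }
    for path, data in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def run_demo(base=None):
    """Build the sample tree, locate artifacts and check both hives."""
    base = base or tempfile.mkdtemp(prefix="efs-recovery-")
    make_sample_tree(base)
    found = find_efs_artifacts(base)
    hives = {key: [check_hive(p) for p in found[key]] for key in ("sam_hive", "system_hive")}
    return found, hives


if __name__ == "__main__":
    found, hives = run_demo()
    for name, paths in found.items():
        print(f"{name:20s} {len(paths)} file(s)")
    for key, results in hives.items():
        for status, hive_name in results:
            print(f"{key}: {status} (embedded name: {hive_name})")
```

Run it as-is to see the sample report, or call `find_efs_artifacts` and `check_hive` on the real folder an undelete tool produced. A “checksum mismatch” on SYSTEM is exactly the case where you need another copy of that hive; a “dirty” result means the matching .LOG file should be recovered alongside it. The master-key and RSA files the walker finds are still DPAPI-protected, which is why the account password (with the SAM/SYSTEM pair for the syskey) is still needed before any of them unlock anything.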

The answer was ‘Advanced EFS Data Recovery’ or ‘AEFSDR’, priced at $133 AUD. I opened that program and hit the ‘Scan for Keys’ button, and it searched the backup PC’s HDD for master keys and private keys. It found some keys inside the SAM files that I had rescued, and they turned green, which meant they were usable. Once all the keys I had were listed and I had entered my previous installation’s account password and user names (all variations with Administrator and my user name) into the program, it searched for all encrypted files on my HDD: 7,000+ were decryptable and 2,000 to 2,500 were not.

I began decrypting and recovered the majority of my files. I would call this a successful (and lucky) case of EFS data recovery. It was only because I hadn’t installed much new software on the laptop’s new installation that I was able to retrieve the SAM and RSA keys.

So overall, I would like to tell people NOT to use EFS (Encrypting File System) on their entire computer UNLESS they have fully read how EFS works and how to back up the EFS certificate together with its private key (for example by exporting it from certmgr.msc with the private key included, or with cipher.exe /x), because I learnt my lesson the hard way.
