How I learned about file encryption

So a week or more ago I mentioned on Twitter that I would tell the horrible encryption failure I had when I first found out about how to encrypt data. When I first moved into Information security years ago, I learned about how you could encrypt data and no one would be able to view it without the key.

So I was running Windows XP at the time and I decided to play with the Windows EFS on my home machine. I encrypted my local “personal data” folder, and moved it off to secondary storage.  I was able to view it, open it, move it back and forth, etc. The time came to reload my machine. I was careful to move and verify all my data on the secondary storage, verified I could access it, open it, etc.

I proceeded to DBAN the local drive, reload the OS, install the applications, and when the time came to move the data over, I couldn’t open it. I thought “Hmm…that’s odd…” I proceeded to try to re-copy the data over to the local drive, and check a few of the attributes of the file before realizing that I had encrypted the files before moving them. I moved them to a NTFS drive, which meant it kept the encryption intact when I copied them to the external drive. I did my best google-fu to try to find any way to get this data back. The “personal data” contained family photos, my resume, web favorites, etc., so I was definitely not happy about losing it.

I even went so far as to ask a coworker to call in a favor to a friend at Microsoft. The reply was there was no backdoor/master key to get the data back again. I was learning a hard lesson in encryption really fast. Although I knew the passcode for the key, I was unable to retrieve the data. The good thing that it did was make me want to learn more about file encryption and what can/can’t be done with it.

I learned about file versus whole disk encryption, as well as where keys are stored. I also learned to be sure that no matter what, you move the keys if you’re going to wipe a drive! If I can offer anything to anyone about file encryption it would be to completely understand how it works before you play with live data when you have no other copy.

Also…if anyone breaks 256-AES EFS I’d like to chat with you 🙂

2 thoughts on “How I learned about file encryption”

  1. Let me see if I have this straight. You conducted your experiment not on some test machine using test data but on data of a more irreplaceable kind? You then nuked the original drive with DBAN without having ANY backup of the system state of that original?

    Hoo, boy!

    Talk about playing with matches!

    If you ever do decide to experiment with Windows encryption again I found some advice you may find useful:

    http://www.tomshardware.com/forum/53233-45-recovery-encrypted-files-help

    You should especially read the paragraph on backing up the “personal encryption certificate (with its associated private key) 
and the recovery agent certificate”. Having those on hand makes recovery of encrypted data more feasible. (Backing up the system state of the Windows system with the backup command would probably achieve the same end as a backup of just those two certificates files. BUT VERIFY THIS FIRST! Don’t just ASSUME it will work!)

    That said, breaking encrypted files is not IMpossible. It is just very, very hard. As in you may need to be the NSA and have a server farm or two of supercomputers out back for it to work in any reasonable timeframe. And even then you may need a spare millennium or two.

    Still there are places you can go to which will give it a try. Check out, for example:

    http://www.easeus.com/datarecoverywizard/recover-encrypted-data.htm
    http://www.efsdatarecovery.com/

    Note that you will probably be charged an arm and leg and I doubt if success can be guaranteed. (Your friend’s advice is pretty much the general wisdom on Windows encryption.) Still, nothing ventured nothing gained. But for heaven’s sake if you do use one of these services don’t allow them to experiment on your one and only copy of a file! Make backups!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s