Question : Problem with EFS Recovery

I have a user with a Seagate external drive which contains his entire portfolio.  The original laptop used for the backup to the Seagate drive was XP SP3. The data was encrypted on the Seagate drive (listed in green).   The original laptop has been upgraded to Windows 7 and the laptop hard drive was reformatted during the upgrade.  Now the user wants to move the data from the Seagate external drive back to the upgraded laptop. The data cannot be moved due to the encryption. I thought the Seagate Manager was used to encrypt the data, but after checking the advanced attributes of the files, it appears EFS was used to encrypt. Under encryption details the user's cert from the XP SP3 version of the laptop is listed.  I cannot add another 'User Who Can Transparently Access This File:' also no recovery agent is listed under "Data Recovery Agents For This File As Defined By Recovery Policy:"

The data on this hard drive HAS to be recovered.  Any ideas of how I can get the files recovered?

Answer : Problem with EFS Recovery

Ok, the user's account, for EFS, has a x509 certificate and key associated with it. if the xp user account was a local one, then your only hope is that you can recover that keystore from an unformat of the laptop - assuming that win7 has been applied, I would not hold out a great deal of hope there though.

there is no other route - EFS is not easily crackable (despite a certain American newspaper claiming they broke it in 3 days :) and almost all known attacks are on a password protecting the EFS key, not the encryption itself. I would therefore *immediately* discontinue use of the old laptop, remove the hard drive, mount it on another pc via a usb adaptor, and scan it with AEFSDR - which isn't cheap, but presumably cheaper (if it works) than losing the files. AEFSDR Pro can scan hard drives for the keys it needs, which if you are unreasonably lucky will be enough.
Random Solutions  
 
programming4us programming4us