Re: recovery/forensics of NTFS encrypted folder. Jan 02 2007 08:29PM
levinson_k securityadmin info
I believe cracking EFS encrypted files is not going to be likely here, unless you were able to somehow recover the deleted user profiles from the wiped version of Windows from the disk, from the domain (if it was joined to a domain) or from a backup. How exactly was the disk "wiped?"

Good information on decrypting EFS files is at, starting with the links to the commercial tools that claim to be able to attempt to brute force EFS. I'm not sure if you will have success or not, or how quickly. I haven't yet heard of anyone that has had success with these products when the key is lost.

Microsoft reportedly has a tool that can help recover encryption keys to decrypt EFS files if you pay the $100 to $300 US for a tech support call to them, using the phone numbers at, and there are the manual procedures listed at But I believe these methods generally require having the keys from the user profile that encrypted the files.

You could choose to pay a disk recovery firm to attempt to recover the keys from the wiped disk. I understand this could cost $1000 or more with no guarantees of data recovery.

kind regards,
Karl Levinson

Copyright 2010, SecurityFocus