Recovering Protected
and Encrypted NTFS Files

NTFS has a lot of features not even imaginable in the older file system, FAT. Alternative data streams, user access permissions, on-the-fly compression and encryption are just a few things that are obvious to a computer user. Undeleting deleted files as well as recovering corrupted NTFS partitions presents more of a challenge to the designer of a data recovery tool than the older file system. Let’s deal with these issues one by one.

Encrypted Files

This is Part I of the article “Recovering Compressed, Protected and Encrypted NTFS Files” covering NTFS access control rights and on-the-fly encryption. The second part will discuss the ability to recover NTFS compressed files.

NTFS Access Control Rights

NTFS introduced a new feature allowing the operating system to control who can and who cannot access a given file, folder or disk. The feature uses file system attribute known as ACL (Access Control List) to allow or disallow certain activities such as the ability to read, write or create files, list the content of a folder, or change file permissions.

User permission

As many files belong to different users, including the operating system itself, strict obedience to permissions set in the access control list would restrict system administrators from being able to recover users’ files, or at least slow down the process significantly. For this reason, pretty much data recovery algorithm will ignore file access permissions by reading the disk directly, bypassing the high-level API of the file system. Effectively, NTFS access control lists are nothing to worry about when recovering information – if you have administrative rights on a given PC.

NTFS File Encryption

NTFS file encryption adds an extra layer of security. Not to be mistaken with access control rights, the encryption will actually alter the contents of the files, encrypting them with a strong encryption key derived from the user’s Windows account password.

NTFS encryption works differently compared to access control rights management. It is impossible and plain inefficient to recover such files in the direct disk access mode, even if their details are available in the MFT (Master File Table). While you can still read files “locked” with ACL attributes on another PC by simply changing or bypassing the attributes, encrypted files cannot be accessed as easily even if you have low-level access to the original disk. If you don’t know the exact password, you won’t be able to decrypt the content of encrypted files, which makes them effectively unusable. Note, however, that this only applies to situations when you are trying to recover somebody else’s files without knowing the original Windows account password. If you do know the password, you can read the encrypted files even on another PC.

Recovering NTFS Encrypted Files

NTFS-encrypted files must be accessed via Windows API’s, which basically means no low-level disk access in raw mode. The inability of data recovery tools to use raw disk access puts numerous restrictions on recoverability of NTFS-encrypted files. However, the recovery is still possible if you choose the right tool.

Tools and Limitations

Some of the more advanced NTFS recovery tools will correctly detect and process encrypted files – provided that the files were encrypted by the same Windows account you are logged in at the time of recovery, or at least if you know the original account password. The “how-to” tutorial on accessing NTFS-encrypted files from another PC is out of the scope of this article, so let’s just put a note that it is possible.

The recovery of NTFS-encrypted files carries certain restrictions and limitations, making the ability of a given tool to recover a given file under given circumstances a case-by-case issue.

NTFS volume recovery tools such as Hetman NTFS Recovery will be able to detect and recover encrypted files under certain conditions. Knowing the right password is essential, but it’s not enough. Hetman NTFS Recovery will need to use high-level Windows API’s to read encrypted files (as opposed to using direct disk access in raw mode). Thus the recovery of encrypted files will depend on whether or not Windows disk API is still able to read the file. For example, undeleting encrypted files located on a healthy disk is no different to undeleting any other type of file. Recovering NTFS-encrypted files from formatted NTFS disks is iffy, but generally still possible. If the file system is badly damaged, the chances of correctly recovering NTFS-encrypted files are much lower than those for non-encrypted ones. However, it’s always worth a try to see if your files in your situation are actually recoverable.

This article describes the methods of recovering protected and encrypted files. The next article explains the process of recovering files and folders compressed using standard NTSF means.

Author: Michael Miroshnichenko