Recovering Protected and Encrypted NTFS Files
This article describes the process of recovery for files protected, encrypted or compressed with EFS (NTFS), and gives you hints on how to tackle possible problems. NTFS has a lot of features not even imaginable in the older file system, FAT. Alternative data streams, user access permissions, on-the-fly compression and encryption are just a few things that are obvious to a computer user. Undeleting deleted files as well as recovering corrupted NTFS partitions presents more of a challenge to the designer of a data recovery tool than the older file system. Let’s deal with these issues one by one.
This is Part I of the article “Recovering Compressed, Protected and Encrypted NTFS Files” covering NTFS access control rights and on-the-fly encryption. The second part will discuss the ability to recover NTFS compressed files.
- NTFS Access Control Rights
- NTFS File Encryption
- Recovering NTFS Encrypted Files
- Tools and Limitations
- Questions and answers
- Comments
NTFS Access Control Rights
NTFS introduced a new feature allowing the operating system to control who can and who cannot access a given file, folder or disk. The feature uses file system attribute known as ACL (Access Control List) to allow or disallow certain activities such as the ability to read, write or create files, list the content of a folder, or change file permissions.
As many files belong to different users, including the operating system itself, strict obedience to permissions set in the access control list would restrict system administrators from being able to recover users’ files, or at least slow down the process significantly. For this reason, pretty much data recovery algorithm will ignore file access permissions by reading the disk directly, bypassing the high-level API of the file system. Effectively, NTFS access control lists are nothing to worry about when recovering information – if you have administrative rights on a given PC.
NTFS File Encryption
NTFS file encryption adds an extra layer of security. Not to be mistaken with access control rights, the encryption will actually alter the contents of the files, encrypting them with a strong encryption key derived from the user’s Windows account password.
NTFS encryption works differently compared to access control rights management. It is impossible and plain inefficient to recover such files in the direct disk access mode, even if their details are available in the MFT (Master File Table). While you can still read files “locked” with ACL attributes on another PC by simply changing or bypassing the attributes, encrypted files cannot be accessed as easily even if you have low-level access to the original disk. If you don’t know the exact password, you won’t be able to decrypt the content of encrypted files, which makes them effectively unusable. Note, however, that this only applies to situations when you are trying to recover somebody else’s files without knowing the original Windows account password. If you do know the password, you can read the encrypted files even on another PC.
Recovering NTFS Encrypted Files
NTFS-encrypted files must be accessed via Windows API’s, which basically means no low-level disk access in raw mode. The inability of data recovery tools to use raw disk access puts numerous restrictions on recoverability of NTFS-encrypted files. However, the recovery is still possible if you choose the right tool.
Tools and Limitations
Some of the more advanced NTFS recovery tools will correctly detect and process encrypted files – provided that the files were encrypted by the same Windows account you are logged in at the time of recovery, or at least if you know the original account password. The “how-to” tutorial on accessing NTFS-encrypted files from another PC is out of the scope of this article, so let’s just put a note that it is possible.
The recovery of NTFS-encrypted files carries certain restrictions and limitations, making the ability of a given tool to recover a given file under given circumstances a case-by-case issue.
NTFS volume recovery tools such as Hetman NTFS Recovery will be able to detect and recover encrypted files under certain conditions. Knowing the right password is essential, but it’s not enough. Hetman NTFS Recovery will need to use high-level Windows API’s to read encrypted files (as opposed to using direct disk access in raw mode). Thus the recovery of encrypted files will depend on whether or not Windows disk API is still able to read the file. For example, undeleting encrypted files located on a healthy disk is no different to undeleting any other type of file. Recovering NTFS-encrypted files from formatted NTFS disks is iffy, but generally still possible. If the file system is badly damaged, the chances of correctly recovering NTFS-encrypted files are much lower than those for non-encrypted ones. However, it’s always worth a try to see if your files in your situation are actually recoverable.
This article describes the methods of recovering protected and encrypted files. The next article explains the process of recovering files and folders compressed using standard NTSF means.
Can anyone please help me decrypt files encrypted by .aeur. PLZ HELP...
Generally I don't learn post on blogs, but I wish to say that this write-up very compelled me to check out and do it! Your writing taste has been amazed me. Thanks, very nice post.
We are glad that our article was helpful for you. If you have any questions, we will gladly answer them. https://www.youtube.com/channel/UCu-D9QnPsAPn7AtxL4HXLUg
Hello everyone! I would like to start discussion on this platform. At the beginning of my review I thank to all developers of this program. It is important to ensure the protection of my information and files. This article so useful because in this one describes the different types of methods of recovering protected and encrypted files. In this article so interesting and clear says about access control rights and new level of security. So, thanks a lot and good luck! P.s. It will be interesting to read comments from next commentators about Recovering Protected and Encrypted NTFS Files.
Are there any alternatives to NTFS file system that may provide better data recovery options?
Yes, there are several alternatives to NTFS file system that may provide better data recovery options. These include:
Can data recovery be done on an NTFS file system that has been formatted or re-partitioned?
Yes, data recovery can be done on an NTFS file system that has been formatted or re-partitioned. Depending on the extent of the damage, data recovery software may be able to recover some or all of the data that was stored on the partition.
What are some best practices for preventing the loss of compressed and encrypted NTFS files in the first place?
Is it possible to recover specific files or folders within a compressed and encrypted NTFS file system?
Yes, it is possible to recover specific files or folders within a compressed and encrypted NTFS file system. However, the process is more complicated than recovering files from an uncompressed and unencrypted file system. To do so, you will need specialized software that can decrypt and decompress the data, as well as a valid encryption key.
Are there any risks or potential data loss when attempting to recover compressed and encrypted NTFS files?
Yes, there are risks and potential data loss when attempting to recover compressed and encrypted NTFS files. Depending on the type of encryption used, the data may be permanently inaccessible if the correct encryption key or passphrase is not provided. Additionally, the recovery process can cause data corruption or loss if it is not done properly.
Read about recovering protected and encrypted NTFS files. If you do have any questions, don't hesitate to contact our technical support service - we will be happy to help you.