Decrypting Windows Efs

[MikeFromDenmark]

Hi

Im trying to recover my girlfriends, tanked, Windows XP media center partition containing encrypted files.

My girlfriend tells me she had 5 passwords during the time of use on that particular harddrive so i dont think i'll be needing a bruteforce approach.

So here's how far i've gotten:

Used knoppix with dd to get a snapshot of the tanked laptop disk.

converted that to vmware and i am now able to mount the disk in any (virtual) enviroment.

blanked out.

Can anyone point me in the right direction recovering her data?

If i succeed i probably wont have to deal with dirty dishes and diapers for quite some time.

Any help would be highly appreciated.

[Infiltrator]

Found this:

http://forum.s-t-d.org/viewtopic.php?id=2828

[MikeFromDenmark]

Thanks for the quick reply :D

the downloads are pretty much useless it seems but the post about ERD commander seems very promising :D

[Mr-Protocol]

You'd have to boot from the image made with dd, not just mount it to a running OS. And if it's XP good luck because faulty drivers will cause that thing to BSOD because drivers wont match the hardware, make sure to get into safe mode.

[digip]

You can mount it in another machine running XP, then take ownership of the files while logged in as admin, and then remove the EFS from the files. Can also copy to a fat drive and efs will be removed, since only NTFS will do the efs. Admins have access to windows efs as where normal users wont. Must be at least professional edition of XP to take ownership, as home edition doesn't let you do it(out of box anyway). You would have to escalate yourself to system if you only have home edition, which can be done from within windows home edtion using the at command in a cmd window to relaunch explorer.exe as system after killing it.