How do you decrypt the EFS encrypted files on a domain?

I have come across a problem here that I never had to tackle before.

Basically, I had to get some encrypted files out of the hard drive.

This was one of the few laptops with EFS encryption (Encrypting File System). Say what you will about this encryption scheme; while I’m sure it’s crackable, I would rather not get into borderline illegal means to the end, especially given the location I work in.

Anyway, more specifically, what I had to do in this case was to get a few files out of the retired user’s encrypted folders per request from the higher-ups.

There, I came across a few problems, including the fact that the user was retired and his account inactive, and the fact that the computer, once joined to a domain, was no longer joined and I could only log onto the local administrator account.


Problem

Well, the problem here is obvious, or perhaps I should call it the question. The question is: how do you take the encrypted files off the hard drive so that they can be read by others? We are not talking about full decryption here. We just need to get into the computer and take them out.

Answer

The first thing I tried, of course, was to open the files and, if that was not possible, move them off the computer. By the way, the computer was on Windows XP.

The local administrator account was denied access to the files, so that was a no-go. So I turned to the internet.

Well, Microsoft had an answer, of sorts.

The problem with that? It needed me to generate and back up a recovery key, or create a recovery agent, neither of which I could do without admin-level power on the domain, which I did not have (keep in mind that I’m not very high up the totem pole here, and therefore cannot do a lot of high-level stuff).

So, some sleuthing was in order to answer a few questions. I knew that once I was logged into the (retired) user’s account, I could move the files off to a USB drive and that would automatically decrypt them in the process. I was not sure what would happen to the encrypted files if the password was reset. So, I needed to know:

  • if getting the computer out and back into the domain would corrupt the EFS-encrypted files, and
  • if resetting the password would, likewise, bork the EFS files.

I avoided answering the second question, unfortunately, as I knew the password already and did not have to change it—although I was tempted to do so when the helpdesk people who are more familiar with these types of things asked if I wanted to do so.  Perhaps I should try it on my own with a smaller system at home.

As for the first question: no, a computer can leave the domain and rejoin it, and as long as your credentials are valid, your EFS files will still be accessible. So I reinstated the retiree’s account temporarily, rejoined the computer to the domain, logged in with the temporarily activated account, and got the files out. Man, those decryptions take so long…

tl;dr:

  • EFS files are automatically decrypted when they get copied out of the encrypted folder (as long as you are logged in as an account that holds the key).
  • A computer that was removed from the domain can be rejoined, and that will not mess the EFS files up.
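The export step above, written out as an added PowerShell example (this is not code from the original post): it inventories the files under the user's profile that carry the Encrypted attribute, copies them to a staging folder on the local NTFS volume, and decrypts the copies in place so that what you hand over is verified plaintext. The folder paths are assumptions, and the script must run as the account that holds the EFS key (the temporarily reactivated user, in the post's scenario); it never touches the originals.

```powershell
# Added example, not part of the original post. Assumed paths: adjust for your machine.
param(
    [string]$Source  = 'C:\Documents and Settings\retiree\My Documents',  # assumed profile path
    [string]$Staging = 'C:\efs-export'                                    # assumed NTFS staging folder
)

# A file is EFS-protected when its FILE_ATTRIBUTE_ENCRYPTED bit is set.
function Test-EfsEncrypted {
    param([string]$Path)
    $attr = [System.IO.File]::GetAttributes($Path)
    return (($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# Inventory: every encrypted file under the source tree (PSIsContainer keeps this
# working on the PowerShell 2.0 that XP-era boxes have; -File needs 3.0+).
function Get-EfsFiles {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and (Test-EfsEncrypted $_.FullName) }
}

# Copy to NTFS preserves the Encrypted attribute, so the staged copy is decrypted
# explicitly with .NET's File.Decrypt (a wrapper for the Win32 DecryptFile call).
# That call only succeeds for an account that holds the file's EFS key; if it
# fails, the warning tells you the copy is still ciphertext.
function Export-EfsFiles {
    param([string]$Root, [string]$Dest)
    $null = New-Item -ItemType Directory -Path $Dest -Force
    $files = @(Get-EfsFiles -Root $Root)
    Write-Host ("Found {0} encrypted file(s) under {1}" -f $files.Count, $Root)
    foreach ($f in $files) {
        $rel    = $f.FullName.Substring($Root.TrimEnd('\').Length + 1)
        $target = Join-Path $Dest $rel
        $null = New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force
        Copy-Item -LiteralPath $f.FullName -Destination $target -Force
        try {
            [System.IO.File]::Decrypt($target)
        } catch {
            Write-Warning ("Could not decrypt {0}: {1}" -f $target, $_.Exception.Message)
        }
        if (Test-EfsEncrypted $target) {
            Write-Warning "Still encrypted: $target (does this account hold the EFS key?)"
        } else {
            Write-Host "Exported plaintext: $rel"
        }
    }
}

Export-EfsFiles -Root $Source -Dest $Staging
```

Once every line reads "Exported plaintext", the staging folder can be copied to the USB drive or a share like any ordinary files. Staging on NTFS first is deliberate: a plain copy of an EFS file straight to a FAT-formatted USB stick can fail or silently prompt, depending on the tool, whereas a verified decrypt on the local disk leaves no doubt about what left the machine. On the post's open second question, the general rule is that an administrator-forced password reset on a local account loses access to that account's DPAPI-protected keys (and so to its EFS files), while domain accounts have their master keys backed up by the domain controller and survive a reset; the author's choice of simply using the known password avoided the issue either way.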
