I have myself in a bit of a pickle. My primary hard drive is encrypted with Windows 10 Bitlocker, and the text file with my recovery key, on an external drive, has turned out to be encrypted with Windows 10 EFS! I don’t know whether I should be working on a solution for the Bitlocker or the EFS.
My primary hard drive is encrypted with Bitlocker (built into Windows 10 Professional) and is set up such that the computer will boot if a particular thumb drive is inserted. About a week ago, it suddenly refused to boot, acting as if the thumb drive was not inserted.
I keep backups by simply drag-and-dropping the folders with my documents onto external USB hard drives. Those folders include the .TXT file with the Bitlocker recovery key.
My recovery plan was to plug one of my backup external hard drives into another computer to read the .TXT file that contains the recovery key, which I understand is about a 25 (or so) digit number.
Apparently at some point I unwittingly applied EFS (encrypting file system) to the folder with my documents, and that EFS carried through to my backup external hard drives. I say unwittingly, because I do not remember doing it, but I guess at some point my small mind saw a checkbox with an option to do it, and I thought to myself, “what a great idea!” Nice work, Mr. Secure Guy!
On another computer, I can plug in the external drive and navigate the folders, but when I try to open a file it says “Access Denied”.
Now I am stuck in a catch-22. I can’t access either drive without accessing the other one first. EFS vs. Bitlocker. Is there any hope to recover my documents?
Possibly Helpful Extra Information
Here are a few extra bits of information that may or may not be helpful:
If necessary, I am competent enough to run Kali Linux from a live CD and run some basic exploits, just from a one week class I took on pen-testing. I’m definitely not a seasoned hacker though.
The USB drive that is supposed to have my Bitlocker decryption key does not seem to be malfunctioning. I can add and remove files to it from another machine. I have the BEK file, but I have no idea how I might be able to extract the recovery key from it. Opening it in Notepad just gives me gibberish.
The Bitlocker decryption failure happened immediately after I plugged in a new USB hub, which is “ORICO MH4PU Aluminum 4 Ports USB 3.0 Clip-type HUB” from NewEgg. The hub seems to be working fine in every respect, so I doubt it’s related, but who knows? Yes, I have tried removing the hub and rebooting; it didn’t help.
I tried copying my BEK file to a different USB thumb drive, but it did not change the results: the machine still behaved as if the decryption key was not inserted (it did not boot).
My USB thumb drive is at least 10 years old, but was only used regularly for about 2 years, sat idle for about 5 years, and then became my decryption key for about the last 3 years. I’m aware of the limited lifespan for flash memory, but it has had a pretty light duty life. It’s a generic 4MB stick.
I have already investigated the possibility that the NTFS File Permission System is involved. On the other computer I have successfully taken “ownership” of the file and assigned myself full control permissions with no error messages. I’m pretty sure EFS is the culprit, but open to learning otherwise.
I do not have a Microsoft account. The Windows 10 machine is set up with only local accounts. I have the username and password.
All Microsoft telemetry was turned off long ago.
I’ve tried inserting the thumb drive with the decryption key into different USB ports, including the ones directly in the back of the motherboard.
This is a homebuilt computer, about 11 years old. It has experienced a few hardware failures over the years but I was able to successfully troubleshoot them and replace the parts as necessary. It’s not currently showing any sign of hardware failure. In fact, one of my “other machines” is simply another hard drive in the same computer (that I am using now).
Specific Suggestions for Answers
A workable answer to either of these would really make my day:
How can I tell if my BEK file is intact? How can I extract the Bitlocker recovery key from the BEK file which seems to be intact?
Does Metasploit have something that can attack EFS? (I’m not even going to ask about Bitlocker…)
Thank you all! I’ve been a silent lurker and reader of the HNQs for a year or so. I think I understand the SE format, and I hope my first post is up to par.