Can you help me recover my encrypted data? [migrated]

I have myself in a bit of a pickle. My primary hard drive is encrypted with Windows 10 Bitlocker, and the text file with my recovery key, on an external drive, has turned out to be encrypted with Windows 10 EFS! I don’t know whether I should be working on a solution for the Bitlocker or the EFS.

Background

My primary hard drive is encrypted with Bitlocker (built into Windows 10 Professional) and is set up such that the computer will boot if a particular thumb drive is inserted. About a week ago, it suddenly refused to boot, acting as if the thumb drive was not inserted.

I keep backups by simply drag-and-dropping the folders with my documents onto external USB hard drives. Those folders include the .TXT file with the Bitlocker recovery key.

My recovery plan was to plug one of my backup external hard drives into another computer to read the .TXT file that contains the recovery key, which I understand is about a 25 (or so) digit number.

Problem

Apparently at some point I unwittingly applied EFS (encrypting file system) to the folder with my documents, and that EFS carried through to my backup external hard drives. I say unwittingly, because I do not remember doing it, but I guess at some point my small mind saw a checkbox with an option to do it, and I thought to myself, “what a great idea!” Nice work, Mr. Secure Guy!

On another computer, I can plug in the external drive and navigate the folders, but when I try to open a file it says “Access Denied”.

Now I am stuck in a catch-22. I can’t access either drive without accessing the other one first. EFS vs. Bitlocker. Is there any hope to recover my documents?

Possibly Helpful Extra Information

Here are a few extra bits of information, that may or may not be helpful:

  • If necessary, I am competent enough to run Kali Linux from a live CD and run some basic exploits, just from a one week class I took on pen-testing. I’m definitely not a seasoned hacker though.

  • The USB drive that is supposed to have my Bitlocker decryption key does not seem to be malfunctioning. I can add and remove files to it from another machine. I have the BEK file, but I have no idea how I might be able to extract the recovery key from it. Opening it in Notepad just gives me gibberish.

  • The Bitlocker decryption failure happened immediately after I plugged in a new USB hub, which is “ORICO MH4PU Aluminum 4 Ports USB 3.0 Clip-type HUB” from NewEgg. The hub seems to be working fine in every respect, so I doubt it’s related, but who knows? Yes, I have tried removing the hub and rebooting, didn’t help.

  • I tried copying my BEK file to a different USB thumb drive, but that did not change the results: the machine still behaved as if the decryption key was not inserted (it did not boot).

  • My USB thumb drive is at least 10 years old, but was only used regularly for about 2 years, sat idle for about 5 years, and then became my decryption key for about the last 3 years. I’m aware of the limited lifespan for flash memory, but it has had a pretty light duty life. It’s a generic 4MB stick.

  • I have already investigated the possibility that the NTFS File Permission System is involved. On the other computer I have successfully taken “ownership” of the file and assigned myself full control permissions with no error messages. I’m pretty sure EFS is the culprit, but open to learning otherwise.

  • I do not have a Microsoft account; the Windows 10 machine is set up with only local accounts. I have the username and password.

  • All Microsoft telemetry was turned off long ago.

  • I’ve tried inserting the thumb drive with the decryption key into different USB ports, including the ones directly in the back of the motherboard.

  • This is a homebuilt computer, about 11 years old. It has experienced a few hardware failures over the years but I was able to successfully troubleshoot them and replace the parts as necessary. It’s not currently showing any sign of hardware failure. In fact, one of my “other machines” is simply another hard drive in the same computer (that I am using now).

Specific Suggestions for Answers

A workable answer to either of these would really make my day:

  • How can I tell if my BEK file is intact? How can I extract the Bitlocker recovery key from the BEK file which seems to be intact?

  • Does Metasploit have something that can attack EFS? (I’m not even going to ask about Bitlocker…)

Thank you all! I’ve been a silent lurker and reader of the HNQs for a year or so. I think I understand the SE format, and I hope my first post is up to par.

Using DD to get the hash of a non-system partition encrypted by VeraCrypt

I am trying to use DD for Windows to obtain the hash of a non-system partition that was encrypted via VeraCrypt, but have run into a bit of a problem.

The command I used to get the hash of the encrypted partition looks like this:

dd if=\\?\Device\HarddiskVolume11 of=hash_output.txt bs=512 count=1

And this command (in theory) should create a file called hash_output.txt that contains the encrypted hash, which should, for example, look something like this:

(Šö÷…o¢–n[¨hìùlŒ‡¬»J`<Q›þIšê1ªCúÍbÔcN„ÐŒ3+d.dWr€-¡tä66¶ˆÎ  

However, the output I am getting when issuing the DD command above looks more like this:

fb55 d397 2879 2f55 7653 24a3 c250 14d3 3711 7109 e563 617f ab73 f11a 3469 33bb 

Which is obviously not the hash I was expecting, so I am hoping someone might be able to help me figure out what I am doing wrong.

Some things to note:

  • I am 100% positive that the drive I am selecting in the DD command is the right drive.
  • There is only 1 encrypted partition on the drive that spans the entire size of the drive.
  • There is no physical / functional damage to the drive which would cause this issue.
  • This is on an external 1 TB drive that is connected via USB 3.0 (I have tried other cables and ports).
  • The same DD command worked fine for a test drive that I encrypted using the same parameters that were set for this drive.
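The two outputs quoted above are the same data in two renderings: the first is what a text editor shows for raw bytes, the second is a hexadecimal dump of those bytes in two-byte groups. A VeraCrypt header is 512 bytes of random-looking data either way, and header-processing tools such as hashcat consume the raw 512-byte file, not a hex transcription of it. The Go program below is an added example (not code from the post) that converts between the two forms and checks that a full 512-byte sector is present; hexDumpFromPost is the 32 bytes quoted in the post, and the function names are my own.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Sample taken from the post: 16 two-byte groups, i.e. the first 32 bytes of
// what should be a 512-byte VeraCrypt header.
const hexDumpFromPost = "fb55 d397 2879 2f55 7653 24a3 c250 14d3 3711 7109 e563 617f ab73 f11a 3469 33bb"

// looksLikeHexDump reports whether data is a hexadecimal rendering (hex
// digits and whitespace only) rather than raw bytes. A real encrypted header
// is effectively random, so it fails this check with overwhelming probability.
func looksLikeHexDump(data []byte) bool {
	digits := 0
	for _, c := range data {
		switch {
		case c == ' ' || c == '\n' || c == '\r' || c == '\t':
		case c >= '0' && c <= '9', c >= 'a' && c <= 'f', c >= 'A' && c <= 'F':
			digits++
		default:
			return false
		}
	}
	return digits > 0 && digits%2 == 0
}

// hexDumpToRaw drops the whitespace and decodes the digits back to bytes.
func hexDumpToRaw(dump string) ([]byte, error) {
	raw, err := hex.DecodeString(strings.Join(strings.Fields(dump), ""))
	if err != nil {
		return nil, fmt.Errorf("not a clean hex dump: %w", err)
	}
	return raw, nil
}

// rawToHexDump renders bytes in the two-byte groups shown in the post.
func rawToHexDump(raw []byte) string {
	groups := make([]string, 0, (len(raw)+1)/2)
	for i := 0; i < len(raw); i += 2 {
		end := i + 2
		if end > len(raw) {
			end = len(raw)
		}
		groups = append(groups, hex.EncodeToString(raw[i:end]))
	}
	return strings.Join(groups, " ")
}

// normalizeHeader accepts either form, returns the raw bytes, and insists on
// a complete 512-byte sector, which is what header-processing tools expect.
func normalizeHeader(data []byte) ([]byte, error) {
	raw := data
	if looksLikeHexDump(data) {
		var err error
		if raw, err = hexDumpToRaw(string(data)); err != nil {
			return nil, err
		}
	}
	if len(raw) != 512 {
		return raw, fmt.Errorf("expected a 512-byte header, got %d bytes", len(raw))
	}
	return raw, nil
}

func main() {
	raw, _ := hexDumpToRaw(hexDumpFromPost)
	fmt.Printf("%d bytes, first byte 0x%02x\n", len(raw), raw[0])
	fmt.Println(rawToHexDump(raw) == hexDumpFromPost)
	_, err := normalizeHeader([]byte(hexDumpFromPost))
	fmt.Println(err) // the post's sample is only 32 bytes, so this reports the short length
}
```

If a file on disk fails normalizeHeader with a size error even though dd reported copying one 512-byte record, the file is a text rendering produced by whatever displayed or re-saved it, not dd's output; re-run dd and check the file size before feeding it to anything.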

Open source project using encrypted API keys

My API keys are encrypted with AES-256 and will be decrypted in the code pipeline for a new release on every change to the repo (no more manual builds and no more manual uploads to the App Store). ( https://docs.travis-ci.com/user/encrypting-files/ )

  - openssl aes-256-cbc -K $encrypted_key -iv $encrypted_iv -in secrets.tar.enc -out secrets.tar -d
  - tar xvf secrets.tar

But if the project were open source with a CI/CD pipeline ( https://github.com/Triple-T/gradle-play-publisher#encrypting-service-account-keys )

then what will prevent an incoming PR, which triggers the code pipeline, from printing the decrypted files in clear text?

i.e. assume that the project is open source and we did encrypt the API keys. Then an incoming PR will still trigger the Travis pipeline and could output the keys in clear text like this:

  - openssl aes-256-cbc -K $encrypted_key -iv $encrypted_iv -in secrets.tar.enc -out secrets.tar -d
  - tar xvf secrets.tar
  - cat api-key.json

Any ideas how to prevent such a scenario? Or did I misunderstand?

Is LDAP encrypted after SASL authentication?

I was inspecting LDAP packets with Wireshark today.

When I authenticate with simple bind, I can see the password in plain text, and the subsequent LDAP requests and responses too.

Then I authenticated with SASL/DIGEST-MD5. I can see the authentication attempts in clear text, except for the hashed credentials. But all subsequent LDAP requests and responses are scrambled. My understanding was that only the authentication uses DIGEST-MD5 and subsequent LDAP packets are unencrypted. When inspecting packet 18, I can see “Lightweight Directory Access Protocol” and underneath it a “SASL Buffer”. So it seems like the LDAP response is indeed encrypted.

Could you shed some light on it, please? And if it’s encrypted, what type of encryption is used?

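Added example, not code from the post: Go helpers for the two things worth checking in such a capture. DIGEST-MD5 negotiates a qop directive: auth alone leaves the later LDAP traffic in the clear, auth-int adds an integrity layer, and auth-conf adds encryption with a cipher from RFC 2831's list (rc4-40, rc4-56, rc4, des, 3des). Once a security layer is active, every later LDAP message travels inside a SASL buffer, a 4-byte big-endian length followed by the protected bytes, which is the “SASL Buffer” Wireshark labels. RFC 6331 has since moved DIGEST-MD5 to Historic status, so the usual hardening is TLS (LDAPS or StartTLS) rather than reliance on this layer. parseDirectives, protectionFor, wrapSASLBuffer and splitSASLBuffers are my own names; the sample response and message stream are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// RFC 2831 default for maxbuf when the peer sends no value.
const defaultMaxBuf uint32 = 65536

var errShort = errors.New("stream ends inside a SASL buffer; read more data")

// parseDirectives splits a DIGEST-MD5 challenge or response (comma-separated
// key=value pairs, values optionally quoted) into a map.
func parseDirectives(s string) map[string]string {
	out := map[string]string{}
	var key, val []byte
	inQuote, inVal := false, false
	flush := func() {
		if k := strings.TrimSpace(string(key)); k != "" {
			out[k] = string(val)
		}
		key, val, inVal = key[:0], val[:0], false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case inQuote:
			if c == '"' {
				inQuote = false
			} else {
				val = append(val, c)
			}
		case c == '"' && inVal:
			inQuote = true
		case c == '=' && !inVal:
			inVal = true
		case c == ',':
			flush()
		case inVal:
			val = append(val, c)
		default:
			key = append(key, c)
		}
	}
	flush()
	return out
}

// protectionFor reports the negotiated qop and cipher from the client's
// response: "auth" means no layer, "auth-int" integrity only, "auth-conf"
// encryption with the named cipher.
func protectionFor(response string) (qop, cipher string) {
	d := parseDirectives(response)
	return d["qop"], d["cipher"]
}

// wrapSASLBuffer adds the 4-byte network-order length prefix that the SASL
// security layer puts in front of each protected message (RFC 4422 section 3.7).
func wrapSASLBuffer(protected []byte) []byte {
	out := make([]byte, 4+len(protected))
	binary.BigEndian.PutUint32(out, uint32(len(protected)))
	copy(out[4:], protected)
	return out
}

// splitSASLBuffers cuts a TCP byte stream into complete SASL buffers and
// returns the unconsumed tail. A length above maxbuf is rejected before any
// copy, so a decoder cannot be driven into oversized reads by a bad prefix.
func splitSASLBuffers(stream []byte, maxBuf uint32) (buffers [][]byte, rest []byte, err error) {
	for len(stream) > 0 {
		if len(stream) < 4 {
			return buffers, stream, errShort
		}
		n := binary.BigEndian.Uint32(stream)
		if n > maxBuf {
			return buffers, stream, fmt.Errorf("SASL buffer length %d exceeds maxbuf %d", n, maxBuf)
		}
		if uint64(len(stream)-4) < uint64(n) {
			return buffers, stream, errShort
		}
		buffers = append(buffers, stream[4:4+n])
		stream = stream[4+n:]
	}
	return buffers, stream, nil
}

func main() {
	// Constructed client response; a real one also carries nonce, cnonce, nc and response.
	qop, cipher := protectionFor(`username="user",realm="example.com",qop=auth-conf,cipher="rc4",maxbuf=65536`)
	fmt.Println("qop:", qop, "cipher:", cipher)
	// Constructed stand-ins for two protected LDAP messages (ciphertext plus integrity tag).
	stream := append(wrapSASLBuffer([]byte("ciphertext+mac#1")), wrapSASLBuffer([]byte("ciphertext+mac#2"))...)
	bufs, rest, err := splitSASLBuffers(stream, defaultMaxBuf)
	fmt.Println(len(bufs), "buffers,", len(rest), "bytes left, err:", err)
}
```

To answer the "what encryption" question from a capture, look at the client's final bind response for the qop and cipher directives; the SASL buffers that follow carry the output of that cipher, not LDAP BER, which is why Wireshark stops dissecting below the buffer.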

Finding out if the name is encrypted and finding the encryption algorithm

I’m new to the security field. I have a website. Whenever I upload a photo to the website whose name is, for example, 123 with the .jpg extension, its name seems to turn into a string like this: f408KFcUb+k=. The address for reaching this image will be something like this:

https://example.com?imgID=f408KFcUb%2bk%3d

If I upload the same photo again, its name will turn into another string on the website.

It seems that the name is being encrypted or encoded. Am I right? If so, is there any way to find out what encryption algorithm is being used for encrypting the names of the files?
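What can be read off such an identifier from the outside is its text encoding and decoded length, not the algorithm behind it. The value in the post URL-decodes to f408KFcUb+k=, which is base64 for 8 bytes: that length fits a 64-bit block cipher output, but equally an 8-byte random token, and a different name on re-upload is consistent with either. The Go helper below is an added example (not the site's code) that applies those checks in general, trying hex, base64 and base64url in turn; AnalyzeID and lengthHint are my own names and the extra inputs are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"
)

// IDReport is what an observer can determine about an opaque identifier:
// its text encoding and decoded length, and what that length is consistent with.
type IDReport struct {
	Encoding string // "hex", "base64", "base64url" or "unknown"
	Length   int    // decoded length in bytes (string length for "unknown")
	Hint     string
}

// lengthHint lists what a decoded length is consistent with; none of these
// cases identifies an algorithm, they only narrow the possibilities.
func lengthHint(n int) string {
	switch {
	case n%16 == 0:
		return "multiple of 16 bytes: fits a 128-bit block cipher such as AES, a UUID, or plain random bytes"
	case n%8 == 0:
		return "multiple of 8 bytes: fits a 64-bit block cipher (DES, 3DES, Blowfish) or an 8-byte random/counter token"
	default:
		return "not block-aligned: more likely a random token or truncated hash than block-cipher output"
	}
}

// AnalyzeID URL-decodes a query parameter value and tries the common textual
// encodings in order (hex first, because a hex string also decodes as base64).
func AnalyzeID(param string) IDReport {
	s, err := url.QueryUnescape(param)
	if err != nil {
		s = param
	}
	decoders := []struct {
		name string
		dec  func(string) ([]byte, error)
	}{
		{"hex", hex.DecodeString},
		{"base64", base64.StdEncoding.DecodeString},
		{"base64url", base64.URLEncoding.DecodeString},
	}
	for _, d := range decoders {
		if b, err := d.dec(s); err == nil && len(b) > 0 {
			return IDReport{Encoding: d.name, Length: len(b), Hint: lengthHint(len(b))}
		}
	}
	return IDReport{Encoding: "unknown", Length: len(s), Hint: "no standard text encoding matched"}
}

func main() {
	// First value is from the post; the other two are constructed.
	for _, p := range []string{"f408KFcUb%2bk%3d", "1234567890abcdef1234567890abcdef", "abc"} {
		r := AnalyzeID(p)
		fmt.Printf("%-36s %-9s %2d bytes  %s\n", p, r.Encoding, r.Length, r.Hint)
	}
}
```

From the application owner's side, an identifier that is an encrypted row id is only as safe as the key and mode behind it; a random token stored alongside the record avoids the question entirely.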

How to decrypt XML encrypted as per FATCA IDES standard?

My former colleagues encrypted an XML file as per the FATCA-IDES standard:

  1. Digitally signed the XML payload (using an “enveloping” signature and creating a SHA2-256 hash)
  2. RSA digital signature using the 2048-bit private key that corresponds to our private key
  3. Compressed the XML file
  4. Encrypted the XML file with an AES-256 key:
    • Cipher mode: CBC
    • Salt: No salt
    • IV: 16-byte IV
    • Key size: 256 bits/32 bytes
    • Encoding: None
    • Padding: PKCS#5 or PKCS#7 (I’m not sure which one was used)
  5. Encrypted the AES key and IV (48 bytes total: 32-byte AES key and 16-byte IV) with the public key (given by IDES, not ours):
    • Padding: PKCS#1 v1.5
    • Key size: 2048 bits

Therefore, from the starting point where we had a simple XML file (not encrypted), we ended up with a .zip file that contained 3 files:

  • xxxx_Payload
  • xxxx_Key
  • xxxx_Metada.xml

With that said, I can’t find the original XML file that was not encrypted. I need to have access to that information, and as my knowledge of cryptography is close to 0, it’s impossible for me to understand how to decrypt the payload generated by my former colleagues so I can have access to the readable XML file “xxxx_Payload”.

FYI, I have in my possession the private key (with its password) that was used at the time. I believe this should be sufficient to somehow be able to decrypt the data?
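Steps 3 to 5 above are a standard hybrid scheme, and the decryption order is the reverse: unwrap key||IV from xxxx_Key with the private half of the key used in step 5, AES-256-CBC-decrypt xxxx_Payload with them, strip the padding, decompress. Note which private key that is: step 5 used the public key supplied by IDES, so only the matching IDES private key can open xxxx_Key; the private key from step 2 is the signing key and cannot. The Go program below is an added example, not the colleagues' tool or any IDES code: it generates a throwaway receiver key pair so both halves are available, runs the pipeline forward and back, and shows the unrelated-key failure. zlib is assumed for the unnamed compression step, and the sample XML is constructed.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad pads to a whole number of blocks. For a 16-byte block, PKCS#5 and
// PKCS#7 produce identical bytes, so which one was used makes no difference.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips padding; failure here usually means a wrong key or IV.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// sealPayload is steps 3 to 5 of the post: compress (zlib, an assumption),
// AES-256-CBC under a fresh key and IV, then RSA PKCS#1 v1.5 encryption of
// key||IV (48 bytes) under the receiver's public key.
func sealPayload(receiverPub *rsa.PublicKey, xml []byte) (payload, keyFile []byte, err error) {
	var compressed bytes.Buffer
	zw := zlib.NewWriter(&compressed)
	zw.Write(xml) // writing into a bytes.Buffer does not fail
	zw.Close()
	keyIV := make([]byte, 48) // 32-byte AES key followed by the 16-byte IV
	if _, err = io.ReadFull(rand.Reader, keyIV); err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(keyIV[:32])
	if err != nil {
		return nil, nil, err
	}
	padded := pkcs7Pad(compressed.Bytes(), aes.BlockSize)
	payload = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, keyIV[32:]).CryptBlocks(payload, padded)
	keyFile, err = rsa.EncryptPKCS1v15(rand.Reader, receiverPub, keyIV)
	return payload, keyFile, err
}

// openPayload reverses the pipeline. Only the private key matching the
// public key used in step 5 can unwrap keyFile; any other key fails there.
func openPayload(receiverPriv *rsa.PrivateKey, payload, keyFile []byte) ([]byte, error) {
	keyIV, err := rsa.DecryptPKCS1v15(rand.Reader, receiverPriv, keyFile)
	if err != nil {
		return nil, fmt.Errorf("RSA unwrap failed (not the receiver's private key?): %w", err)
	}
	if len(keyIV) != 48 {
		return nil, fmt.Errorf("unwrapped %d bytes, expected 32-byte key + 16-byte IV", len(keyIV))
	}
	if len(payload) == 0 || len(payload)%aes.BlockSize != 0 {
		return nil, errors.New("payload is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(keyIV[:32])
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(payload))
	cipher.NewCBCDecrypter(block, keyIV[32:]).CryptBlocks(padded, payload)
	compressed, err := pkcs7Unpad(padded, aes.BlockSize)
	if err != nil {
		return nil, err
	}
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func main() {
	receiver, _ := rsa.GenerateKey(rand.Reader, 2048)       // throwaway receiver key pair
	xml := []byte(`<FATCA_OECD><MessageSpec/></FATCA_OECD>`) // constructed sample
	payload, keyFile, _ := sealPayload(&receiver.PublicKey, xml)
	out, err := openPayload(receiver, payload, keyFile)
	fmt.Println(string(out), err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key cannot unwrap the key file
	_, err = openPayload(other, payload, keyFile)
	fmt.Println("unrelated private key:", err)
}
```

Applied to the real files, openPayload would take the bytes of xxxx_Key and xxxx_Payload; the first step to fail tells you which piece is wrong, an RSA error meaning the private key does not match the public key used in step 5, and a padding error meaning the AES key or IV, or the byte order of key and IV inside the 48 bytes, is not what the sender used.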

Are Mac OS X encrypted volumes (from Disk Utility) to be trusted?

I am currently using Disk Utility on macOS and normally create a 10GB encrypted image to store my random private files in…

What really makes me paranoid is how fast, or shall we say instantly, it opens once I put in my passcode.

I tried an experiment: I made a 50GB encrypted volume and filled it… again it opens scary fast. In comparison, when using something like VeraCrypt, opening a 50GB encrypted volume could take minutes!

I even created my own program in C and tested every combination of AES modes (CBC, ECB, etc.) and key sizes… and all of them were only as fast as VeraCrypt.

Does anyone have a clue what’s actually going on and why Mac encrypted volumes are 100X faster than any other third-party encryption programs? And if there are some cheeky tricks going on in the background, can Mac encrypted volumes from Disk Utility still be trusted?