Windows file recovery

Access control

NTFS lets the operating system control access to a file, folder or volume. It uses a file system attribute, the Access Control List (ACL), to allow or deny activities such as reading, writing or creating files, listing the contents of a folder, or changing file permissions. For recovery this is not a problem: data recovery tools read the disk directly, bypassing the high-level file system API and with it the ACL checks, so permissions on a file never stop it from being read in raw mode.

File encryption

NTFS file encryption (EFS) encrypts each file with a random symmetric File Encryption Key (FEK). The FEK is stored with the file, wrapped with the user's EFS public key, and the matching private key is protected by DPAPI using keys derived from the user's Windows account password. For recovery this is a problem: NTFS-encrypted files must be accessed through the Windows API and can only be decrypted with the private key(s) matching the public key(s) that were used when the files were encrypted.

  • Low-level disk access to read files in raw mode does not help: the MFT (Master File Table) still describes the file, but its content is ciphertext. Without the exact account password the content cannot be decrypted. Resetting the user's login password with an offline tool makes it impossible to unlock the user's private key (a password change made through Windows re-protects the DPAPI keys; an offline reset does not), so such a reset is useless for gaining access to that user's encrypted files.
  • There is currently no third-party EFS driver, so encrypted files cannot be accessed from outside Windows using another operating system.

This makes recovery of NTFS-encrypted files hard, but not necessarily impossible.

  • Some NTFS recovery tools will correctly detect and process encrypted files if the files were encrypted by the same Windows account you are logged in with at the time of recovery, or at least if you know the original account password.
  • If EFS is configured to use certificates issued by a Public Key Infrastructure (PKI) and the issuing CA is configured for Key Archival and Recovery, encrypted files can be recovered by first recovering the user's private key from the CA database.

Cipher

Cipher (cipher.exe) is a command-line tool that displays or alters the encryption of folders and files on NTFS volumes. Used without parameters, cipher displays the encryption state of the current folder and the files it contains. Though originally written for Windows 2000, it also works on later systems, up to and including Windows 10. Beyond encrypting (/e) and decrypting (/d), it can back up the current user's EFS certificate and private key (/x), generate a recovery agent certificate (/r), and overwrite the free space of a volume (/w), which is worth remembering because a /w pass destroys exactly the unallocated data that deleted-file recovery depends on.

Key recovery

  • A key escrow is a third party that is permitted to gain access to encrypted data under conditions defined by law (typically a court order is required before data is decrypted). The escrow agent holds a copy of each user's key. Key escrow is proactive, anticipating the need for access to keys; a retroactive alternative is a key disclosure law, under which users must surrender their keys on demand by law enforcement or face legal penalties.
  • A Data Recovery Agent (DRA) is an account that is permitted to decrypt another user's data in case of emergency; it holds a private key that can accomplish the decryption.

In Windows 2000 the local administrator is the default DRA. In Windows XP Professional, Windows Server 2003, Windows 7, Windows Server 2008 R2 and later there is no default DRA: the administrator must generate a recovery agent certificate and designate it in policy, which grants access to encrypted resources. The FEK of a file is wrapped with the DRA's public key (in the file's Data Recovery Field) at the moment the file is encrypted, so a resource that was encrypted before the recovery agent certificate was created cannot be decrypted by the DRA until the file is re-encrypted or its keys are refreshed (for example with cipher /u).

Recovering deleted files

When a file is deleted, the file system removes its reference to the file's data. Once that reference is gone, the operating system no longer sees the file and treats the space it occupied as free. The data itself, however, is still on the disk, at least until another file is written to the same location.

  • Windows renames the file and moves it into the Recycle Bin folder (Recycler on Windows 2000 and XP).
  • It records the original path and file name, the deletion time and the size of the file in the INFO2 file, which indexes the Recycle Bin. (Windows Vista and later keep a small $I record beside each recycled $R file instead of a single INFO2 index.)
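A parser for the INFO2 index described above, as an added example that is not part of the original page. It assumes the Windows 2000/XP record layout (20-byte header with the record size at offset 0x0C; per record an ANSI path at 0, index at 0x104, drive number at 0x108, FILETIME at 0x10C, size at 0x114 and a UTF-16 copy of the path at 0x118). The INFO2 bytes it reads are constructed inside the script, not taken from a real system; it also shows why an item purged from the bin is still recoverable from the index, since Windows only zeroes the first byte of the ANSI name.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index (added example).
The INFO2 bytes used below are constructed here, not taken from a real disk."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER = "<IIIII"          # version, kept entries, total entries, record size, size sum
INFO2_HEADER_LEN = 0x14
RECORD_SIZES = (280, 800)        # ANSI-only (Windows 9x) vs. ANSI + Unicode (2000/XP)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_info2(data: bytes) -> list:
    """Return one dict per INFO2 record, including records whose item was later
    purged from the bin: Windows zeroes only the first byte of the ANSI name, so
    the rest of the record (and the Unicode copy of the path) survives."""
    _version, _kept, _total, rec_size, _sum = struct.unpack_from(INFO2_HEADER, data, 0)
    if rec_size not in RECORD_SIZES:
        raise ValueError("unexpected INFO2 record size %d" % rec_size)
    entries = []
    for off in range(INFO2_HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 0x104)
        ansi = rec[:260]
        path = ansi.split(b"\x00", 1)[0].decode("cp1252", "replace")
        if rec_size == 800:
            uni = rec[0x118:0x118 + 520].decode("utf-16-le", "replace").split("\x00", 1)[0]
            if uni:
                path = uni                   # Unicode copy is intact even after a purge
        letter = chr(ord("A") + drive)
        entries.append({
            "index": index,
            "drive": letter,
            "original_path": path,
            # name the file carries inside the Recycler folder: D<drive><index><ext>
            "recycled_name": "D%s%d%s" % (letter.lower(), index, ntpath.splitext(path)[1]),
            "deleted_at": filetime_to_datetime(ft),
            "physical_size": size,
            "purged": ansi[0] == 0,
        })
    return entries


def build_record(path: str, index: int, drive: int, deleted: datetime,
                 size: int, purged: bool = False) -> bytes:
    """Constructed 800-byte INFO2 record, used only to build the sample below."""
    ansi = path.encode("cp1252").ljust(260, b"\x00")
    if purged:
        ansi = b"\x00" + ansi[1:]           # what Windows does when the item is purged
    fixed = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size)
    return ansi + fixed + path.encode("utf-16-le").ljust(520, b"\x00")


# Constructed sample: two deletions on C:, the second already purged from the bin.
SAMPLE_PATHS = [r"C:\work\secret.docx", r"C:\work\notes.txt"]
SAMPLE_INFO2 = (
    struct.pack(INFO2_HEADER, 5, 0, 2, 800, 0)
    + build_record(SAMPLE_PATHS[0], 1, 2, datetime(2009, 1, 1, 12, 30, tzinfo=timezone.utc), 4096)
    + build_record(SAMPLE_PATHS[1], 2, 2, datetime(2009, 1, 2, 8, 0, tzinfo=timezone.utc), 512,
                   purged=True)
)

if __name__ == "__main__":
    for entry in parse_info2(SAMPLE_INFO2):
        print(entry)
```

Run it against a real index with `parse_info2(open("INFO2", "rb").read())`; the recycled_name field tells you which Dc<N> file in the Recycler folder holds the content, and a purged entry tells you the content may already be unallocated and must be carved instead.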

If a file is deleted from the command line (or with Shift+Delete) it does not go into the Recycle Bin, but it can still be partly or wholly recovered with forensic tools.

When a file is removed from the command line or from the Recycle Bin:

  • The clusters it occupied are marked free in $Bitmap (the metadata file holding one allocation bit per cluster) and become available for new data.
  • The $BITMAP attribute of $MFT, which records which MFT records are in use, is updated to mark the file's record as free.
  • The in-use flag in the header of the file's MFT record is cleared, so the record can be reused.
  • The file's entry in its parent directory's index ($INDEX_ROOT / $INDEX_ALLOCATION) is removed, so it no longer appears in listings.
  • The MFT record itself, including the $FILE_NAME attribute and the $DATA attribute's run list (the list of clusters holding the content), is left in place until the record is reused.

At this point the clusters have not been reused and the file is physically still present. A bit-by-bit copy of the volume still contains it, and a tool that walks the MFT for records whose in-use flag is clear can rebuild the file from the run list, checking each cluster against $Bitmap to see whether it has since been reallocated.
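The check described in the preceding paragraphs, as an added example that is not part of the original page: it reads the header of an MFT FILE record to see whether its in-use flag is clear, decodes a non-resident $DATA run list into cluster numbers, and tests each cluster against $Bitmap to report which clusters have already been reused. It assumes the NTFS 3.x record header layout (flags at offset 0x16, record number at 0x2C) and the standard run-list encoding (header nibbles giving the sizes of the length and signed relative offset fields). The record, run list and bitmap are constructed in the script, not read from a disk.

```python
"""Decide whether a deleted NTFS file's clusters are still intact (added example).
The MFT record, run list and $Bitmap fragment below are constructed sample data."""
import struct

MFT_HEADER = "<4sHHQHHHHIIQHHI"   # 48-byte FILE record header (NTFS 3.x layout)
MFT_IN_USE = 0x01                 # flags bit: record belongs to a live file
MFT_DIRECTORY = 0x02              # flags bit: record describes a directory


def parse_mft_header(record: bytes) -> dict:
    """Decode the fixed header at the start of an MFT FILE record."""
    if record[:4] == b"BAAD":
        raise ValueError("record failed its update-sequence (fixup) check")
    if record[:4] != b"FILE":
        raise ValueError("not an MFT record, signature %r" % record[:4])
    (_sig, _usa_off, _usa_size, _lsn, seq, links, attr_off, flags,
     used, alloc, _base_ref, _next_attr, _pad, recno) = struct.unpack_from(MFT_HEADER, record, 0)
    return {"record_number": recno, "sequence": seq, "hard_links": links,
            "first_attr_offset": attr_off, "flags": flags,
            "in_use": bool(flags & MFT_IN_USE), "is_dir": bool(flags & MFT_DIRECTORY),
            "used_size": used, "allocated_size": alloc}


def decode_data_runs(runs: bytes) -> list:
    """Decode a non-resident $DATA run list into [(start_lcn, length_in_clusters)].
    Each run starts with a header byte: low nibble = byte size of the length field,
    high nibble = byte size of the signed offset relative to the previous run's
    start; a 0x00 header ends the list. Sparse runs (offset size 0) own no clusters."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        hdr = runs[pos]
        pos += 1
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        length = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz:
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            out.append((lcn, length))
    return out


def cluster_allocated(bitmap: bytes, lcn: int) -> bool:
    """$Bitmap holds one bit per cluster; bit 0 of byte 0 is cluster 0."""
    return bool((bitmap[lcn >> 3] >> (lcn & 7)) & 1)


def assess_deleted_file(record: bytes, runs: bytes, bitmap: bytes) -> dict:
    """Report whether the record is free and which of its clusters were reused."""
    hdr = parse_mft_header(record)
    clusters = [lcn + i for lcn, n in decode_data_runs(runs) for i in range(n)]
    reused = [c for c in clusters if cluster_allocated(bitmap, c)]
    return {"deleted": not hdr["in_use"], "clusters": clusters, "reused": reused,
            "fully_recoverable": (not hdr["in_use"]) and not reused}


def build_sample_record(in_use: bool, recno: int = 40) -> bytes:
    """Constructed 1024-byte record with only the header filled in (sample data)."""
    hdr = struct.pack(MFT_HEADER, b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      MFT_IN_USE if in_use else 0, 0x100, 0x400, 0, 4, 0, recno)
    return hdr.ljust(1024, b"\x00")


# Constructed run list: 4 clusters at LCN 0x1000, then 2 clusters 0x20 further on.
SAMPLE_RUNS = bytes([0x21, 0x04, 0x00, 0x10, 0x11, 0x02, 0x20, 0x00])
# Constructed $Bitmap fragment: everything free except cluster 4128, already reused.
SAMPLE_BITMAP = bytearray(1024)
SAMPLE_BITMAP[4128 >> 3] |= 1 << (4128 & 7)

if __name__ == "__main__":
    print(assess_deleted_file(build_sample_record(False), SAMPLE_RUNS, bytes(SAMPLE_BITMAP)))
```

On a real volume the record comes from the $MFT file and the bitmap from $Bitmap (MFT entry 6); a record that carries a BAAD signature or whose in-use flag is set is not a recovery candidate, and any cluster reported as reused holds another file's data now, so the recovered content will be partial.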

Understanding resident and non-resident files

Encrypted files

On FAT volumes any encryption is done by applications running inside the OS; FAT itself has no encryption feature. Check which encryption applications exist on the system. Most encryption products (but not TrueCrypt) offer automatic encryption and decryption, so a password or key may be cached in memory somewhere; on a running system, simply double-clicking the file may decrypt it.

Recovering deleted files

When Windows deletes a file on a FAT volume:

  • It overwrites the first byte of the file's directory entry with 0xE5 (which displays as the lowercase Greek sigma, σ, in the OEM code page), so the first character of the short name is lost; the rest of the entry, including the starting cluster and the file size, is kept.
  • The clusters are marked free in the FAT, so the space becomes available for new files. Because the FAT chain entries are zeroed, only the first cluster is known directly; a fragmented file can only be recovered by assuming or reconstructing the order of its remaining clusters.

Files can be recovered with hex editor tools such as WinHex, or by parsing the directory entries and following the starting cluster for the recorded size.
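The FAT recovery described above, as an added example that is not part of the original page: it parses 32-byte short-name directory entries, flags those whose first byte is 0xE5, skips long-file-name pieces, decodes the FAT date and time fields, and carves a deleted file's content from the data area by assuming it was contiguous (the only safe assumption once the FAT chain has been zeroed). It assumes the standard FAT directory entry layout (attribute byte at offset 11, first-cluster high word at 0x14, modified time and date at 0x16 and 0x18, first-cluster low word at 0x1A, size at 0x1C) and that data cluster 2 sits at the start of the data area. The directory and data area are constructed in the script.

```python
"""Scan a FAT directory for deleted entries and carve their data (added example).
The directory entries and data area below are constructed sample data."""
import struct

DIR_ENTRY = "<8s3sBBBHHHHHHHI"   # 32-byte short-name directory entry
ATTR_LFN = 0x0F                  # long-file-name piece, not a file of its own
ATTR_DIRECTORY = 0x10
DELETED_MARK = 0xE5              # first byte of a deleted entry (shows as 'σ' in CP437)
FIRST_DATA_CLUSTER = 2           # FAT numbers data clusters starting at 2


def fat_date(d: int) -> tuple:
    return 1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F


def fat_time(t: int) -> tuple:
    return t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2   # seconds stored in 2 s units


def parse_dir_entry(raw: bytes):
    """Decode one 32-byte entry; None for never-used slots and LFN pieces."""
    (name, ext, attr, _nt, _ctenth, _ctime, _cdate, _adate,
     hi, mtime, mdate, lo, size) = struct.unpack(DIR_ENTRY, raw)
    if name[0] == 0x00 or attr == ATTR_LFN:
        return None
    deleted = name[0] == DELETED_MARK
    # the first character is gone for good; show it as '?' so the loss is visible
    base = (b"?" + name[1:] if deleted else name).decode("cp437").rstrip()
    ext_s = ext.decode("cp437").rstrip()
    y, mo, d = fat_date(mdate)
    h, mi, s = fat_time(mtime)
    return {"name": base + ("." + ext_s if ext_s else ""),
            "deleted": deleted, "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (hi << 16) | lo, "size": size,
            "modified": "%04d-%02d-%02d %02d:%02d:%02d" % (y, mo, d, h, mi, s)}


def scan_directory(cluster: bytes) -> list:
    """Return every live or deleted file entry in a directory cluster."""
    entries = []
    for off in range(0, len(cluster) - 31, 32):
        entry = parse_dir_entry(cluster[off:off + 32])
        if entry:
            entries.append(entry)
    return entries


def carve(entry: dict, data_area: bytes, bytes_per_cluster: int) -> bytes:
    """Recover content assuming the file was contiguous: the FAT chain is zeroed
    on deletion, so only the start cluster and the size can be trusted."""
    start = (entry["first_cluster"] - FIRST_DATA_CLUSTER) * bytes_per_cluster
    return data_area[start:start + entry["size"]]


def build_entry(name8: str, ext3: str, attr: int, first_cluster: int, size: int,
                mdate: int, mtime: int, deleted: bool = False) -> bytes:
    """Constructed directory entry, used only to build the sample below."""
    name = name8.encode("cp437").ljust(8)
    if deleted:
        name = bytes([DELETED_MARK]) + name[1:]
    return struct.pack(DIR_ENTRY, name, ext3.encode("cp437").ljust(3), attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, mtime, mdate, first_cluster & 0xFFFF, size)


# Constructed sample: one live file in cluster 2, one deleted file in cluster 3.
BYTES_PER_CLUSTER = 512
MDATE = (2008 - 1980) << 9 | 3 << 5 | 14        # 2008-03-14
MTIME = 9 << 11 | 30 << 5                        # 09:30:00
README = b"See the handover notes.\r\n"
SECRET = b"Quarterly figures: revenue down 12%, hiring freeze from April.\r\n"
SAMPLE_DIR = (build_entry("README", "TXT", 0x20, 2, len(README), MDATE, MTIME)
              + build_entry("SECRET", "DOC", 0x20, 3, len(SECRET), MDATE, MTIME, deleted=True)
              + b"\x00" * 32)
SAMPLE_DATA = README.ljust(BYTES_PER_CLUSTER, b"\x00") + SECRET.ljust(BYTES_PER_CLUSTER, b"\x00")

if __name__ == "__main__":
    for entry in scan_directory(SAMPLE_DIR):
        print(entry, carve(entry, SAMPLE_DATA, BYTES_PER_CLUSTER) if entry["deleted"] else "")
```

For a real image, read the bytes-per-sector, sectors-per-cluster, reserved sectors, FAT count and FAT size from the boot sector to locate the root directory and the start of the data area, then pass a directory's clusters to scan_directory and the data area to carve. A carved file whose contents stop making sense part-way through was fragmented or partly overwritten.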

Key Escrow