Encryption is an essential technology in the modern digital world. Many manufacturers have implemented encryption functionality in their storage products, for example, flash drives and SD cards. However, there can be disadvantages to this security precaution. Data access becomes more complex, especially when you forget your password, so every encryption can also lead to data loss.
Windows 7, 8, 8.1, and some older versions use the highly advanced NTFS file system. One of the features of NTFS is the ability to compress files in real-time using a fast streaming compression algorithm and write-protected file structures. Compression algorithms in NTFS aim to provide compressed data’s most understandable and transparent user experience.
Encryption of the File System
NTFS is a file system with many features and functions. One is that Encrypting File System (EFS) provides secure and understandable encryption of files and folders on NTFS partitions.
It is important to note that EFS encrypts data on a per-file basis and does not use free space specifically for encryption. However, any encrypted files that are lost or deleted will remain encrypted on the drive, even if they are already on a drive space marked as “free.” With this system, you cannot encrypt and compress files at the same time, as these are mutually exclusive options.
Recently, a client contacted us with a non-trivial case: an encrypted EasyStore USB flash drive. Drives of this type have hardware encryption, so the data recovery specialist must deal with the failure and all the problems resulting from encryption after a device failure.
Encrypted EasyStore USB Drive Recovery
The customer shipped his flash drive to our laboratory after the consultation. We received the drive, and our engineers started the data retrieval process with diagnostics.
They unsoldered the flash drive in our ISO Certified Class 10 Cleanroom and found out that the memory controller was damaged.
Our engineer carefully unsoldered the NAND chip and extracted all the data. The next step was to decrypt all the accessed files. In the client’s case, the device had a password, but it was formatted. As it turned out, even this is enough to lose access to data. The FAT32 file system, in which the vast majority of flash devices are formatted, does not retain any traces of file records during formatting.
The table itself is completely overwritten. After such formatting, restoring the file structure is usually achieved by analyzing all data with the construction of file trees based on the remaining records of files and folders.
Under normal conditions, even with a complete loss of data on the file allocation table – FAT, the data can be restored by the so-called draft recovery – searching for files by their signatures.
FAT32 Data Decryption Process
In order to distinguish one type of file from another, a signature is used. It is placed at the beginning of the file and is a file type identifier.
At the same time, special data decrypting keys of our own design are used to search for fragmented files. Generally, it is possible to recover up to 99.99% of lost data using a draft recovery.
The only inconvenience of a draft recovery is that the output is just a set of files of the same type: Word documents, JPEG pictures, etc., sorted into the appropriate folders. However, the volume of information written on flash drives is usually small, and their manual processing after recovery does not take much time.
Decrypting is very complex without knowing the encryption key and not owning the correct decryption algorithm. NTFS encrypts data using a sizeable symmetric key. This encryption is entirely transparent to the user and applications requesting access to encrypted files via system APIs. However, when accessing encrypted files by reading the disk directly bypassing system APIs, only encrypted data is accessible.
Our skilled engineers solve complex cases with the highest level of professionalism. They successfully decrypted the files and transferred them to a new flash drive. We made a remote file verification for the customer. He approved the data retrieval results and left a good review on Trustpilot.
Contact PITS Global Data Recovery Services at (888) 611-0737 or fill out the form to request our professional data retrieval solutions. Our specialists will securely and confidentially retrieve all your essential files.