Recover cert and private key from cloned drive - Windows ActiveDirectory environment
gamebird92 opened this issue · comments
Hello everyone,
I have an external hard disk that was secured via Windows EFS. The computer that initialized the encryption is not available any more, but I have a full drive clone (Clonezilla) of its hard drive.
So I am trying to rebuild the certificate and private key to decrypt the external drive.
The user that encrypted the external drive is an Active Directory user; the certificate was not published by our internal CA, though. So maybe the user encrypted the files before we set up the internal CA.
I am following this guide https://github.com/gentilkiwi/mimikatz/wiki/howto-%7E-decrypt-EFS-files but got stuck at decrypting the master key.
I know the user's password, so that should be easy, but instead of the master key I receive this error:
```
Auto SID from path seems to be: S-1-5-21-3184696595-1076132136-4192682506-1212
[masterkey] with password: XXXXX (normal user)
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password
[backupkey] without DPAPI_SYSTEM:
key : ff13e678bd5d8ff8b2e52b29eb77859e469421d0b6417ff938c6e495172ce91e
sha1: 4f8e5dbee5710e031771118fd01544a80b216e31
```
Does that mean it won't work with a password and I have to go for the NTLM domain account option?
I made it: I just added /protected to the password option and then it worked.
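Why `/protected` fixes the error in the two posts above is worth spelling out, because the mimikatz output gives no hint. The master key file is not unlocked with the password itself but with a 20-byte "user key" derived from it, and mimikatz has more than one derivation: the plain `/password` path hashes the UTF-16LE password with SHA-1, the NTLM path uses the MD4 (NT) hash, and the `/protected` path runs the NT hash through two rounds of PBKDF2-HMAC-SHA256 salted with the SID before use, which is what domain accounts on current Windows builds need. Each candidate is then mixed with the NUL-terminated UTF-16LE SID through HMAC-SHA1. The block below is an added example, not code from this issue or from the mimikatz project; it is my reconstruction of that key-derivation step from the open-source DPAPI tooling (mimikatz `kull_m_dpapi` and impacket `dpapi.py`), and the password and SID are constructed sample input. The final step, PBKDF2-HMAC-SHA512 over the master-key file's salt and iteration count followed by AES-256-CBC, is not included; MD4 is implemented inline because `hashlib.new("md4")` is disabled on many OpenSSL 3 builds.

```python
"""Derive the three DPAPI user-key candidates mimikatz tries (SHA-1, NTLM, protected).

Added example; reconstruction of the derivation used by open-source DPAPI tooling,
not code from the issue or the mimikatz project. Sample password/SID are constructed.
"""
import hashlib
import hmac
import struct

_M32 = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable)."""
    def F(x, y, z): return (x & y) | ((~x & _M32) & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & _M32

    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        # Round 1: F, message words in order, shifts 3/7/11/19.
        for i in range(16):
            a = rol((a + F(b, c, d) + X[i]) & _M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: G, words by column (0,4,8,12,...), shifts 3/5/9/13, constant sqrt(2).
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & _M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H, words in bit-reversed order, shifts 3/9/11/15, constant sqrt(3).
        order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):
            a = rol((a + H(b, c, d) + X[order3[i]] + 0x6ED9EBA1) & _M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M32, (b + bb) & _M32, (c + cc) & _M32, (d + dd) & _M32
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password."""
    return _md4(password.encode("utf-16le"))


def dpapi_user_keys(password: str, sid: str) -> dict:
    """Return the three 20-byte user-key candidates that unlock a master key file.

    'sha1'      : plain /password path (local accounts, older domain accounts)
    'ntlm'      : NT-hash path (what the thread calls the NTLM domain account option)
    'protected' : /protected path (NT hash -> 2x PBKDF2-HMAC-SHA256 salted with the SID)
    """
    pw = password.encode("utf-16le")
    sid_utf16 = sid.encode("utf-16le")
    sid_utf16_nul = (sid + "\0").encode("utf-16le")

    sha1_pw = hashlib.sha1(pw).digest()
    nt = ntlm_hash(password)
    tmp = hashlib.pbkdf2_hmac("sha256", nt, sid_utf16, 10000, 32)
    protected = hashlib.pbkdf2_hmac("sha256", tmp, sid_utf16, 1, 32)[:16]

    def user_key(secret: bytes) -> bytes:
        # Every variant ends with HMAC-SHA1 keyed by the secret over the NUL-terminated SID.
        return hmac.new(secret, sid_utf16_nul, hashlib.sha1).digest()

    return {"sha1": user_key(sha1_pw), "ntlm": user_key(nt), "protected": user_key(protected)}


if __name__ == "__main__":
    # Constructed sample input; "password" is used because its NT hash is a well-known vector.
    for name, key in dpapi_user_keys("password", "S-1-5-21-1-2-3-1000").items():
        print(f"{name:10s} {key.hex()}")
```

In the thread's situation the file on the cloned drive only decrypts under the `protected` candidate, which is why the plain password attempt reports `kull_m_dpapi_unprotect_masterkey_with_password` failing while the same password with `/protected` succeeds; when you do not know which derivation applies, trying all three against the master key file is cheap.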