How to perform encrypted file recovery

This article discusses encrypted file recovery, the challenges, and the prospects for recovery.

Microsoft encryption warning message
Microsoft encryption warning message

There are many reasons why passwords are applied to business files. These include privacy and tamper protection. However, encryption can prevent legitimate business access also. This article discusses encrypted file recovery, the challenges, and the prospects for recovery.

Most businesses use PDF, ZIP and Microsoft Office including Word and Excel to process, store and compress documents. These all have the ability to encrypt and decrypt files using a symmetric cipher (this means the same password is used to both encrypt and decrypt the file).

The amount of effort required to circumvent this security mechanism is generally considered to be based on the key space and the strength of the algorithm used. But this is not true and I’ll explain why further on but let’s keep this simple for now.

Key space

4 digit key space

As an example, the bike combination lock above has an finite number of sequences (the key space) and only one will work. The number of combinations and the amount of effort or time required will deter most bicycle thieves. It far easier to wait for another cyclist with a higher risk tolerance to park up. It’s the same with passwords: the length and the complexity are critical at preventing access.

Algorithm strength

Old padlock
Old padlock - past it's use by date!

Modern cryptographic algorithms are robust and breaking them directly is very difficult. If you don’t use a modern cryptographic algorithm or one that is relatively weak as with the old padlock above a thief will simply cut it in half using a modern bolt-cutters which are relatively cheap to purchase.

Why might you need to recover access to encrypted files?

The recovery of encrypted files is generally driven by necessity either operational, legal or regulatory. Most cases are in support of e-discovery searches where encrypted files have been recovered but the company does not have the corresponding password. Such e-discovery searches are used to support litigation or regulatory searches. Under some circumstances there’s an operational need either because someone lost a password or because a disgruntled member of staff has left and encrypted some critical files. In most cases operational access can be recovered by restoring from a “last known good backup”.

Challenges with decrypting files

Most businesses simply let staff use strong cryptography as they see fit with little or no restrictions. A lot of companies do this but there are risks. It means that passwords selected are not centrally managed making recovery difficult. Individuals have various methods of passwords storage ranging from notebooks, Excel and best of all password managers. However, when staff leave their data is either taken with them or their passwords are simply lost or beyond access.
Another key point to make is that staff may choose poor passwords that are easy to share or type into a mobile phone and text. This means that the key space mentioned above is drastically reduced so much so that it enables the possibility of recovery.

To recover files, most firms, will resort to either off the shelf software or a cloud-based service. Specialist software may help you but to be effective you need to know how best to use the software and to combine it with specialist hardware and knowledge. Kali linux has a host of excellent packages that may be able to help.

Cloud based encrypted file recovery services are routinely provided from locations where the rule of law and in particular cyber laws and data privacy laws are weak. It’s cheap for a reason. You need to balance your needs against the risk associated.

It is also worth mentioning that if data has been encrypted with Ransomware then unless there is an available recovery utility then recover is probably not possible.

How IT Security Locksmith can help

If you have files that have been encrypted by a member of staff then IT Security Locksmith provide a premium service designed to support your Operations, Cyber Security or e-Discovery processes.
Benefits:
• Processing all performed in the UK / EU
• Due diligence supported
• Non-disclosure agreement available
• Service contract available
• Report available on effort expended to attempt recovery

Prospects for recovery

In general, approximately 70% of files can be recovered with the other 30% being in the category "the amount of time and effort is not cost effective or timely". The majority of the 70% are broken within 10 business days and the remainder taking a further 15 business days to fully process.

"There is no guarantee of recovery!"

Get in touch

If you have any enquiries or require more information please email: contact@itsecuritylocksmith.co.uk.