Data encryption is an important way to protect sensitive information stored on hard drives and other storage media. However, there may be times when you need to recover data from an encrypted drive but no longer have the password or encryption key. This can happen if you forget the password, the key is corrupted, or the person who set up the encryption is no longer available.
While encrypted data is designed to be unreadable without the correct decryption key, it is possible to crack or bypass the encryption given enough time and computing resources. Specialized tools and techniques exist that can allow recovery of data from encrypted drives under the right circumstances.
Factors That Determine Feasibility of Encrypted Data Recovery
Several factors determine whether it will realistically be possible to recover data from an encrypted drive:
Type of Encryption Used
-
Weak encryption algorithms like WEP and ZIP crypto are much easier to break than strong ones like AES-256. The stronger the encryption, the harder recovery becomes.
-
Full disk encryption systems like BitLocker and FileVault 2 are more difficult than file/folder encryption.
Encryption Key Strength
-
The longer and more complex encryption keys are, the harder they are to crack through brute force attacks.
-
128-bit keys offer moderate protection while 256-bit keys are extremely strong against key guessing.
Available Attack Vectors
-
The most successful decryption relies on analyzing encrypted data patterns to deduce the key. Larger sample sizes make attacks more feasible.
-
Access to encrypted volumes increases attack surface area compared to only having encrypted files.
Computational Resources for Attacks
-
Specialized hardware and software can test billions of password guesses per second. More resources make successful key recovery more likely.
-
Cloud computing and harnessing many systems in parallel speed up brute force attacks substantially.
Software Tools for Recovering Data from Encrypted Drives
A number of software tools and services exist aimed at encrypted data recovery:
Disk Decryptor
-
An open source solution for recovering files from encrypted partitions and drives.
-
Supports many encryption algorithms like AES, Serpent, and Twofish.
-
Uses techniques like brute force key attacks and exploiting password weaknesses.
Passware Kit Forensic
-
Designed to access password protected or encrypted files and disks from computers and storage media extracted for forensic investigation.
-
Claims the ability to recover passwords and encryption keys through methods like brute force and dictionary attacks.
-
Also recovers data from damaged media like floppy disks and corrupted hard drives.
AccessData Decryption Toolkit
-
Focused on decrypting and decoding encrypted files and password protected containers.
-
Optimized for speed through GPU acceleration and massive key space searches.
-
Used by law enforcement, government agencies, and corporations for legal investigations and data recovery.
BitRaser File Eraser
-
As well as securely overwriting data to prevent recovery, BitRaser can recover deleted encrypted files through techniques like analyzing encryption headers.
-
Claims high success rates for popular encryption methods like BitLocker, PGP, and OpenSSL.
-
Can restore encrypted Office documents, archives, media files, and more.
Techniques Used for Encrypted Data Recovery
Some of the key techniques and methods used by data recovery software for retrieving encrypted data without keys or passwords include:
Brute Forcing Encryption Keys
-
This involves systematically testing every possible key until the correct one is found that properly decrypts the data.
-
Success depends on key size, char set, and computational power. GPUs accelerate this massively.
Exploiting Encryption Algorithm Weaknesses
-
Weak ciphers like WEP and RC4 have mathematical quirks that allow shortcut attacks against the key.
-
Stream ciphers are vulnerable to known plaintext attacks by comparing patterns in the encrypted vs plain data.
Accessing Encrypted Data Remnants
-
Unencrypted metadata and headers often remain accessible and can provide clues to encryption parameters.
-
Recovery of partial corrupted data on damaged drives can also help deduce keys.
Dictionary Attacks
-
Trying common words, phrases, and combinations as password guesses based on dictionaries and wordlists.
-
Pre-computed hash tables greatly speed up password dictionary attacks.
Social Engineering Methods
- Using personal knowledge, social media info, and background research to make smart password guesses about the encryption owner.
Real World Examples of Encrypted Data Recovery
There are many real world examples where law enforcement, government agencies, and data recovery specialists have managed to successfully retrieve data from encrypted sources after access to keys/passwords was lost:
-
FBI infamously broke into the iPhone 5c of San Bernardino shooter Syed Rizwan Farook by bypassing the device’s encryption without the passcode.
-
Customs officials cracked the FileVault 2 encryption on a seized MacBook Pro laptop through brute forcing the password using specialist hardware.
-
Digital forensics firm DriveSavers was able to recover encrypted files for a client after a house fire using proprietary data recovery and password cracking technology.
-
Penetration testing company Coalfire decrypts lost TrueCrypt containers for clients by leveraging vulnerabilities in outdated versions and weak password guessing.
-
The NSA is rumored to have backdoors into certain commercial encryption algorithms, allowing them to bypass encryption under authority of surveillance programs.
Conclusion
While strong encryption like AES-256 is virtually impossible to crack directly through mathematical attacks with current technology, recovery of lost encrypted data is still possible in many cases with the right tools, resources, and perseverance. Obtaining any small foothold like partial decrypted data or password hints greatly improves the feasibility. But users should not rely on encryption as foolproof protection for their data if the password is weak or otherwise compromised. Proper password security hygiene remains imperative for robust protection of sensitive encrypted data.
