Recovering Encrypted and Compressed Data

Data compression and encryption are like fashion: they get popular one day, and lose their perceived importance the other day. The cycle repeats itself regularly. Today, data encryption is trendy, while real-time compression is once again out of fashion. Let’s see what types of encryption (and compression) are available to a Windows user, and what you can do if you lost data that was compressed or encrypted.

Recovering Encrypted and Compressed Data

Contents

  1. NTFS Real-Time Compression
  2. Compressed File Recovery Limitations
  3. Self-Compressing Storage Devices
  4. Recovering Encrypted Data
  5. Recovering NTFS-Encrypted Files
  6. Recovering Data from BitLocker Volumes

Let’s start with compression.

NTFS Real-Time Compression

Windows 7, 8, 8.1 as well as some legacy versions of Windows use a highly advanced file system, the NTFS. One of the features of NTFS is the ability to compress files in real time using a fast, stream-enabled compression algorithm. The compression algorithms in NTFS are designed to work transparently for the end user (neither you nor any application will be able to tell that a certain file or folder is compressed unless looking specifically for the “compressed” attribute).

NTFS compression is fast, transparent and convenient. You can compress files individually by changing their advanced attributes; you can also compress folders or the entire drive by modifying their advanced attributes (in which case the compression attribute will become the default for the files inside).

If you want to use compression, note that it’s best suited for small and medium-sized files that tend to compress well (such as a bunch of email messages, log files, text or HTML), infrequently written, usually accessed sequentially, and are not themselves compressed.

The last point is important as it pretty much excludes everything that takes the most space on your hard drive such as pictures, music and videos. Indeed, all videos are already compressed to the highest possible degree. The same can be said about pictures in all common formats (including lossy and lossless compression). Music is also compressed with lossy (MP3, OGG, AC3) or lossless (FLAC, ALAC) compression algorithms. As you see, there’s absolutely no point in compressing folders containing any of those files.

As a matter of fact, compressing your Documents folder is not a good idea either. The “new” Microsoft Office formats (.docx, .xlsx etc.) are in fact XML files compressed into ZIP containers. Enabling NTFS compression on those files (or the entire Documents folder) will not do any good.

Compressing executable files can gain you a few megabytes – at the cost of longer loading times. Finally, compressing system files may render the entire OS unbootable (although Windows is smart enough to protect those files from being compressed).

Compressed File Recovery Limitations

Enough theory. If you are reading this, maybe you had a file, a folder, or the entire partition compressed, and are looking for a tool to recover those files. We have some good news, and some bad news.

The good news is that NTFS-compressed files are recoverable. The bad news is they aren’t recoverable to the same degree as uncompressed files.

While many data recovery tools claim the ability to recover compressed files, such ability may in fact be quite limited. For example, some data recovery tools may not be able to use data carving (a variation of signature-search technique) on NTFS-compressed files. The better tools can, of course, detect the fact that a certain disk cluster has been compressed, and decompress it on the fly to apply signature-search recovery.

Another issue with NTFS-compressed files is higher than usual fragmentation. Windows implementation of file compression allows for fast random access times. However, due to certain design properties of these algorithms, large compressible files may become highly fragmented, which can make the recovery of compressed files larger than 64 KB more difficult compared to recovering non-compressed files. This won’t apply to smaller files (such as email messages).

Looking for a tool to recover NTFS-compressed files? Try RS Partition Recovery Software, a data recovery tool supporting the recovery of compressed files.

Self-Compressing Storage Devices

There is a notable exception from rules mentioned above. Some storage devices such as SSD drives with Sandforce controllers already compress data in background. The idea behind this logic is reducing drive wear (by writing less information into NAND storage cells) while improving performance at the same time. In real life, the idea didn’t work quite as well as was planned, and no other manufacturers (with one or two exceptions) followed the trend.

With regards to data recovery, self-compressing storage devices are completely transparent to applications, the operating system and, most importantly, to data recovery tools. If we’re talking about Sandforce controllers, those used to have a bug in their implementation of TRIM and garbage collection, which resulted in deleted data just sitting there instead of being erased. All this made Sandforce-based SSD drives particularly well suited for the purpose of data recovery (and not so wonderful for other purposes such as actually using the disks).

Recovering Encrypted Data

Encryption is a very general term. Encrypted data can range from password-protected Word documents to entire disk volumes locked with encryption. In this article, we won’t be able to cover everything related to encryption (that would take a book, and not the thinnest one).

Recovering Encrypted Data

Instead, we’ll talk about two distinctly different types of encryption available to Windows users out of the box. These are file-level NTFS encryption and volume-level BitLocker.

Recovering NTFS-Encrypted Files

NTFS is a wonderful file system with may features and extensions. One of such extensions is Encrypting File System (EFS), a part of NTFS specification that provides strong and transparent encryption of files and folders on an NTFS volume. Importantly, EFS only encrypts data on per-file basis, which means that free space will not be specifically targeted for encryption. However, any encrypted files that get lost or deleted will remain on the disk in their encrypted form, even if they are now residing in what appears to be free disk space. Importantly, you cannot encrypt AND compress files with NTFS at the same time as the two options are mutually exclusive.

NTFS encryption works by encrypting files with a bulk symmetric key. This encryption is fully transparent to the user and applications requesting access to encrypted files via the system APIs. However, when accessing encrypted files by reading the disk directly (while bypassing system API’s), you will only see encrypted data that’s very difficult to decrypt without knowing the encryption key and applying the correct decryption algorithm. As a result, many data recovery tools will either fail to recover encrypted files or only apply a half-hearted approach (by e.g. only employing file-system level recovery but omitting low-level scraping and data carving/signature search).

However, in NTFS land, encrypted files are just… files. If something happens to them, and there still is information in the file system about their past whereabouts, you can apply exactly the same tricks to analyze file system records and reinstate the encrypted file in its original entirety. Encryption-aware data recovery tools will then set the “encrypted” attribute on the file to make sure that Windows can recognize the file as encrypted, and decrypts its content once the file is accessed by the user.

Note that NTFS-encrypted files can only be successfully decrypted once their respective owner logs in to their account. If you don’t know the password to the user’s account, resetting that password will effectively render encrypted files inaccessible. Also note that, in order to decrypt NTFS-encrypted files, one can use the current password or prior passwords to that account that were used in the past.

Looking for a tool to recover NTFS-encrypted files? Try RS Partition Recovery Software, a data recovery tool supporting the recovery of encrypted files and folders.

Recovering Data from BitLocker Volumes

BitLocker is Windows native whole-disk encryption system. BitLocker does not work on individual files and folders. Instead, it encrypts the entire disk volume including free disk space (whether or not the entire volume free space is encrypted can be configured when setting up BitLocker).

Recovering Data from BitLocker Volumes

BitLocker volumes can be read by all Windows editions (Windows 7, 8, 8.1 and newer). However, new volumes can be only created in Windows 7 Ultimate and most Windows 8.x systems.

Starting with Windows 8, the main partition (disk C:) is automatically encrypted with BitLocker after the user logs in into their Microsoft Account (given that that Microsoft Account has administrative privileges). If the administrator is using a local Windows account, disk C: is not encrypted by default.

What does this all mean for the purpose of data recovery? It means that your chances of encountering a BitLocker volume are about as high as the chance of encountering a Windows 8 or 8.1 system with the main user logged in with their Microsoft Account.

BitLocker encryption is completely transparent. BitLocker volumes can be accessed in low level with system API’s, which will return unencrypted data. As a result, you can successfully recover information from mounted BitLocker volumes by using the same data recovery tools you would use for recovering a plain, unencrypted partition.

The difficulties begin if your system does not boot, and you’re trying to recover a BitLocker volume that has not been mounted. If you connected the disk to a Windows system, you can mount the BitLocker volume by entering the Recovery Key (don’t know where to enter that key? Don’t worry, Windows will prompt you for it the moment you try accessing a BitLocker volume). You can retrieve your Recovery Key by logging in to your Microsoft Account and using the following link: https://onedrive.live.com/recoverykey

Once there, locate the correct Recovery Key by matching the prompted name to the list of available keys. The BitLocker partition will be mounted.

What if you don’t have access to the Recovery Key? In that case, you really can’t do anything. After all, BitLocker was designed to withstand attacks against unauthorized access.

Looking for a tool to recover BitLocker protected partitions? Try RS Partition Recovery Software, a data recovery tool supporting the recovery of BitLocker-encrypted disks and volumes.

Frequently Asked Questions

If you have forgotten the encryption password, it can be challenging to recover the encrypted data. Encryption is designed to be secure, and without the password, it is nearly impossible to decrypt the data. Your best option would be to try any possible passwords or recovery options you may have set up. If all else fails, you may need to consider the data as permanently lost and focus on preventing such situations in the future by keeping backups and securely storing passwords.
It is highly unlikely to recover compressed data if the compression algorithm used is unknown. Compression algorithms are designed to reduce the size of data by removing redundant information, and the process is irreversible without knowledge of the specific algorithm used. Without the algorithm, it would be extremely difficult, if not impossible, to reconstruct the original data from the compressed version.
Yes, there are specific tools and software available for recovering encrypted and compressed data. Some popular options include data recovery software like EaseUS Data Recovery Wizard, Recuva, and Stellar Data Recovery. These tools can help recover encrypted and compressed data from various storage devices such as hard drives, USB drives, and memory cards. It is important to note that the success of data recovery depends on various factors such as the encryption algorithm used and the level of compression applied.
Some best practices to prevent data loss when dealing with encrypted and compressed files include regularly backing up the files to a secure location, using strong and unique encryption keys or passwords, verifying the integrity of the files before and after compression/encryption, using reliable and reputable compression/encryption software, and keeping the software and operating system up to date with the latest security patches. Additionally, it is important to educate users about safe file handling practices and to implement access controls to limit unauthorized access to the files.
Updated:
5/117
Den Broosen

Written by Den Broosen

Author and site editor for RecoverySoftware. In his articles, he shares his experience of data recovery on a PC and the safe storage of information on hard drives and RAID arrays.
Adam Bean

Approved by Adam Bean

Adam is site editor. He carries more than 12 years of expertise in digital forensics and data recovery. He also continues to research and share the most recent developments in the fields of data recovery and secure storage.
Leave a comment

Related Posts

Recovering data from Oracle VirtualBox virtual machines
Recovering data from Oracle VirtualBox virtual machines
Oracle VM VirtualBox virtual machines store data in *.VDI virtual hard disk files. When virtual machine files become corrupted, it becomes difficult to load the virtual machine data files. Thus, there is a need to recover data files from the … Continue reading
Unix File Systems: UFS1 and UFS2
Unix File Systems: UFS1 and UFS2
Linux File System – ZFS
Linux File System – ZFS
The Linux operating system is quite flexible. It can be used on desktops as well as on servers. The main thing is to choose the correct file system for your needs. In this article, we will look in detail at … Continue reading
Recovering data from XenServer virtual machines
Recovering data from XenServer virtual machines
How to recover data from XenServer virtual machines? As a result of our actions or a hypervisor failure, we may lose a virtual machine. It may fail to start, become corrupted, or its virtual disk may disappear. The XenServer Xen … Continue reading
Online Chat with Recovery Software