Recover HDD Data
 
Blog
 
Recovering Encrypted and Compressed Data

Recovering Encrypted and Compressed Data

Data compression and encryption are like fashion: they get popular one day, and lose their perceived importance the other day. The cycle repeats itself regularly. Today, data encryption is trendy, while real-time compression is once again out of fashion. Let’s see what types of encryption (and compression) are available to a Windows user, and what you can do if you lost data that was compressed or encrypted.

Recovering Encrypted and Compressed Data

Let’s start with compression.

NTFS Real-Time Compression

Windows 7, 8, 8.1 as well as some legacy versions of Windows use a highly advanced file system, the NTFS. One of the features of NTFS is the ability to compress files in real time using a fast, stream-enabled compression algorithm. The compression algorithms in NTFS are designed to work transparently for the end user (neither you nor any application will be able to tell that a certain file or folder is compressed unless looking specifically for the “compressed” attribute).

NTFS compression is fast, transparent and convenient. You can compress files individually by changing their advanced attributes; you can also compress folders or the entire drive by modifying their advanced attributes (in which case the compression attribute will become the default for the files inside).

If you want to use compression, note that it’s best suited for small and medium-sized files that tend to compress well (such as a bunch of email messages, log files, text or HTML), infrequently written, usually accessed sequentially, and are not themselves compressed.

The last point is important as it pretty much excludes everything that takes the most space on your hard drive such as pictures, music and videos. Indeed, all videos are already compressed to the highest possible degree. The same can be said about pictures in all common formats (including lossy and lossless compression). Music is also compressed with lossy (MP3, OGG, AC3) or lossless (FLAC, ALAC) compression algorithms. As you see, there’s absolutely no point in compressing folders containing any of those files.

As a matter of fact, compressing your Documents folder is not a good idea either. The “new” Microsoft Office formats (.docx, .xlsx etc.) are in fact XML files compressed into ZIP containers. Enabling NTFS compression on those files (or the entire Documents folder) will not do any good.

Compressing executable files can gain you a few megabytes – at the cost of longer loading times. Finally, compressing system files may render the entire OS unbootable (although Windows is smart enough to protect those files from being compressed).

Compressed File Recovery Limitations

Enough theory. If you are reading this, maybe you had a file, a folder, or the entire partition compressed, and are looking for a tool to recover those files. We have some good news, and some bad news.

The good news is that NTFS-compressed files are recoverable. The bad news is they aren’t recoverable to the same degree as uncompressed files.

While many data recovery tools claim the ability to recover compressed files, such ability may in fact be quite limited. For example, some data recovery tools may not be able to use data carving (a variation of signature-search technique) on NTFS-compressed files. The better tools can, of course, detect the fact that a certain disk cluster has been compressed, and decompress it on the fly to apply signature-search recovery.

Read more:  Recovering Fragmented Files

Another issue with NTFS-compressed files is higher than usual fragmentation. Windows implementation of file compression allows for fast random access times. However, due to certain design properties of these algorithms, large compressible files may become highly fragmented, which can make the recovery of compressed files larger than 64 KB more difficult compared to recovering non-compressed files. This won’t apply to smaller files (such as email messages).

Looking for a tool to recover NTFS-compressed files? Try RS Partition Recovery Software, a data recovery tool supporting the recovery of compressed files.

Self-Compressing Storage Devices

There is a notable exception from rules mentioned above. Some storage devices such as SSD drives with Sandforce controllers already compress data in background. The idea behind this logic is reducing drive wear (by writing less information into NAND storage cells) while improving performance at the same time. In real life, the idea didn’t work quite as well as was planned, and no other manufacturers (with one or two exceptions) followed the trend.

With regards to data recovery, self-compressing storage devices are completely transparent to applications, the operating system and, most importantly, to data recovery tools. If we’re talking about Sandforce controllers, those used to have a bug in their implementation of TRIM and garbage collection, which resulted in deleted data just sitting there instead of being erased. All this made Sandforce-based SSD drives particularly well suited for the purpose of data recovery (and not so wonderful for other purposes such as actually using the disks).

Recovering Encrypted Data

Encryption is a very general term. Encrypted data can range from password-protected Word documents to entire disk volumes locked with encryption. In this article, we won’t be able to cover everything related to encryption (that would take a book, and not the thinnest one).

Recovering Encrypted Data

Instead, we’ll talk about two distinctly different types of encryption available to Windows users out of the box. These are file-level NTFS encryption and volume-level BitLocker.

Recovering NTFS-Encrypted Files

NTFS is a wonderful file system with may features and extensions. One of such extensions is Encrypting File System (EFS), a part of NTFS specification that provides strong and transparent encryption of files and folders on an NTFS volume. Importantly, EFS only encrypts data on per-file basis, which means that free space will not be specifically targeted for encryption. However, any encrypted files that get lost or deleted will remain on the disk in their encrypted form, even if they are now residing in what appears to be free disk space. Importantly, you cannot encrypt AND compress files with NTFS at the same time as the two options are mutually exclusive.

NTFS encryption works by encrypting files with a bulk symmetric key. This encryption is fully transparent to the user and applications requesting access to encrypted files via the system APIs. However, when accessing encrypted files by reading the disk directly (while bypassing system API’s), you will only see encrypted data that’s very difficult to decrypt without knowing the encryption key and applying the correct decryption algorithm. As a result, many data recovery tools will either fail to recover encrypted files or only apply a half-hearted approach (by e.g. only employing file-system level recovery but omitting low-level scraping and data carving/signature search).

However, in NTFS land, encrypted files are just… files. If something happens to them, and there still is information in the file system about their past whereabouts, you can apply exactly the same tricks to analyze file system records and reinstate the encrypted file in its original entirety. Encryption-aware data recovery tools will then set the “encrypted” attribute on the file to make sure that Windows can recognize the file as encrypted, and decrypts its content once the file is accessed by the user.

Read more:  Recovering Data from Failed Samsung EVO SSD’s

Note that NTFS-encrypted files can only be successfully decrypted once their respective owner logs in to their account. If you don’t know the password to the user’s account, resetting that password will effectively render encrypted files inaccessible. Also note that, in order to decrypt NTFS-encrypted files, one can use the current password or prior passwords to that account that were used in the past.

Looking for a tool to recover NTFS-encrypted files? Try RS Partition Recovery Software, a data recovery tool supporting the recovery of encrypted files and folders.

Recovering Data from BitLocker Volumes

BitLocker is Windows native whole-disk encryption system. BitLocker does not work on individual files and folders. Instead, it encrypts the entire disk volume including free disk space (whether or not the entire volume free space is encrypted can be configured when setting up BitLocker).

Recovering Data from BitLocker Volumes

BitLocker volumes can be read by all Windows editions (Windows 7, 8, 8.1 and newer). However, new volumes can be only created in Windows 7 Ultimate and most Windows 8.x systems.

Starting with Windows 8, the main partition (disk C:) is automatically encrypted with BitLocker after the user logs in into their Microsoft Account (given that that Microsoft Account has administrative privileges). If the administrator is using a local Windows account, disk C: is not encrypted by default.

What does this all mean for the purpose of data recovery? It means that your chances of encountering a BitLocker volume are about as high as the chance of encountering a Windows 8 or 8.1 system with the main user logged in with their Microsoft Account.

BitLocker encryption is completely transparent. BitLocker volumes can be accessed in low level with system API’s, which will return unencrypted data. As a result, you can successfully recover information from mounted BitLocker volumes by using the same data recovery tools you would use for recovering a plain, unencrypted partition.

The difficulties begin if your system does not boot, and you’re trying to recover a BitLocker volume that has not been mounted. If you connected the disk to a Windows system, you can mount the BitLocker volume by entering the Recovery Key (don’t know where to enter that key? Don’t worry, Windows will prompt you for it the moment you try accessing a BitLocker volume). You can retrieve your Recovery Key by logging in to your Microsoft Account and using the following link: https://onedrive.live.com/recoverykey

Once there, locate the correct Recovery Key by matching the prompted name to the list of available keys. The BitLocker partition will be mounted.

What if you don’t have access to the Recovery Key? In that case, you really can’t do anything. After all, BitLocker was designed to withstand attacks against unauthorized access.

Looking for a tool to recover BitLocker protected partitions? Try RS Partition Recovery Software, a data recovery tool supporting the recovery of BitLocker-encrypted disks and volumes.