[R-Studio] .$efs files – what are they, why are they there ?

A forum on data recovery using the professional data recovery software R-STUDIO.
abolibibelot
Posts: 13
Joined: Sun Jan 31, 2016 5:45 pm

[R-Studio] .$efs files – what are they, why are they there ?

Post by abolibibelot » Tue Sep 19, 2017 1:34 am

On recovering files from a ddrescue image of a failing 1TB system HDD with R-Studio 8.2, I got many, I mean *many* files with a .$efs extension, which do not appear in R-Studio recovery tree, and their timestamps correspond to the time of the extraction. Apparently those files are related to the EFS encryption system, but so far that's all I know. What exactly are those files ? Are they necessary to read/access the files of the same names to which they are associated ? And if not, is there a way to prevent R-Studio from creating them and adding unnecessary clutter to the recovery of a complete file tree ? What is the particularity of those files which have .$efs files associated to them, compared with all the others which do not ?
They do not appear to be encrypted, they're still readable if I remove the corresponding .$efs file, they appear just like regular files of a given type if I look at them with an hexadecimal editor directly on the image file, I can not see any specific pattern. There are thousands of them, with the bulk located in the Windows directory, but some can also be found in the "Users" directory. The HDD is not mine so I don't know how it was configured with regards to formatting and whatnot. I just read in R-Studio' FAQ that those files were expected to appear when extracting to a FAT32 volume, but that's not the case at all here, all the partitions used for that recovery are formatted in NTFS.
Thanks in advance for you kind comments.
Gabriel, France
You do not have the required permissions to view the files attached to this post.

Alt
Site Moderator
Posts: 2271
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: [R-Studio] .$efs files – what are they, why are they the

Post by Alt » Thu Sep 28, 2017 1:37 pm

As far as I understand, those files contains certificate files used to encrypt files in efs.

abolibibelot
Posts: 13
Joined: Sun Jan 31, 2016 5:45 pm

Re: [R-Studio] .$efs files – what are they, why are they there ?

Post by abolibibelot » Mon Oct 02, 2017 3:30 am

The question is : why does R-Studio create those files which do not appear in the recovery tree, whenever I extract the files to which they are associated ? Where would those certificates come from ?
And are those .efs files somehow necessary for the integrity of the files associated to them, or can I safely remove them ? Again, if they can safely be removed, why would they be created in the first place ?

(I put a screenshot but it was removed, apparently PNG files are not authorized, another weird thing in this weird world...)

Alt
Site Moderator
Posts: 2271
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: [R-Studio] .$efs files – what are they, why are they there ?

Post by Alt » Mon Oct 02, 2017 10:45 am

abolibibelot wrote:
Mon Oct 02, 2017 3:30 am
(I put a screenshot but it was removed, apparently PNG files are not authorized, another weird thing in this weird world...)
A small bug from the forum upgrade. Now fixed.

abolibibelot
Posts: 13
Joined: Sun Jan 31, 2016 5:45 pm

Re: [R-Studio] .$efs files – what are they, why are they there ?

Post by abolibibelot » Fri Oct 06, 2017 5:45 am

So... nobody has any clue regarding my initial question ?

Alt
Site Moderator
Posts: 2271
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: [R-Studio] .$efs files – what are they, why are they there ?

Post by Alt » Fri Oct 06, 2017 11:08 am

Did you enable encryption on the disks the recovered files were saved to? If not, that is why those files appeared. When you copy those files on an NTFS disk with encryption enabled, they'll disappear and the files will become encrypted.

abolibibelot
Posts: 13
Joined: Sun Jan 31, 2016 5:45 pm

Re: [R-Studio] .$efs files – what are they, why are they there ?

Post by abolibibelot » Fri Oct 06, 2017 3:47 pm

Did you enable encryption on the disks the recovered files were saved to? If not, that is why those files appeared. When you copy those files on an NTFS disk with encryption enabled, they'll disappear and the files will become encrypted.
As I said in the first post, “the HDD is not mine so I don't know how it was configured”. The owner is as computer-illiterate as you can imagine, so I don't think that he enabled any kind of encryption himself. (He should have made backups before that, so that he wouldn't need me to save his ass with a little help from ddrescue, R-Studio and a few other brilliant tools ! :^p The HDD was in a really bad condition, clicking and whirring and bleeping every now and then, yet I managed to recover almost 100% of the personal files.) The machine on which that HDD was installed is apparently an integrated PC from Hewlett-Packard (there is a “hp” directory at the root), so maybe it was configured by the manufacturer with EFS encryption enabled. The strange thing in that case is that only some kinds of files have .$efs files associated to them, and I can't identify a specific pattern. Most of them are in the “Windows” directory, but there are also a few in the Program* directories, or even the Users directory ; there are many .dll or .exe files, but not all of them, and there are almost no .jpg files but there are some of them...
I made a list with the command :

Code: Select all

FOR /R %F in (*.$efs) do echo S:%~pF%~nF%~xF >>T:\liste_efs.txt
There are 15947 .$efs files in total in this recovery. The client will still be happy (I guess), anyway the “Windows” directory can later be deleted entirely, as it normally doesn't contain personal files, but I'd like to understand the issue, in case this happens again.
Also, could it be related to the other issue I asked about yesterday, regarding the “invalid data to decompress” error ? Does that error imply that the affected files were encrypted ? How could I verify this ? I still have the ddrescue image of the original HDD. If for instance I check the “dwusplay.exe” file (see the screenshot in the first post) in R-Studio's data analyzer, it says that it begins at sector 31305504, and then if I open the image file in WinHex and go to sector 31305504 of that partition, it displays the actual content of that file with the correct executable header, and no apparent encryption that should (I think) be apparent when accessing the volume at “low level” like this. (The very same content is displayed in R-Studio's own hexadecimal viewer, by the way, I just wanted to double-check, in case R-Studio would have somehow decrypted the file on the fly.)

Alt
Site Moderator
Posts: 2271
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: [R-Studio] .$efs files – what are they, why are they there ?

Post by Alt » Tue Oct 10, 2017 4:42 pm

Check whether those original files (not .$efs files) are encrypted. If not, those .$efs files may be attributes of the transactional NTFS, and they can be deleted.

Post Reply