Re: copying encrypted flag
Very bad. Each file has its own random encryption key. The missing stream contains the original encryption key, encrypted with public keys of all people allowed to get the encryption key and decrypt the file. The encryption key is random because each file has its own set of allowed readers.
If that is the case then I should pretty much forget about recovering anything. However, when I do go back and look at the inodes of other encrypted files, I realize that they all have pretty much the same inode entries:
Dumping attribute $LOGGED_UTILITY_STREAM (0x100) from mft record 22940 (0x599c)
Attribute name: '$EFS'
Attribute flags: 0x0000
Attribute instance: 4 (0x4)
Data size: 568 (0x238)
Resident flags: 0x00
Where is the encrypted encryption key stored in this stream? I guess this dump does not actually print that. I believe that this program never recovered this inode entry so I have pretty much no hope :-(.
So you have double encrypted the file with a new random encryption key, and with your private key you can get it from the new LOGGED_UTILITY_STREAM and make your file single encrypted. This is probably not what you wanted.
The double encryption was just a try. I read somewhere that double encryption is not possible so I thought maybe the system intelligently recognized something, but I guess it does not. And if the random encryption key is missing then there is no hope.
Your other post had said:
"AFAIK most encryption metadata are appended to the file itself : the signature and the symmetric encryption key encrypted with the public keys of all users allowed to decrypt. The secret keys needed to decrypt the symmetric key are withheld by their owners and are not associated to the file."
This gave me the hope that all the data is in the file itself and if the file is recovered, everything is recovered and since I have the certificate so I am all set. I guess that is not the case then.
BTW I tried the patch from your other post but I guess that also does not restore the EFS flag.