Forensics
Re: recovery/forensics of NTFS encrypted folder. Jan 02 2007 08:29PM
levinson_k securityadmin info (1 replies)
I believe cracking EFS encrypted files is not going to likely here, unless you were able to somehow recover the deleted user profiles from the wiped version of Windows from the disk, from the domain (if it was joined to a domain) or from a backup. How exactly was the disk "wiped?"

Good information on decrypting EFS files is at www.beginningtoseethelight.org/efsrecovery, starting with the links to the commercial tools that claim to be able to attempt to brute force EFS. I'm not sure if you will have success or not, or how quickly. I haven't yet heard of anyone that has had success with these products when the key is lost.

Microsoft reportedly has a tool that can help recover encryption keys to decrypt EFS files if you pay the $100 to $300 US for a tech support call to them, using the phone numbers at www.microsoft.com/support, and there are the manual procedures listed at beginningtoseethelight.org. But I believe these methods generally require having the keys from the user profile that encrypted the files.

You could choose to pay a disk recovery firm to attempt to recover the keys from the wiped disk. I understand this could cost $1000 or more with no guarantees of data recovery.

kind regards,
Karl Levinson
http://securityadmin.info

[ reply ]
Physically damaged SD card Jan 04 2007 06:33PM
Michael Edwards (medwards digital-legal com) (3 replies)
Re: Physically damaged SD card Jan 05 2007 04:44AM
Raymond C. Parks (rcparks comcast net)
Re: Physically damaged SD card Jan 04 2007 08:43PM
zoli kincses (kincses caesar elte hu)
RE: Physically damaged SD card Jan 04 2007 08:19PM
Ackley, Ray (R.J.) (rackley ford com)


 

Privacy Statement
Copyright 2010, SecurityFocus