Forensics
Re: recovery/forensics of NTFS encrypted folder. Jan 03 2007 03:48PM
Chetan Gupta (chetan gupta niiconsulting com)
Dear Richard,
I haven't tried it yet, but it should be worth trying out. Let me tell you
my understanding of how EFS works. When a user encrypts a file using EFS
for the first time, a public/private key pair is generated and a
FEK (File Encryption Key) is generated. This FEK is a symmetric key
which is used to encrypt the file. This FEK is then encrypted with the
public key of the user (also known as Recovery Agent) and this encrypted
FEK is then stored in the header of the file. When the file is opened,
the user's private key is used to decrypt the FEK, and the FEK in turn
is used to decrypt the file. The whole process is transparent to the
user. Also, the user may wish to install more than one recovery agent.

Quoting Microsoft, "A Recovery Agent is a user who is authorized to
decrypt files belonging to other users. The chief use of this feature is
to allow files to be decrypted in the event that the original owner
loses the key. Whenever a file is encrypted by EFS, EFS also creates a
copy of the key that is accessible by the Recovery Agent. By default,
administrators are Recovery Agents - the local administrator in the case
of a local user, and the domain administrator in the case of a domain
user. However, the list of Recovery Agents can be customized via
security policy."

In Windows 2000, the administrator is by default the recovery agent,
capable of decrypting all files encrypted in EFS. In Windows XP and on,
there are no default recovery agents, i.e. only the owner is the default
recovery agent. In Windows XP and beyond, the private key is encrypted
using the hash of the user's password and user name, and therefore it is
impossible to recover the private key without knowing the user's
password. If syskey protection is enabled in any of the two higher modes
of security, then resetting the user password won't allow you access to
the private key since the key would be encrypted with the original
password's hash (in Win XP). However in Win2K, as far as my knowledge
goes, the keys are not encrypted using the hash and so resetting the
password would allow you access to the private key of the user.

In a nutshell, you do need the private key of the recovery agent to
decrypt EFS files. Now in your case, you have the password but no
private key, so it would be really difficult (read next to impossible)
to decrypt the data. Alternate approaches that may be suggested are
that you copy the data to a FAT drive so that the encryption attribute
is removed automatically, or you brute-force the FEK encryption. But I
guess that would work only if you are the owner of the file and when the
file is being copied, the file is decrypted first and then copied to the
FAT drive. But if you are not the owner, I guess all you will get is
garbage data since there won't be any automatic decryption.
Brute-forcing may be computationally infeasible or take ages to succeed,
nullifying the whole idea of decryption.

I don't know how much of this was of help to you but do correct me if I
was wrong anywhere.

Cheers,

Chetan G

--
Chetan Gupta GCFA, CEH, CCNA, CIW Sec. Analyst
Head, Forensic Services
NII Consulting Pvt. Ltd.

Email: chetan.gupta (at) niiconsulting (dot) com
Mobile: +91 9867780965
Web: www.niiconsulting.com

------------------------------------------------------
Online Computer Forensics Magazine
http://www.niiconsulting.com/checkmate

Comprehensive Incident Response and Forensics Services
http://www.niiconsulting.com/services/liveresponse.html
------------------------------------------------------

Rikard Johnels wrote:
> On Tuesday 02 January 2007 08:09, you wrote:
>
>> Dear Richard,
>>
>> You could try EFS key from Passware but to retrieve the files, the
>> encryption password must be known or SAM database must be present.
>>
>>
> Will this retrieve the key if the password is known?
> And thus enable us to recover and investigate the data?
> The SAM is destroyed by the wipe done prior to us receiving the drive.
> The password might be available.
>
>
>
>> There is also Advanced EFS Data Recovery from Elcomsoft available at
>> http://www.elcomsoft.com/aefsdr.html
>> But again it requires the EFS key to be present or the user password and
>> syskey to be known to the user.
>>
>> HTH
>>
>> Chetan Gupta
>>
>
>

[ reply ]
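An added illustration of the key layering Chetan describes (the FEK encrypting the file, one wrapped copy of the FEK per owner and recovery agent in the header, and the owner's private key itself locked under a password-derived key). This is example code written for this page, not code from the post, Windows or any tool named in the thread; it stands in toy RSA on fixed Mersenne primes and a SHA-256 keystream for the real ciphers, and the function names, passwords and sample data are constructed.

```python
import hashlib, secrets

# Toy RSA pairs on known Mersenne primes (stdlib only, insecure by construction).
def rsa_keypair(p, q, e=65537):
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def xor_stream(key, data):
    # Toy stream cipher: SHA-256 in counter mode, XORed over the data.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def efs_encrypt(plaintext, owner_pub, agent_pubs):
    # Random FEK encrypts the data; header stores the FEK wrapped to the owner (DDF) and each agent (DRF).
    fek = secrets.token_bytes(16)
    m = int.from_bytes(fek, "big")
    header = {"ddf": pow(m, owner_pub[1], owner_pub[0]),
              "drf": [pow(m, e, n) for n, e in agent_pubs]}
    return header, xor_stream(fek, plaintext)

def efs_decrypt(header, ciphertext, priv, slot):
    # slot is "ddf" or ("drf", i); a wrong private key yields a random FEK and hence garbage.
    c = header["ddf"] if slot == "ddf" else header["drf"][slot[1]]
    fek = (pow(c, priv[1], priv[0]) % 2**128).to_bytes(16, "big")
    return xor_stream(fek, ciphertext)

def protect_private_key(priv, password, salt):
    # Private key kept only under a password-derived key: password alone is useless once this blob is wiped.
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return xor_stream(kek, priv[1].to_bytes(32, "big"))

def recover_private_key(n, blob, password, salt):
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return n, int.from_bytes(xor_stream(kek, blob), "big")

def demo():
    owner_pub, owner_priv = rsa_keypair(2**61 - 1, 2**89 - 1)
    agent_pub, agent_priv = rsa_keypair(2**31 - 1, 2**107 - 1)
    data = b"constructed sample ledger, not real evidence"
    header, ct = efs_encrypt(data, owner_pub, [agent_pub])
    salt = secrets.token_bytes(16)
    blob = protect_private_key(owner_priv, "owner-password", salt)
    # 1) owner: password plus the protected key blob -> the DDF unwraps the FEK
    via_owner = efs_decrypt(header, ct, recover_private_key(owner_pub[0], blob, "owner-password", salt), "ddf")
    # 2) a recovery agent's private key -> the DRF slot unwraps the same FEK
    via_agent = efs_decrypt(header, ct, agent_priv, ("drf", 0))
    # 3) password known but the key blob wiped (random bytes stand in) -> garbage only
    via_wiped = efs_decrypt(header, ct, recover_private_key(owner_pub[0], secrets.token_bytes(32), "owner-password", salt), "ddf")
    return data, via_owner, via_agent, via_wiped
```

Case 3 is the situation in the thread: the password is known, but with the profile (and so the protected private key) wiped there is nothing left to derive the key from, and only a recovery agent's key (case 2) still opens the file.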