Forensics
Re: recovery/forensics of NTFS encrypted folder. Jan 03 2007 03:48PM
Chetan Gupta (chetan gupta niiconsulting com) (2 replies)
RE: recovery/forensics of NTFS encrypted folder. Jan 05 2007 06:03PM
Fernandes, Alfred F CTR NCTAMS PAC, N93 (alfred fernandes ctr navy mil)
Re: recovery/forensics of NTFS encrypted folder. Jan 04 2007 04:45PM
mcardenas criminalistica cl
Dear Richard,

You can try to use some programs to recover the EFS key (the master key of the EFS encryption system used to save data onto the hard disk).

If you have access to EnCase Forensic or WinHex Forensic, this process can be recovered automatically for you. The EFS (encrypted file system) used in NTFS folders and files can be broken easily with a good machine (P4 3.00 GHz with 2 GB RAM).

have a nice day,
Mario Cardenas

In reply to: Chetan Gupta
> Dear Richard,
> I haven't tried it yet but should be worth trying out. Let me tell you
> my understanding of how EFS works. When a user encrypts a file using EFS
> for the first time, then a public/private key pair is generated and a
> FEK (File Encryption Key) is generated. This FEK is a symmetric key
> which is used to encrypt the file. This FEK is then encrypted with the
> public key of the user (also known as Recovery Agent) and this encrypted
> FEK is then stored in the header of the file. When the file is opened,
> the user's private key is used to decrypt the FEK, and the FEK in turn
> is used to decrypt the file. The whole process is transparent to the
> user. Also, the user may wish to install more than one recovery agent.
>
> Quoting Microsoft, "A Recovery Agent is a user who is authorized to
> decrypt files belonging to other users. The chief use of this feature is
> to allow files to be decrypted in the event that the original owner
> loses the key. Whenever a file is encrypted by EFS, EFS also creates a
> copy of the key that is accessible by the Recovery Agent. By default,
> administrators are Recovery Agents - the local administrator in the case
> of a local user, and the domain administrator in the case of a domain
> user. However, the list of Recovery Agents can be customized via
> security policy."
>
> In Windows 2000, the administrator is by default the recovery agent,
> capable of decrypting all files encrypted in EFS. In Windows XP and on,
> there are no default recovery agents, i.e. only the owner is the default
> recovery agent. In Windows XP and beyond, the private key is encrypted
> using the hash of the user's password and user name, and therefore it is
> impossible to recover the private key without knowing the user's
> password. If syskey protection is enabled in any of the two higher modes
> of security, then resetting the user password won't allow you access to
> the private key since the key would be encrypted with the original
> password's hash (in Win XP). However in Win2K, as far as my knowledge
> goes, the keys are not encrypted using the hash and so resetting the
> password would allow you access to the private key of the user.
>
> In a nutshell, you do need the private key of the recovery agent to
> decrypt EFS files. Now in your case, you have the password but no
> private key, so it would be really difficult (read next to impossible)
> to decrypt the data. Alternate approaches that may be suggested are
> that you copy the data to a FAT drive so that the encryption attribute
> is removed automatically, or you brute-force the FEK encryption. But I
> guess that would work only if you are the owner of the file and when the
> file is being copied, the file is decrypted first and then copied to the
> FAT drive. But if you are not the owner, I guess all you will get is
> garbage data since there won't be any automatic decryption.
> Brute-forcing may be computationally infeasible or take ages to succeed
> nullifying the whole idea of decryption.
>
> I don't know how much of this was of help to you but do correct me if I
> was wrong anywhere.
>
> Cheers,
>
> Chetan G
>
> --
> Chetan Gupta GCFA, CEH, CCNA, CIW Sec. Analyst
> Head, Forensic Services
> NII Consulting Pvt. Ltd.
>
> Email: chetan.gupta (at) niiconsulting (dot) com [email concealed]
> Mobile: +91 9867780965
> Web: www.niiconsulting.com
>
> ------------------------------------------------------
> Online Computer Forensics Magazine
> http://www.niiconsulting.com/checkmate
>
> Comprehensive Incident Response and Forensics Services
> http://www.niiconsulting.com/services/liveresponse.html
> ------------------------------------------------------
>
>
> Rikard Johnels wrote:
>> On Tuesday 02 January 2007 08:09, you wrote:
>>
>>> Dear Richard,
>>>
>>> You could try EFS key from Passware but to retrieve the files, the
>>> encryption password must be known or SAM database must be present.
>>>
>>>
>> Will this retrieve the key if the password is known?
>> And thus enable us to recover and investigate the data?
>> The SAM is destroyed by the wipe done prior to us receiving the drive.
>> The password might be available.
>>
>>
>>
>>> There is also Advanced EFS Data Recovery from Elcomsoft available at
>>> http://www.elcomsoft.com/aefsdr.html
>>> But again it requires the EFS key to be present or the user password
>>> and syskey to be known to the user.
>>>
>>> HTH
>>>
>>> Chetan Gupta
>>>
>>
>>
>

Yours sincerely,

Mario Cardenas S.
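The key-wrapping structure Chetan describes in the quoted reply (a per-file symmetric FEK, wrapped to the owner's public key in the file header and, separately, to each recovery agent's public key) is easier to reason about with a working model. The following Go program is an added example written for this archive; it is not code from the thread, from Microsoft, or from any of the tools mentioned. It uses AES-GCM for the file body and RSA-OAEP for the FEK wrapping as stand-ins for the EFS algorithms, names the header fields DDF (owner) and DRF (recovery agents) as EFS does, and uses constructed labels and sample content. It does not model the DPAPI protection of the private key by the user's password, which is the part of the chain that makes "password but no private key" a dead end in the case under discussion.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedFEK is one header entry: the FEK encrypted to one public key.
// EFS keeps such an entry in the Data Decryption Field (DDF) for the owner
// and in a Data Recovery Field (DRF) for each recovery agent.
type WrappedFEK struct {
	Holder string // constructed label; real EFS stores a certificate reference
	Blob   []byte // FEK wrapped with the holder's RSA public key (OAEP here)
}

// EncryptedFile models an EFS-encrypted file: ciphertext plus a header
// holding one wrapped copy of the FEK per authorised key holder.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	DDF        WrappedFEK
	DRF        []WrappedFEK
}

// Encrypt generates a fresh symmetric FEK, encrypts the plaintext with it,
// and wraps the FEK to the owner's and every recovery agent's public key.
func Encrypt(plain []byte, owner *rsa.PublicKey, agents map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32) // AES-256 key as the FEK (stand-in for EFS's own cipher)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	f := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}
	f.DDF.Holder = "owner"
	if f.DDF.Blob, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, owner, fek, nil); err != nil {
		return nil, err
	}
	for name, pub := range agents {
		blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		f.DRF = append(f.DRF, WrappedFEK{Holder: name, Blob: blob})
	}
	return f, nil
}

// Decrypt tries every header entry with the supplied private key. Any key
// present in the header (owner or a recovery agent) recovers the FEK and
// then the plaintext; without one of those private keys the ciphertext is
// just bytes, whatever else (the password, a raw copy of the file) is held.
func Decrypt(f *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	entries := append([]WrappedFEK{f.DDF}, f.DRF...)
	for _, e := range entries {
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.Blob, nil)
		if err != nil {
			continue // this entry was not wrapped to our key
		}
		block, err := aes.NewCipher(fek)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
	}
	return nil, errors.New("no header entry unwraps with this private key")
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only fails if the system RNG is unavailable
	}
	return k
}

// Demo builds the three parties from the thread (owner, recovery agent, an
// outsider with an unrelated key) and reports who can read the file.
func Demo() (ownerOK, agentOK, strangerOK bool, err error) {
	owner, agent, stranger := newKey(), newKey(), newKey()
	plain := []byte("case notes: constructed sample content") // constructed
	f, err := Encrypt(plain, &owner.PublicKey, map[string]*rsa.PublicKey{"recovery-agent": &agent.PublicKey})
	if err != nil {
		return
	}
	got, e1 := Decrypt(f, owner)
	ownerOK = e1 == nil && string(got) == string(plain)
	got, e2 := Decrypt(f, agent)
	agentOK = e2 == nil && string(got) == string(plain)
	_, e3 := Decrypt(f, stranger)
	strangerOK = e3 == nil
	return
}

func main() {
	o, a, s, err := Demo()
	fmt.Println("owner:", o, "recovery agent:", a, "stranger:", s, "err:", err)
}
```

The outsider's failure is the forensic point of the thread: with the SAM wiped and no exported certificate, the examiner holds neither the owner's nor an agent's private key, so the header entries cannot be unwrapped and a byte-for-byte copy of the file (the "copy to FAT" idea) only moves the ciphertext. Recovery therefore hinges on whether a DRF exists and its agent key survives, or whether the owner's key material can still be obtained, not on the file itself.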

Copyright 2010, SecurityFocus