Forensics
recovery/forensics of NTFS encrypted folder. Dec 31 2006 03:35PM
Rikard Johnels (rikard j rikjoh com) (2 replies)
Re: recovery/forensics of NTFS encrypted folder. Jan 02 2007 07:09AM
Chetan Gupta (chetan gupta niiconsulting com) (1 replies)
Re: recovery/forensics of NTFS encrypted folder. Jan 04 2007 06:51PM
farmerdude (subscribe crazytrain com) (1 replies)
Re: recovery/forensics of NTFS encrypted folder. Jan 04 2007 07:53PM
Rikard Johnels (rikard j rikjoh com)
On Thursday 04 January 2007 19:51, farmerdude wrote:
> Hi,
>
> I might have missed a post, and I apologize if I have, but didn't I read
> the original poster has "a drive" where there's a directory with
> EFS-encrypted files? Is this an image or a copy of the original drive?
> I guess I got lost where the system disk was wiped, but he/she has a
> drive ...
>
> How did this directory with these EFS-encrypted files get to this other
> drive?
>
> If we know more we might be able to offer more assistance.
>
> regards,
>
> farmerdude
>
> On Tue, 2007-01-02 at 12:39 +0530, Chetan Gupta wrote:
> > Dear Richard,
> >
> > You could try EFS key from Passware but to retrieve the files, the
> > encryption password must be known or SAM database must be present.
> >
> > There is also Advanced EFS Data Recovery from Elcomsoft available at
> > http://www.elcomsoft.com/aefsdr.html
> > But again it requires the EFS key to be present or the user password and
> > syskey to be known to the user.
> >
> > HTH
> >
> > Chetan Gupta
>
> --
> [This E-mail scanned for viruses by Declude Virus]

The disk in question is a USB-mounted external drive.
On it is an NTFS filesystem.
On that file system is a folder that is encrypted.
In that folder are a number of files that need investigating.

Problem: The original workstation system drive that resided in the suspect's
own computer is wiped. The USB drive that was used with that workstation is
available.
We MIGHT be able to obtain the eventual passwords, but that is not a
certainty.

--
         /Rikard

-----------------------------------------------------------------------------
email   : rikard.j (at) rikjoh (dot) com
web     : http://www.rikjoh.com
mob     : +46 (0)763 19 76 25
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78  46 1C EE 56 >

Re: recovery/forensics of NTFS encrypted folder. Jan 02 2007 03:31AM
Bhushan Shah (bhushan niiconsulting com)


 

Copyright 2010, SecurityFocus