Difference between revisions of "Windows Encrypted File System"

From Forensics Wiki
m (Recovering an EFS Key)
(Added Bitlocker)
Line 8: Line 8:
 
In Windows 2000 the computer's administrator is the default recovery agent and can decrypt all files encrypted with EFS.
 
In Windows 2000 the computer's administrator is the default recovery agent and can decrypt all files encrypted with EFS.
  
In Windows XP and beyond there is no default recovery agent.  
+
In Windows XP and beyond there is no default recovery agent.
 +
 
 +
EFS can be used in conjunction with [[BitLocker]] if desired.
  
 
=Recovering an EFS Key=
 
=Recovering an EFS Key=
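Review bot: the added line "EFS can be used in conjunction with [[BitLocker]] if desired." gives no hint of what the combination adds, and the rest of this section is about key handling, so the sentence reads as a bare cross-reference. Suggest stating in the same sentence what BitLocker contributes alongside EFS (one clause is enough), or moving the link to the Other References list if a pointer is all that is intended.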

Revision as of 11:30, 24 February 2007

EFS (Encrypting File System) is the cryptographic file system that is built into Microsoft Windows.

Windows can encrypt files on an EFS volume by file, by directory, or by the entire volume. Encryption is done using a certificate. The certificate itself is saved on the encrypted volume, but it is encrypted with a password. Volumes can be configured so that they can be recovered using one of several certificates---for example, a recovery certificate belonging to the organization that owns the computer.

How it works

The first time EFS is used, Windows creates a symmetric File Encryption Key (FEK). Windows then creates an RSA public/private key pair that is used to encrypt the FEK. The private key is then encrypted with a hash of the user's passphrase and username. The FEK can also be encrypted with the organization's public key. Microsoft calls this second key a "Recovery Agent."

In Windows 2000 the computer's administrator is the default recovery agent and can decrypt all files encrypted with EFS.

In Windows XP and beyond there is no default recovery agent.
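The key hierarchy described above, as an added example that is not part of the original article and not Windows's own code: a Go model (assumed names, standard library only) in which a random FEK encrypts the file contents, the FEK is wrapped with RSA-OAEP once for the user and once for a recovery agent, and the user's private key is kept in a store encrypted under a key derived from passphrase and username. The derivation is a deliberately simplified hash chain standing in for what Windows actually does, and the wrapping slots are matched by trial decryption rather than by certificate hash.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

type EncryptedFile struct { // one EFS-protected file, modelled as the article describes it
	Ciphertext []byte   // AES-256-GCM output with the nonce prepended
	WrappedFEK [][]byte // one RSA-OAEP wrapping of the FEK per recipient key (user, recovery agent)
}

// deriveKey stands in for the passphrase/username hash the article mentions (constructed simplification).
func deriveKey(passphrase, username string) []byte {
	k := sha256.Sum256([]byte(username + "\x00" + passphrase))
	for i := 0; i < 100000; i++ { // iteration raises the cost of every passphrase guess
		k = sha256.Sum256(k[:])
	}
	return k[:]
}

func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes, so this cannot fail
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, data []byte) ([]byte, error) { // a wrong key fails the GCM tag check
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// ProtectPrivateKey stores the user's RSA private key under the passphrase-derived key.
func ProtectPrivateKey(priv *rsa.PrivateKey, passphrase, username string) []byte {
	return seal(deriveKey(passphrase, username), x509.MarshalPKCS1PrivateKey(priv))
}

// UnprotectPrivateKey recovers the private key; a wrong passphrase or username is rejected outright.
func UnprotectPrivateKey(blob []byte, passphrase, username string) (*rsa.PrivateKey, error) {
	der, err := unseal(deriveKey(passphrase, username), blob)
	if err != nil {
		return nil, errors.New("wrong passphrase or damaged key store")
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// EncryptFile draws a fresh FEK, encrypts the contents with it, and wraps the FEK for every recipient.
func EncryptFile(plaintext []byte, recipients ...*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32) // AES-256 key, fresh for every file
	if _, err := io.ReadFull(rand.Reader, fek); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Ciphertext: seal(fek, plaintext)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedFEK = append(ef.WrappedFEK, w)
	}
	return ef, nil
}

// DecryptFile tries the caller's private key (user or recovery agent) against each wrapped FEK.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range ef.WrappedFEK {
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
		if err == nil {
			return unseal(fek, ef.Ciphertext)
		}
	}
	return nil, errors.New("no wrapped FEK matches this private key")
}

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048) // the organization's recovery agent
	store := ProtectPrivateKey(user, "correct horse battery", "alice")
	ef, _ := EncryptFile([]byte("quarterly numbers"), &user.PublicKey, &agent.PublicKey)
	_, bad := UnprotectPrivateKey(store, "guess", "alice")
	priv, _ := UnprotectPrivateKey(store, "correct horse battery", "alice")
	asUser, _ := DecryptFile(ef, priv)
	asAgent, _ := DecryptFile(ef, agent) // the agent needs no user passphrase at all
	fmt.Printf("wrong passphrase: %v\nuser: %s\nagent: %s\n", bad, asUser, asAgent)
}
```

Running it shows the three behaviours the article states: a wrong passphrase is rejected before anything is decrypted (the GCM tag on the key store fails), the right passphrase opens the file through the user's private key, and the recovery agent opens the same file with its own key and no user passphrase. The iteration count in deriveKey is what makes each guess cost something, which is the property the brute-force tools in the recovery section work against; in real EFS the two wrapping slots correspond to the Data Decryption Field and the Data Recovery Field of the file.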

EFS can be used in conjunction with BitLocker if desired.

Recovering an EFS Key

Several tools are available that can recover an EFS key or volume if the original encryption key (or passphrase) is lost. These include:

  • EFS key from Passware
  • Advanced EFS Data Recovery from Elcomsoft http://www.elcomsoft.com/aefsdr.html
  • EnCase Forensic (Can perform a brute-force attack on the user's passphrase.)
  • WinHex Forensic (Can also perform a brute-force attack on the user's passphrase.)

Other References

http://www.beginningtoseethelight.org/efsrecovery