Windows Encrypted File System

From Forensics Wiki
Revision as of 19:04, 29 December 2008 by Netstat (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

EFS is the Cryptographic File System that is build into Microsoft Windows.

Windows can encrypt files on an EFS volume by file, by directory, or by the entire volume. Encryption is done using a certificate. The certificate itself is saved on the encrypted volume, but it is encrypted with a password. Volumes can be configured so that they can be recovered using one of several certificates — for example, a recovery certificate belonging to the organization that owns the computer.


How it works

The first time EFS is used Windows creates a symmetric File Encryption Key (FEK). Windows then creates an RSA public/private key pair that is used to encrypt the FEK. The private key is then encrypted with a hash of the user's passphrase and username. The FEK can also be encrypted with the organization's public key. Microsoft calls this second key a "Recovery Agent".

In Windows 2000 the computer's administrator is the default recovery agent and can decrypt all files encrypted with EFS.

In Windows XP and beyond there is no default recovery agent.

EFS can be used in conjunction with BitLocker if desired.

Recovering an EFS Key

Several tools are available that can recover an EFS key or volume if the original encryption key (or passphrase) are lost. These include:

  • EFS key from Passware;
  • Advanced EFS Data Recovery from Elcomsoft (;
  • EnCase Forensic (can perform a brute-force attack on the user's passphrase);
  • WinHex Forensic (can also perform a brute-force attack on the user's passphrase).


It is possible to decrypt files using ntfsdecrypt tool. In this case, you should get the private key first (by running cipher /x filename.pfx on a Windows system).

Other References