Question about brute forcing EFS...

From: Ed Moyle (emoyleat_private)
Date: Thu Sep 12 2002 - 09:44:13 PDT

    Good afternoon,
    
    I have noticed several articles recently in various literature highlighting the usefulness of brute-forcing Microsoft EFS in situations where it is used on a disk that is undergoing examination.  I am curious:  why is the SOP to brute-force the EFS data (a laborious and time-consuming procedure) when mechanisms exist in most situations (75-90%) to go *around* EFS entirely to view the data (a 5 minute procedure)?  I would think that this would reduce the effort associated with these investigations by a large proportion.
    
    Regards,
    -Ed