Re: Identifying Win2K/XP Encrypted Files

From: Bob the Builder (builder173at_private)
Date: Thu Jan 30 2003 - 06:27:43 PST

    Hi,
    To add to what Craig said, this technique only works for local user accounts. 
    In principle there is no reason why it shouldn't work for domain user 
    accounts, but the cached user info is tucked away in the SAM in some 
    proprietary MS way that makes it practically inaccessible.
    However, from the situations described so far, it would seem that the 
    hard drive is being imaged with the authority of someone in the company. In 
    this scenario, if it was a domain user encrypting the data, you could 
    possibly obtain the relevant domain admin's keys and use these to access the 
    data; this is, after all, the claimed objective behind EFS. You just need to 
    import the domain admin public/private EFS keypair onto the relevant 
    machine. Naturally you should only do so on an image of the original disk 
    and not the original disk itself, i.e. image disk, boot image of disk, 
    import domain admin keys as local admin, read files.
    
    Kind regards,
    
    David Pybus
    
    -----Original Message-----
    From: Craig Earnshaw [mailto:Craig.Earnshawat_private]
    Sent: 30 January 2003 13:13
    To: Christopher Howell
    Cc: forensicsat_private
    Subject: Re: Identifying Win2K/XP Encrypted Files
    
    
    I would actually suggest a different method.  If you are tasked to seize
    a machine you should do ABSOLUTELY NOTHING with it, apart from pulling
    the plug out of the wall if it's up and running.  Any actions that you
    perform on the machine could potentially destroy evidence and
    subsequently be used to suggest that you have tampered with the evidence.
    
    The best scenario for dealing with the Windows 2000 encrypted file
    system (EFS) is to seize the machine, image it with your imaging tool of
    choice (Safeback, EnCase, dd etc.) and then restore the image onto a
    blank drive, replace the drive in the original machine with your new copy
    of the drive, and then boot using a Linux boot disk developed by Peter
    Nordahl (I think his name is) available from
    http://home.eunet.no/~pnordahl/ntpasswd/.  This can be used to change
    the logon passwords for the users of the machine, and let you log into
    their accounts (there are some caveats to this, but they're set out on
    the site so I'm not going to duplicate them here).  Once you're logged
    into the accounts you are able to access all files stored within an EFS.
    
    Just my 2c - hope that it helps.
    
    Regards
    
    Craig G Earnshaw
    Head of Forensic Computing Services
    Lee & Allen Consulting Ltd
    London - New York - Hong Kong
    
    
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 06:29:58 PST