RE: Identifying Win2K/XP Encrypted Files

From: Altheide, Cory B. (AltheideCat_private)
Date: Thu Jan 30 2003 - 08:47:37 PST


    > -----Original Message-----
    > From: Craig Earnshaw [mailto:Craig.Earnshawat_private] 
    > Sent: Thursday, January 30, 2003 5:13 AM
    > To: Christopher Howell
    > Cc: forensicsat_private
    > Subject: Re: Identifying Win2K/XP Encrypted Files
    > 
    > 
    <snip>
    
    > The best scenario for dealing with the Windows 2000 encrypted file
    > system (EFS) is to seize the machine, image it with your imaging tool of
    > choice (Safeback, EnCase, dd etc etc) and then restore the image onto a
    > blank drive, replace the drive in the original machine with your new copy
    > of the drive, and then boot using a Linux boot disk developed by Peter
    > Nordahl (I think his name is) available from
    > http://home.eunet.no/~pnordahl/ntpasswd/.  This can be used to change
    > the logon passwords for the users of the machine, and let you log into
    > their accounts (there are some caveats to this, but they're set out on
    > the site so I'm not going to duplicate them here).  Once you're logged
    > into the accounts you are able to access all files stored within an EFS.
    > 
    > Just my 2c - hope that it helps.
    > 
    > Regards
    > 
    While this is indeed the best scenario for dealing with Windows *2000* EFS -
    it will not work under Windows XP. Relevant info here:
    http://infocenter.cramsession.com/techlibrary/gethtml.asp?ID=1857
    
    "Windows can store private keys in a number of different places, such as a
    smart card or a user's profile. If your computer is not a member of a domain
    or if you have not taken specific steps to store the private key in a
    different place, the private key is stored as part of your user profile,
    which is essentially a collection of files on your hard disk. The private
    key itself is encrypted so other users cannot access it, but whenever you
    are logged on, Windows makes the key accessible to you. 
    
    Unfortunately, this is also a security risk. Someone who steals your
    computer and has physical access to your computer can use one of several
    freely available utilities to simply change your password, log on with your
    user account, and then change the password. At this point, the thief has
    access to all your encrypted files. 
    
    Windows XP protects you against such attacks. Windows XP encrypts the
    private key with a derivative of your password. If the password is changed
    and you don't provide the old password, access to the public key will be
    permanently blocked, and you or a thief can no longer decrypt files with
    this key. 
    
    What if you are running Windows 2000, though? Windows 2000 does not include
    this added protection." 
    
    The only way I can imagine getting around EFS in XP in a non-domain
    situation is a case where a user login is the owner of the encrypted files
    in question.  Changing the admin password would allow you to log in to the
    admin account, which, IIRC, is the equivalent of the domain admin on the
    local box and has key recovery authority for user accounts.  I haven't had
    the opportunity to test this theory yet, but I mean to do so if no one
    speaks up to tell me I'm wrong. ;)
    
    Cory Altheide
    Computer Forensics Specialist
    NCI Information Systems, Inc.
    NNSA Cyber Forensics Center
    altheidecat_private
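
As an added illustration of the XP behaviour described in the quoted article (this is not code from the thread or from Microsoft), the toy model below keeps a user's EFS private key wrapped under a key derived from the logon password. The real DPAPI key formats, KDF and cipher are different; PBKDF2-HMAC-SHA256 and the XOR-plus-HMAC wrap used here are assumptions chosen only to keep the model self-contained. What it shows is the asymmetry the article relies on: a password change that supplies the old password can unwrap and rewrap the key, whereas an offline reset that only overwrites the password verifier leaves the wrapped key unreadable under the new password.

```python
"""Toy model: EFS-style private key protected by a password-derived key.

Constructed example. PBKDF2 and the XOR/HMAC wrap stand in for the real
Windows DPAPI primitives and formats, which are not modelled here.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this model


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the logon password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy wrap: XOR the 32-byte key with a KEK-derived keystream, append an HMAC tag."""
    stream = hashlib.sha256(kek + b"keystream").digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, ct, "sha256").digest()
    return ct + tag


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the key, or None if the KEK (i.e. the password) is wrong."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, "sha256").digest(), tag):
        return None
    stream = hashlib.sha256(kek + b"keystream").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class UserProfile:
    """A local (non-domain) profile: password verifier plus wrapped EFS key."""

    def __init__(self, password: str) -> None:
        self.private_key = secrets.token_bytes(32)  # stands in for the EFS RSA key
        self.key_salt = secrets.token_bytes(16)
        self.wrapped_key = wrap(derive_kek(password, self.key_salt), self.private_key)
        self._set_verifier(password)

    def _set_verifier(self, password: str) -> None:
        # Stands in for the SAM password hash; it gates logon, not key access.
        self.pw_salt = secrets.token_bytes(16)
        self.pw_verifier = hashlib.sha256(self.pw_salt + password.encode()).digest()

    def check_password(self, password: str) -> bool:
        candidate = hashlib.sha256(self.pw_salt + password.encode()).digest()
        return hmac.compare_digest(candidate, self.pw_verifier)

    def logon(self, password: str) -> Optional[bytes]:
        """Interactive logon: verifier must match AND the key must unwrap."""
        if not self.check_password(password):
            return None
        return unwrap(derive_kek(password, self.key_salt), self.wrapped_key)

    def change_password(self, old: str, new: str) -> bool:
        """Normal password change: the old password is available, so rewrap."""
        key = self.logon(old)
        if key is None:
            return False
        self.key_salt = secrets.token_bytes(16)
        self.wrapped_key = wrap(derive_kek(new, self.key_salt), key)
        self._set_verifier(new)
        return True

    def offline_reset(self, new: str) -> None:
        """Offline reset: only the verifier is overwritten; the wrapped key is untouched."""
        self._set_verifier(new)

    def recover_with_old_password(self, old: str) -> Optional[bytes]:
        """After an offline reset, the key is still recoverable only via the old password."""
        return unwrap(derive_kek(old, self.key_salt), self.wrapped_key)


def demonstrate() -> dict:
    """Run both scenarios and report whether the EFS key is reachable afterwards."""
    normal = UserProfile("original-pass")
    normal.change_password("original-pass", "new-pass")
    reset = UserProfile("original-pass")
    reset.offline_reset("attacker-pass")
    return {
        "key_after_normal_change": normal.logon("new-pass") == normal.private_key,
        "key_after_offline_reset": reset.logon("attacker-pass") == reset.private_key,
        "key_via_old_password": reset.recover_with_old_password("original-pass") == reset.private_key,
    }


if __name__ == "__main__":
    for scenario, reachable in demonstrate().items():
        print(f"{scenario}: {'reachable' if reachable else 'blocked'}")
```

The model also makes the forensic caveat in the article explicit: after an offline reset the wrapped key is intact, so the only path back to the data in this design is the original password (or, on a real system, a separately held recovery agent key), not the new one.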
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 09:53:21 PST