Hi All,

Any EFS data can be recovered using the following method, even if the original encryption key is deleted.

1. Boot the machine that holds the EFS encrypted data into safe mode
2. Log on to the machine as the local admin
3. Take ownership of the EFS data
4. Replace the encryption key with the local admin encryption key
5. Reboot the machine and log on as the local admin
6. You can now access the EFS data

As there are a few ways to change the local admin password without knowing the original password, I think it can be said that in instances where a person has physical access to the machine, any EFS data held on the physical machine must be classed as vulnerable.

Regards
Jason Normanton

Jason Normanton
Senior Consultant (Directory Services)
Netprouk
http://www.NetProUK.Com
Jasonat_private

-----Original Message-----
From: Roger A. Grimes [mailto:rogergat_private]
Sent: 27 June 2003 14:15
To: Ryan Smith; forensicsat_private

Randy,

I believe the first problem you mention was fixed long ago in a service pack. It does not store a plaintext copy on the hard drive anymore. The only problem I know about it is that on XP computers not belonging to a domain, the user's password is tied to the keys, so that if the user's password is changed or lost, the file will become unrecoverable to even the recovery agent.

Roger

********************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogergat_private
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
********************************************************************************

----- Original Message -----
From: "Ryan Smith" <ryansmithat_private>
To: <forensicsat_private>
Sent: Thursday, June 26, 2003 11:53 AM
Subject: looking for EFS weaknesses

> After some research, I am considering rolling out an encryption solution
> based on win2k EFS. I know of one weakness, that encrypting a file that
> already exists will leave behind an insecurely deleted plaintext file.
> This means anyone with any decent forensics tool could bypass the OS and
> easily read it directly off the hard drive.
>
> It also transfers files insecurely across the network. SSL should solve
> for that.
>
> Does anyone know of any other major weaknesses in the EFS encryption,
> certificate handling, encryption, etc? For this group I'm particularly
> looking for areas of the hard drive that may contain hidden plaintext
> copies of normally encrypted documents.
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> -----------------------------------------------------------------
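The two defensive concerns raised in this thread are (a) encrypted files whose only decryption key is the user's own certificate, so that a lost password leaves nothing for a recovery agent to recover, and (b) plaintext clusters left in free space when an existing file is encrypted in place. The following PowerShell script is an added example for administrators, not code from any of the posters: it inventories EFS-encrypted files under a directory, uses the built-in `cipher.exe /c` listing to flag files with no recovery certificate, and optionally runs `cipher.exe /w` to overwrite the volume's free space. The `$Root` default, the `-WipeFreeSpace` switch and the string matching on `cipher` output (which assumes the "Recovery Certificates:" / "No recovery certificate found." wording of current Windows versions) are assumptions of this example.

```powershell
# Added example (not from the thread): audit EFS files for missing recovery
# agents and wipe plaintext remnants from free space.
# Assumptions: Windows with cipher.exe on PATH, PowerShell 3.0 or later,
# run by a user who can read the files. Output parsing is text-based and
# depends on the wording cipher.exe prints.

param(
    [string]$Root = 'C:\Users',   # assumed starting directory for the audit
    [switch]$WipeFreeSpace        # opt-in: cipher /w rewrites all free space and is slow
)

# 1. Collect every file carrying the NTFS Encrypted attribute.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

# 2. cipher /c prints the users and recovery certificates able to decrypt a file.
#    A file with no recovery certificate depends entirely on the owner's key,
#    which is the "unrecoverable if the password is lost" case from the thread.
$report = foreach ($f in $encrypted) {
    $out = & cipher.exe /c $f.FullName 2>&1 | Out-String
    $hasRecovery = ($out -match 'Recovery Certificates') -and
                   -not ($out -match 'No recovery certificate')
    [pscustomobject]@{
        Path        = $f.FullName
        HasRecovery = $hasRecovery
        Thumbprints = ([regex]::Matches($out, 'Certificate thumbprint:\s*([0-9A-F ]+)') |
                       ForEach-Object { $_.Groups[1].Value.Trim() }) -join '; '
    }
}

$report | Format-Table -AutoSize
$noRecovery = @($report | Where-Object { -not $_.HasRecovery })
Write-Host ("{0} encrypted file(s) found, {1} without a recovery certificate" -f
    @($report).Count, $noRecovery.Count)

# 3. Encrypting an existing file leaves its old plaintext clusters in free space.
#    cipher /w overwrites the free space of the volume that holds the given path.
if ($WipeFreeSpace) {
    $volume = (Split-Path -Qualifier $Root) + '\'
    Write-Host "Wiping free space on $volume (this can take a long time)"
    & cipher.exe /w:$volume
}
```

Run it as `.\Audit-Efs.ps1 -Root D:\Data` to get the inventory only, and add `-WipeFreeSpace` after a batch of in-place encryptions. Creating new files directly inside an already-encrypted folder avoids the plaintext remnant in the first place, so the wipe is only needed for files that existed before they were encrypted.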
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 04:24:32 PDT