±Your Account
Membership:
New Today: 0
New Yesterday: 4
Overall: 24209
Visitors: 41±Latest Webinar
±Latest Articles
· Android Forensics
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
±Follow Us
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
Decrypting EFS Help!
Decrypting EFS Help!
Posted: Mon Dec 03, 2012 4:47 am
Hi!
I just want to ask how to decrypt these EFS Files which I believe can really help the case I'm investigating right now. I'm using Encase v6 and I stumble upon an EFS-encrypted file and its EFS Stream. I want to ask for the next steps to properly decrypt the file.
Here's a snapshot:
Thanks in advance.
P.S. I tried to do the copy/unerase function of Encase to decrypt using other tools but apparently, the file attribute 'E' is removed during extraction. Cipher can't decrypt the file since I think its corrupted or broken during extraction.
Please advise next step.
I just want to ask how to decrypt these EFS Files which I believe can really help the case I'm investigating right now. I'm using Encase v6 and I stumble upon an EFS-encrypted file and its EFS Stream. I want to ask for the next steps to properly decrypt the file.
Here's a snapshot:
Thanks in advance.
P.S. I tried to do the copy/unerase function of Encase to decrypt using other tools but apparently, the file attribute 'E' is removed during extraction. Cipher can't decrypt the file since I think its corrupted or broken during extraction.
Please advise next step.
-
pyre08 - Newbie
Re: Decrypting EFS Help!
Posted: Mon Dec 03, 2012 7:48 am
I believe you need to crack the user's password first - is it LANMAN or NTLM?
You can decrypt EFS using EnCase 6 if you know the user's password. You can use EnCase to brute force the password if it is simple enough.
You can decrypt EFS using EnCase 6 if you know the user's password. You can use EnCase to brute force the password if it is simple enough.
-
chrism - Senior Member
Re: Decrypting EFS Help!
Posted: Tue Dec 04, 2012 10:21 pm
How can I brute-force the password? I've switched to Encase 7 since its has a function 'Analyze EFS'. I haven't figured it out yet whether its LANMAN or NTLM.
See pic below for details.
Thanks in Advance!
See pic below for details.
Thanks in Advance!
-
pyre08 - Newbie
Re: Decrypting EFS Help!
Posted: Wed Dec 05, 2012 2:06 pm
You can use Ophcrack, Passware to try and crack the passwords based on the SAM files.
Ophcrack uses rainbow tables and does a great job.
Based on the screenshots, this seems to be an XP machine so it should use LM by default.
Ophcrack uses rainbow tables and does a great job.
Based on the screenshots, this seems to be an XP machine so it should use LM by default.
-
PM_SQ - Senior Member