EFS Encryption

4 Posts
3 Users
0 Likes
664 Views
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I have a USB hard drive that has a bunch of EFS encrypted files (.msg, .zip etc).

I'm not 100% sure what OS made them but I suspect Win 7 as the data all has modified dates of November 2012. The original computer that created/encrypted the files is not available; all I have access to is the drive and the person who owns the data.

All the usual cracking tools want the certificate from the MFT to open the files but that's not possible in this case. Is there any method to simply start a brute force attempt and then leave it running?

 
Posted : 06/12/2016 8:39 am
(@tinybrain)
Posts: 354
Reputable Member
 

I recommend Kali and creddump7 described here

https://labs.neohapsis.com/2014/07/01/cached-domain-credentials-in-vista7-aka-why-full-drive-encryption-is-important/

(the other alternatives I described before failed)

 
Posted : 13/12/2016 8:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I recommend Kali and creddump7 described here
>
> https://labs.neohapsis.com/2014/07/01/cached-domain-credentials-in-vista7-aka-why-full-drive-encryption-is-important/
>
> (the other alternatives I described before failed)

Yep, but if there is no access to the actual Windows install that created the files there is nothing to "dump".
I guess that in this case nothing but a specific tool can - maybe - manage to find a way to unencrypt:
https://www.elcomsoft.com/aefsdr.html

jaclaz

 
Posted : 13/12/2016 9:26 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Unfortunately for me the Elcomsoft requires access to the encryption key which is located on the original computer.

From all the digging I've done it looks like there is no way to crack these files.

 
Posted : 15/12/2016 11:41 am