Hi!
I just want to ask how to decrypt these EFS files, which I believe can really help the case I'm investigating right now. I'm using EnCase v6 and I stumbled upon an EFS-encrypted file and its EFS stream. I want to ask for the next steps to properly decrypt the file.
Here's a snapshot
Thanks in advance.
P.S. I tried to do the copy/unerase function of EnCase to decrypt using other tools, but apparently the file attribute 'E' is removed during extraction. Cipher can't decrypt the file since I think it's corrupted or broken during extraction.
Please advise on the next step.
I believe you need to crack the user's password first - is it LANMAN or NTLM?
You can decrypt EFS using EnCase 6 if you know the user's password. You can use EnCase to brute force the password if it is simple enough.
How can I brute-force the password? I've switched to EnCase 7 since it has a function 'Analyze EFS'. I haven't figured out yet whether it's LANMAN or NTLM.
See pic below for details.
Thanks in advance!
You can use Ophcrack, Passware to try and crack the passwords based on the SAM files.
Ophcrack uses rainbow tables and does a great job.
Based on the screenshots, this seems to be an XP machine so it should use LM by default.
How does one decrypt EFS files in EnCase 7? Could you please explain if you were successful? I don't see how this can be done using only EnCase 7.
Where can I download the EDS script from? Thanks.
Did you install the sample scripts? If so, that is where it is.
Are these scripts that come with the EnCase software? If yes, I'm not seeing it.