
EFS Encryption

Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
Topic starter  

I have a USB hard drive that has a bunch of EFS encrypted files (.msg, .zip etc).

I'm not 100% sure what OS made them, but I suspect Win 7, as the data all has modified dates of November 2012. The original computer that created/encrypted the files is not available; all I have access to is the drive and the person who owns the data.

All the usual cracking tools want the certificate from the MFT to open the files but that's not possible in this case. Is there any method to simply start a brute force attempt and then leave it running?


   
(@tinybrain)
Reputable Member
Joined: 9 years ago
Posts: 354
 

I recommend Kali and creddump7 described here

https://labs.neohapsis.com/2014/07/01/cached-domain-credentials-in-vista7-aka-why-full-drive-encryption-is-important/

(the other alternatives I described before failed)


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I recommend Kali and creddump7 described here

https://labs.neohapsis.com/2014/07/01/cached-domain-credentials-in-vista7-aka-why-full-drive-encryption-is-important/

(the other alternatives I described before failed)

Yep, but if there is no access to the actual Windows install that created the files there is nothing to "dump".
I guess that in this case nothing but a specific tool can - maybe - manage to find a way to unencrypt:
https://www.elcomsoft.com/aefsdr.html

jaclaz


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
Topic starter  

Unfortunately for me the Elcomsoft requires access to the encryption key which is located on the original computer.

From all the digging I've done it looks like there is no way to crack these files.


   