Ok... sitting here at 0710 AM in a hotel room pondering EFS... (Ok... that's a bit odd...) and was thinking: if a user boots up a machine with one of those Linux change-the-Admin-password disks and changes the password of an account which uses EFS to protect all their documents, I understand the files will not be "usable/recoverable" at this point (EFS encryption is tied directly to the login/password key).
What happens if the original account holder uses that same disk to change the password back to the original password? Will the user now have access to his/her files?
Time for some Coffee..
Thanks
Rob
Hmmm, that's an interesting question.
I hadn't considered changing the password back, but will to see what happens.
I'll create a dummy account and let you know..
I think that even if you change it back to the original password you will not be able to decrypt the file. The encryption key is derived from the login password but two accounts with the same password will have different encryption keys.
This is partially correct. The encryption key is generated without regard to the user account, but the key is then itself encrypted using the public key stored in the user's certificate. This is where the problem with changing the password through improper channels comes in.
I believe that you are correct though, that this would still be unrecoverable (as I believe that the user would no longer be able to use the same certificate).
Some detailed (but outdated) information on EFS can be found here (note that Windows XP Service Pack 1 and Windows Server 2003 can use the AES encryption algorithm as well as DESX and 3DES)
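A toy model of the key chain described in the reply above, added here as an illustration rather than code from the thread: a per-file key (FEK) is wrapped under the certificate key, and the certificate's private key is in turn wrapped under a key derived from the logon password (standing in for the DPAPI master key). The stream cipher, the symmetric stand-in for the certificate's public key, and the "verifier" field are all constructed simplifications; the point shown is that a boot-disk reset rewrites only the verifier and never re-wraps the certificate key, so the wrapped key fails its integrity check under the new password, while a logged-on change re-wraps it.

```python
import os, hashlib, hmac

def _stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 counter keystream); illustration only, not a real cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(key: bytes, secret: bytes) -> bytes:
    body = _stream(key, secret)
    return body + hmac.new(key, body, "sha256").digest()  # integrity tag so a wrong key is detected

def unwrap(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("wrong key: wrapped secret fails its integrity check")
    return _stream(key, body)

def password_key(password: str, salt: bytes) -> bytes:
    # Stands in for the DPAPI master key derived from the logon password (constructed parameters)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def create_profile(password: str) -> dict:
    salt, cert_key = os.urandom(16), os.urandom(32)  # cert_key stands in for the EFS certificate's private key
    return {"salt": salt,
            "verifier": hashlib.sha256(password.encode()).digest(),  # what a boot-disk reset tool rewrites
            "wrapped_cert_key": wrap(password_key(password, salt), cert_key),  # what it does not re-wrap
            "cert_key_for_wrapping": cert_key}  # symmetric stand-in for the public key in the certificate

def encrypt_file(profile: dict, plaintext: bytes) -> dict:
    fek = os.urandom(32)  # per-file key, generated without regard to the account
    return {"wrapped_fek": wrap(profile["cert_key_for_wrapping"], fek), "ciphertext": _stream(fek, plaintext)}

def decrypt_file(profile: dict, password: str, blob: dict) -> bytes:
    if hashlib.sha256(password.encode()).digest() != profile["verifier"]:
        raise PermissionError("logon rejected")
    # ValueError here if the password differs from the one the certificate key was wrapped under
    cert_key = unwrap(password_key(password, profile["salt"]), profile["wrapped_cert_key"])
    return _stream(unwrap(cert_key, blob["wrapped_fek"]), blob["ciphertext"])

def offline_password_reset(profile: dict, new_password: str) -> None:
    # Boot-disk style reset: only the verifier changes; the wrapped certificate key is left as is
    profile["verifier"] = hashlib.sha256(new_password.encode()).digest()

def proper_password_change(profile: dict, old_password: str, new_password: str) -> None:
    # Logged-on change: the certificate key is re-wrapped under the new password
    cert_key = unwrap(password_key(old_password, profile["salt"]), profile["wrapped_cert_key"])
    profile["wrapped_cert_key"] = wrap(password_key(new_password, profile["salt"]), cert_key)
    profile["verifier"] = hashlib.sha256(new_password.encode()).digest()
```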
Thanks for giving me something to do while I wait for EnCase to start responding again :)