I have a number of EFS files on a suspect XP system which I suspect contain CP. I really need to know how to get around or crack the encryption, does anyone know? I'm stumped.
EnCase with the EFS module.
Not so. EnCase EFS module (and other similar tools) are of use only if the user account password is known, or if a computer has been configured to use auto-login, which makes recovering the password easy (see for example EnCase docs). If this is not the case, and if the password is not very short, trying to obtain it using a brute force attack, a dictionary method, or any other method will not work (why? an unrealistically long time would be required). In summary you can break EFS encryption if a (not particularly smart) child was using it, but if the owner had a basic understanding of the general principles of encryption, used EFS correctly, and refuses to cooperate - forget it.
cheers, derek.
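A toy model of why the post above holds, added here as an example; it is not code from the thread and not the algorithm of EnCase or any other forensic tool. Real EFS stores the file encryption key (FEK) twice: in a Data Decryption Field encrypted to the user's certificate, whose private key DPAPI protects under a key derived from the logon password, and in a Data Recovery Field encrypted to each configured Data Recovery Agent (DRA). The model below substitutes PBKDF2 and an XOR/HMAC wrap for DPAPI and RSA, and all names, keys and inputs are constructed. It demonstrates the two things a practitioner needs to know: a wrong password simply fails to open the wrapped key, and the only password-free path is a DRA key (a stand-alone XP machine has no DRA by default; a domain-joined one may have the domain administrator's recovery certificate).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 50_000  # work factor of the model's password KDF (constructed value)


def derive_user_key(password: str, salt: bytes) -> bytes:
    # Stand-in for the password-derived key that protects the user's DPAPI master key.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode hash keystream; stands in for a real cipher in this model.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(fek: bytes, kek: bytes) -> bytes:
    # Wrap the FEK under a key-encryption key; the HMAC tag makes a wrong KEK detectable.
    ct = _xor(fek, _keystream(b"wrap:" + kek, len(fek)))
    tag = hmac.new(kek, ct, "sha256").digest()
    return ct + tag


def unwrap_key(blob: bytes, kek: bytes) -> Optional[bytes]:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, ct, "sha256").digest(), tag):
        return None  # wrong KEK: this DDF/DRF does not open
    return _xor(ct, _keystream(b"wrap:" + kek, len(ct)))


@dataclass
class EfsFile:
    salt: bytes
    ddf: bytes             # FEK wrapped under the user's password-derived key
    drf: Optional[bytes]   # FEK wrapped under the recovery agent's key, if a DRA exists
    ciphertext: bytes


def efs_encrypt(plaintext: bytes, password: str, dra_key: Optional[bytes] = None) -> EfsFile:
    salt = os.urandom(16)
    fek = os.urandom(32)  # per-file key; the password never encrypts the data directly
    ddf = wrap_key(fek, derive_user_key(password, salt))
    drf = wrap_key(fek, dra_key) if dra_key is not None else None
    return EfsFile(salt, ddf, drf, _xor(plaintext, _keystream(fek, len(plaintext))))


def efs_recover(f: EfsFile, password: Optional[str] = None,
                dra_key: Optional[bytes] = None) -> Optional[bytes]:
    # Either credential unwraps the FEK; nothing else does.
    fek = None
    if password is not None:
        fek = unwrap_key(f.ddf, derive_user_key(password, f.salt))
    if fek is None and dra_key is not None and f.drf is not None:
        fek = unwrap_key(f.drf, dra_key)
    if fek is None:
        return None
    return _xor(f.ciphertext, _keystream(fek, len(f.ciphertext)))


def brute_force_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    # Exhaustive-search time for a random password of the given shape.
    seconds = charset_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    dra = os.urandom(32)  # constructed recovery-agent key
    doc = efs_encrypt(b"constructed sample document", "correct horse battery", dra_key=dra)
    print("user password:", efs_recover(doc, password="correct horse battery"))
    print("wrong password:", efs_recover(doc, password="letmein"))
    print("DRA key:      ", efs_recover(doc, dra_key=dra))
    for n in (3, 8, 12):
        print(f"62-char alphabet, length {n}, 1M guesses/s: "
              f"{brute_force_years(62, n, 1e6):.3g} years")
```

The estimate at the end is what the "unrealistically long time" remark comes down to: a three-character alphanumeric password falls in well under a second at a million guesses per second, while twelve characters from the same alphabet run to roughly a hundred million years, so password length, not the file encryption, is the whole contest.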
True, my reply was a bit terse!
Sam Inside may get you the user account password when pointed at the exported NTUSER.DAT and Syskey and with an indexing tool such as FTK you can create a word list of every text string on the disk and then use this as your dictionary attack; you may strike lucky and find the password exists in
Thanks guys, I don't know whether to try your suggestions then. The company I work for also does data recovery and this was a job brought in by the user because of bad sectors on the drive. We have become suspicious of these files though. The drive had wiping utilities and the user appeared to have been teaching himself Visual Basic.
So it would seem he'll be quite computer literate and probably know enough to use a long alphanumeric password.
I'm aware of that but he might at least know to have an alphanumeric password, many people who don't know what programming is would know that.
rofl debaser )
FWIW re computer literate, I've seen a web admin use a 3 letter password to the server. Assume nothing. Clever ppl are often arrogant ppl and think they won't get caught, let alone investigated. Education is for naught, until it's applied.
kern
yeah you're right, good point
Try LiveView and EnCase emulated disk, you'll need VMware too.
hmm, I just thought, isn't it possible to locate the password hash in the hex of the SAM file?