Depending on the situation it will be easier/harder to obtain the password needed to crack EFS. For example
If the account is a local account, or the system you've imaged is a Domain Controller, then you can probably get at the hashed passwords by using the offline Linux method of bkhive and samdump2. I say "probably" because it depends on what type of syskey encryption was used to protect the SAM hashes. The default and most common method used will allow you to access the hashes offline. Since most people don't disable LANMAN hashes, then you can run those hashes through rainbow tables and assuming you're using a decent set of tables you will probably get about 99% of the passwords 14 characters and less (even complex passwords).
If the account is a domain account and you're just on a domain member system, then of course you won't have access to the password hash. But, you may have access to the cached credentials. By default, the last 10 logon cached credentials are stored in HKLM\Security\Cache, which can be mounted offline (just mount the C\WINDOWS\System32\config\SECURITY hive). Unless the account you're trying to crack is "Administrator", then it's unlikely you'll get to use rainbow tables to assist in the cracking (the hash is seeded with the user name). But you can still extract the hash and run it through Cain (
Finally, there's the possibility that you can pull the same or a similar password from other locations. People tend to use the same password for things. Check stored credentials in browsers, VPNs, or other similar locations.
Hope that helps