Hey guys,
I'm doing an internal investigation and I have made an image of the drive using FTK Imager 2.5 from the Helix 2008 ISO. There are some folders that our domain policy forces EFS onto (My Docs, etc). I was given the user's PFX file and cannot open the files after I extract them from the FTK image. I also had one of the admins try using a recovery agent and still no dice. It seems that when I export files from the FTK image, they lose their EFS properties even though they are still encrypted. When I browse the exported files they do not show up green, and when I right-click and go to properties, the files are not recognized as encrypted. Is there any limitation to the FTK Imager that came on the Helix 2008 CD? FTK Imager recognizes that encryption is present within the image. Is there a different way to extract EFS encrypted files? What if I restored the image to disk? I haven't tried that yet because I thought extracting was pretty much the same.
Thanks in advance!
I'll reply to my own msg… Extracting certain folders via FTK Imager does not retain EFS properties for some reason. BUT restoring the image back to the drive in its entirety did.
Thanks for posting the answer. I have not used Imager to extract encrypted files. I will keep in mind your tale of woe and not do that in the future.
Very exciting (sarcasm implied) EFS MSDN read through
http//
"EFS provides file confidentiality but does not provide any integrity or authentication protection."