Re: recovery/forensics of NTFS encrypted folder.

Subject: Re: recovery/forensics of NTFS encrypted folder.
Date: 2 Jan 2007 20:29:53 -0000
I believe cracking EFS encrypted files is not going to be likely here, unless you
were able to somehow recover the deleted user profiles from the wiped version
of Windows from the disk, from the domain (if it was joined to a domain) or
from a backup. How exactly was the disk "wiped?"

Good information on decrypting EFS files is at 
www.beginningtoseethelight.org/efsrecovery, starting with the links to the 
commercial tools that claim to be able to attempt to brute force EFS.  I'm not 
sure if you will have success or not, or how quickly.  I haven't yet heard of 
anyone that has had success with these products when the key is lost.

Microsoft reportedly has a tool that can help recover encryption keys to 
decrypt EFS files if you pay the $100 to $300 US for a tech support call to 
them, using the phone numbers at www.microsoft.com/support, and there are the 
manual procedures listed at beginningtoseethelight.org.  But I believe these 
methods generally require having the keys from the user profile that encrypted 
the files.

You could choose to pay a disk recovery firm to attempt to recover the keys 
from the wiped disk.  I understand this could cost $1000 or more with no 
guarantees of data recovery.

kind regards,
Karl Levinson
http://securityadmin.info
