
RE: XP native encryption

Subject: RE: XP native encryption
Date: Mon, 23 May 2005 18:05:32 -0400
I'm pretty familiar with EFS.  The first question is whether the laptop
was a stand-alone laptop or if it was joined to a domain?  If the latter
is true, your Data Recovery Agent (usually the domain admin by default)
can log on and recover the files.  If not, then the only account that is
able to recover it is the user who protected the files.  When EFS is
used, the user's keys are stored in the user's profile and protected
with a master key created using the user's password. If the user's
profile hasn't been overwritten, then have the user log on and simply set
the password back to the original, and voilà, the files will be
accessible again. If the user's profile has been overwritten, then the
only hope is to recover the user's profile some way... System Restore??

The lesson to be learned is that EFS should be disabled (by default it
is enabled and can be used by any user) until a default recovery agent
has been defined.

Good luck.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger@banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************



-----Original Message-----
From: Fernando Serto [mailto:fernando.serto@memetrics.com] 
Sent: Monday, May 23, 2005 3:29 AM
To: security-basics@securityfocus.com
Subject: XP native encryption

Guys, I have a problem here where one of the users has encrypted all her
documents on her laptop, and as requested, she had administrative
rights. She had a friend playing around with her laptop during the
weekend, and I have no idea why that guy went through the user accounts,
changed the administrator password, logged in as local administrator,
DELETED the user account, RECREATED it, and changed the password back to
what it was. I think the user was too embarrassed to tell me why this
guy had her password, and why he was playing around with her laptop, but
anyway, now she can't access her files, because they are encrypted.

Do you know any way to decrypt those files, in order to re-encrypt using
the new username?

cheers,
Fernando

--
Fernando Serto
Systems Administrator
Ph: +61 2 9556 0833
Mo: +61 403 338 005
Fa: +61 2 9555 6911

------------------
Certain disclaimers and policies apply to all email sent from Memetrics.
For the full text of these disclaimers and policies see
http://www.memetrics.com/emailpolicy.html
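
The reply's closing lesson (do not leave EFS usable without a recovery agent) can be checked per machine. The script below is an added example, not part of the original thread; it assumes a current Windows release with PowerShell rather than the XP laptop discussed, and the registry path used to look for policy-deployed recovery agent certificates is an assumption to confirm in your environment.

```powershell
# Added example: read-only audit for the failure mode described in this thread
# (EFS usable, no Data Recovery Agent, user keys existing only in one profile).
# Run from an elevated PowerShell prompt on the machine being checked.

# 1. Can users encrypt at all? fsutil reports "DisableEncryption = 0" when EFS is usable.
$fsutilOut  = (& fsutil behavior query disableencryption) -join ' '
$efsEnabled = $fsutilOut -match 'DisableEncryption\s*=\s*0'

# 2. Is any recovery agent certificate deployed by policy?
#    Assumption: policy-distributed DRA certificates appear as subkeys of this key.
$draKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
$draCerts = @(Get-ChildItem -Path $draKey -ErrorAction SilentlyContinue)

# 3. Which EFS certificates with a private key does the logged-on user hold?
#    1.3.6.1.4.1.311.10.3.4 is the Encrypting File System enhanced key usage.
$efsOid   = '1.3.6.1.4.1.311.10.3.4'
$userKeys = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
})

$report = [pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    EfsEnabled         = $efsEnabled
    RecoveryAgentCerts = $draCerts.Count
    UserEfsKeys        = $userKeys.Count
    # The situation in the thread: encryption possible, nobody else can recover.
    NoRecoveryPath     = $efsEnabled -and ($draCerts.Count -eq 0)
}
$report | Format-List

if ($report.NoRecoveryPath) {
    Write-Warning 'EFS is enabled but no recovery agent certificate was found.'
}
if ($report.UserEfsKeys -gt 0) {
    Write-Warning 'User holds EFS private keys; export a backup before any profile or account change.'
}

# Remediation commands (run deliberately, not as part of the audit):
#   cipher /x <backup-file>                  back up the user's EFS certificate and key
#   cipher /r:<file>                         generate a recovery agent certificate and key
#   fsutil behavior set disableencryption 1  disable EFS until a recovery agent is defined
```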
