Re: EFS - Please help to unsecure data
From: Galen (galennews_at_gmail.com)
Date: 02/07/05
- Next message: rocktour: "Re: Laptop screen doesn't appear at times..."
- Previous message: MICROSOFT: "Re: Adding memory"
- In reply to: Torgeir Bakken \(MVP\): "Re: EFS - Please help to unsecure data"
- Next in thread: Richard Urban: "Re: EFS - Please help to unsecure data"
- Reply: Richard Urban: "Re: EFS - Please help to unsecure data"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 6 Feb 2005 19:39:27 -0500
In news:egbnOOIDFHA.2232@TK2MSFTNGP14.phx.gbl,
Torgeir Bakken (MVP) <Torgeir.Bakken-spam@hydro.com> had this to say:
> Take a look at this site for more details:
>
> http://www.beginningtoseethelight.org/efsrecovery/
I want to thank you for the link. I've never encountered this problem, as
I'd mentioned, because the only time(s) I've encrypted any data were just to
educate myself on the process. At that time, with recommendations made in
the DTS group if I recall, though it might have been during or after one of
the expert chats, I believe I went through the key backup process as well.
However, the files were simply plain text files or a couple of non-important
executables and were eventually deleted. No loss of data and it never
occurred that I might lose the keys to open them as I had no intention of
keeping the files.
I'm generally one that believes that there's no such thing as something that
can't really be done if one tries enough. It is my theory at this time that
there's some chance at getting these files open with minimal expenditure.
Each attempt, I'm afraid, is going to be unique and the results will vary
based on the amount of data over-written during any fresh installations of
the operating system, file deletion, and any normal disk activity.
My guess, and I'm wanting to emphasise that this is a guess at this point,
is that data recovery software (there's actually a decent freeware version
kicking about which I can dig up if anyone else is interested but I have
some paid software here that will be what I'm working with) could be used to
recover some or all of the keys from the profile data. I'm not sure if I
understand correctly but:
"The program can decrypt protected files only if encryption keys (at least,
some of them) are still exist in the system and have not been tampered."
-Jupiter Jones (from the readme.txt file)
Which makes me believe that only a portion of the key(s) would be required?
While it's unlikely that all the keys would be recovered with forensic tools
available after a re-installation of the OS and various usage of the hard
drive it's possible that some of them would be recovered.
This leads to my next question which is how about a brute force? I took a
look at Microsoft's position on this and though the information is
specifically for 2k I'm guessing that it's still very much valid for XP.
Their response to this is:
"Syskey thwarts this attack by encrypting the SAM database using strong
encryption. Even if an attacker did manage to obtain a copy of the
Syskey-protected SAM, he would first need to conduct a brute-force attack to
determine the Syskey, then conduct a brute-force attack against the hashes
themselves. This dramatically increases the work factor associated with the
attack, to the point where it's considered to be computationally
infeasible."
From:
http://www.microsoft.com/technet/archive/security/news/efs.mspx
My idea at this point is to install XP Pro as an NTFS install and create a
few encrypted files on a partitioned drive (just to make sure that I don't
need to try to recover those as well.) Using a second operating system
(perhaps a *NIX on CD) I'll delete various system files and folders to
ensure that the OS no longer functions. The next step would be to format the
drive, complete as opposed to quick just to make it the 'worst case
scenario' that I can think of. Then I'll probably do it a second time to
ensure that I've given the drive a good chance at writing over any sectors
that it wants to though I may just copy over a couple of large files and
delete them and delete them from the recycle bin to further perform 'disk
writing' in hopes of mimicking typical activity. The next step would be to
try for data recovery and if required to use a variety of tools. Perhaps
from outside of the OS? Following that the next step would be to try one of
the various tools to recover the file.
Here's another example of an EFS recovery tool in which they claim that only
the password must be known (or a SAM database present) that MAY be of
interest? I haven't downloaded this yet but I've read the information that
they have available on the site.
http://www.lostpassword.com/efs.htm
Anyhow, on with the subject... What are the opinions of the testing methods?
Do you see any steps that I should add to this testing? Has anyone given
this a shot? Perhaps I should do it with something important as it would
increase my incentive to succeed... On second thought... No... But it's an
interesting idea :)
Galen
-- "My mind rebels at stagnation. Give me problems, give me work, give me the most abstruse cryptogram or the most intricate analysis, and I am in my own proper atmosphere. I can dispense then with artificial stimulants. But I abhor the dull routine of existence. I crave for mental exaltation." -- Sherlock Holmes