Re: Decrypting EFS file

From: "Levy" <thebe14@xxxxxxxxx>
Date: Thu, 26 May 2005 20:38:28 +0300

Hi,

I just found out that there is a was to backup and then restore encrypted
files. The API that does the read from an encrypted file,
ReadEncryptedFileRaw, could be used to recover my deleted encrypted file.
However, this API has a callback that must be fed with data from the file,
INCLUDING the $EFS stream containing the encryption-related stuff.

However, this solution is also unusable for me, because it is not as simple
as feeding that callback with the content of the $EFS stream, followed by
the encrypted content of the file. Instead, some preliminary stuff should be
returned, then some parts of the $EFS stream, and then the encrypted
content, interrupted every now and then, by a few bytes of unknown
"something".

I cam to these conclusions empirically, by calling this API to read from and
encryped file and compared what I got stuffed in my callback with the
content of the LOGGED_UTILITY_STREAM attribute and the encrypted content of
the file.

Anyone that knows to point me in the right direction? Help!

Levente

"Levy" <thebe14@xxxxxxxxx> wrote in message
news:eWndcB7XFHA.3620@xxxxxxxxxxxxxxxxxxxxxxx
> Hello,
>
> I need to recover the content of a deleted encrypted file from a NTFS
> volume. I can read the file's content by directly accessing the volume
> (reading and decoding MFT, data runs and that candy). I see that encrypted
> files have a named attribute LOGGED_UTILITY_STREAM (name is $EFS). I need
> to interpret the content of this.
>
> From the info I could gather so far, this data consists of::
>
> struct EFS_INFO_HEADER
> {
> DWORD m_dwSize;
> DWORD m_dwVersionMinor;
> DWORD m_dwVersionMajor;
> DWORD m_dwUnknown1;
> BYTE m_Checksum[32];
> BYTE m_Unknown2[36];
> };
>
> struct EFS_ENTRY_HEADER
> {
> BYTE m_Unknown1[64];
> };
>
> struct EFS_DDF_ENTRY
> {
> EFS_ENTRY_HEADER m_Header;
> };
>
> struct EFS_DRF_ENTRY
> {
> EFS_ENTRY_HEADER m_Header;
> };
>
> Anyone knows more about these structures, where are they defind, where can
> I find more about them? Thanks a lot.
>
> Regards,
> Levente

.

References:
- Decrypting EFS file
  - From: Levy

Prev by Date: DFS and Offline Line Files Very Slow
Next by Date: local share prompts for login
Previous by thread: Decrypting EFS file
Next by thread: folder view on open explorer
Index(es):
- Date
- Thread

Relevant Pages

Re: C struct nach C#
... das ist nicht einfach nur ein Struct. ... DWORD ShowAs: 4; ... 64 number of Robinsonliste ... //this entry contains the baud ...
(microsoft.public.de.german.entwickler.dotnet.csharp)
Re: C struct nach C#
... Mir stellt sicht da nur die Frage wie sinnvoll ist es mit einem struct weiter zu arbeiten? ... Called Number ... DWORD ShowAs: 4; ... //this entry contains the baud ...
(microsoft.public.de.german.entwickler.dotnet.csharp)
Re: Sending HTTP request
... Using gethostbyname() API you'll be able to get the host address. ... With socketAPI you'll create a new socket descriptor. ... have headers files for C language (both struct definition and function ...
(comp.sys.ibm.as400.misc)
Re: Converting a C struct to C# for a P/Invoke call (struct in structs and unions)
... the struct is a bit ... > short dmPaperSize; ... > DWORD dmDisplayOrientation; ...
(microsoft.public.dotnet.framework)
Re: Converting a C struct to C# for a P/Invoke call (struct in structs and unions)
... the struct is a bit ... >> short dmPaperSize; ... >> DWORD dmDisplayOrientation; ...
(microsoft.public.dotnet.framework)