[unisog] File protection in a Windows Environment

Chris Green cmgreen at uab.edu
Mon Dec 12 15:52:17 GMT 2005

On 12/10/05 6:58 PM, "Nick Lewis" <lewisnic at acm.org> wrote:

> I went to a presentation by AccessData last year where they talked about how
> Forensic Toolkit (FTK) can break EFS so that evidence can be uncovered. It
> appears to work without the recovery keys on pre-SP1 W2K/XP systems and
> needing the recovery key on later system.

Please correct any false information.  I'm taking wild guesses here for the
first paragraph.

After looking at http://www.accessdata.com/ftkuser/ and reading about the
feature, it appears that pre-SP1 that were left hanging around in SAM and
SYSTEM files (probably only for local credentialed EFS users) and post-SP1
it requires a dictionary attack on the passphrases.  Post-SP1, it just
looks like they've implemented a normal passphrase recovery attack.

We've got EFS on our TODO list to investigate.  We're concerned more about
lost data than protecting it from OS level attackers.  We'd need
AD-connected enterprise recovery agents (with the appropriate policy guiding
their use).  

One major concern we've not investigated yet is that EFS automatically
re-encrypts files if you use the local password change dialog within
Windows.  We change passwords outside via an administrator command to AD
rather than the dialog box (credential sync for single u/p) and need to
confirm that the EFS recovery agent portions will still work correctly for
both recovery and the end user's normal operations.  If anyone has spent time
working on implementing an EFS recovery agent with an external password sync,
I'd love to hear your experiences.
Chris Green
UAB Data Security, 5-0842
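The check the message above asks for, as an added example that is not part of the original post: whether the enterprise recovery agent is actually stamped on the EFS-encrypted files it is supposed to cover. This PowerShell script (editor's example, not AccessData's or UAB's code) walks a directory, picks out files carrying the Encrypted attribute, runs `cipher.exe /c` on each and parses the "Recovery Certificates:" block for certificate thumbprints, then compares them against a DRA thumbprint the caller supplies. Assumptions: a Windows release whose cipher.exe supports `/c` (Windows Vista and later; the 2000/XP systems discussed in the thread predate it), the "Recovery Certificates:" / "Certificate thumbprint:" layout of that output, and that `$ExpectedDraThumbprint` is the thumbprint of your own recovery agent certificate.

```powershell
# Editor's added example: audit EFS-encrypted files under $Path and report which
# ones lack a recovery certificate, or carry one other than the expected DRA.
# Assumes cipher.exe with the /c switch (Vista+) and that its per-file output
# has a "Recovery Certificates:" block followed by "Certificate thumbprint:" lines.
param(
    [Parameter(Mandatory)][string]$Path,
    [Parameter(Mandatory)][string]$ExpectedDraThumbprint   # your DRA cert thumbprint (assumed input)
)

$expected = ($ExpectedDraThumbprint -replace '\s', '').ToUpperInvariant()

# Only files matter here; a directory's Encrypted attribute just means
# "new files created here get encrypted", it holds no key material itself.
$encrypted = Get-ChildItem -Path $Path -File -Recurse -Force |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

$results = foreach ($f in $encrypted) {
    $out = & cipher.exe /c $f.FullName 2>&1

    # Walk the output once; collect thumbprints only while inside the recovery block.
    $inRecovery = $false
    $draThumbs  = @()
    foreach ($line in $out) {
        if ($line -match 'Recovery Certificates:') { $inRecovery = $true;  continue }
        if ($line -match 'Key Information:')       { $inRecovery = $false; continue }
        if ($inRecovery -and $line -match 'thumbprint:\s*(.+)$') {
            $draThumbs += ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }

    [pscustomobject]@{
        File       = $f.FullName
        HasDra     = ($draThumbs.Count -gt 0)       # some recovery agent is present
        ExpectedOk = ($draThumbs -contains $expected) # the one policy says should be there
        DraThumbs  = ($draThumbs -join ',')
    }
}

$results | Sort-Object ExpectedOk, File | Format-Table -AutoSize

$bad = @($results | Where-Object { -not $_.ExpectedOk })
Write-Host ("{0} encrypted file(s) checked, {1} without the expected recovery agent." -f
    @($results).Count, $bad.Count)
```

Files that show up with `HasDra` false, or with a stale thumbprint, are the ones a recovery agent could not open today. A recovery agent added or rotated through Group Policy is only applied to files as they are next written; `cipher /u` on the affected machine re-touches existing encrypted files so their recovery fields are refreshed to the current policy, and running it after a DRA change, then re-running the audit above, is the practical way to confirm the recovery path before relying on it.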
