[unisog] File protection in a Windows Environment

Michael Holstein michael.holstein at csuohio.edu
Mon Dec 12 15:58:04 GMT 2005

> I went to a presentation by AccessData last year where they talked about how 
> Forensic Toolkit (FTK) can break EFS so that evidence can be uncovered. It 
> appears to work without the recovery keys on pre-SP1 W2K/XP systems and 
> needing the recovery key on later system.

EnCase boasts this ability as well.

It seems Microsoft has designed "delibrately breakable" encryption -- 
for the convenience of the end user who "looses" their keys. They might 
as well just have offered the (default) option of :

"store backup copy of data in unencrypted form for ease of recovery in 
the event of lost encryption keys".

Microsoft's EFS is a convenient way to centralize management of 
encrypted storage if all you need to do is say "we encrypt it" (eg: 
HIPPA, et.al). If you *really* need to encrypt it so it can't be read if 
stolen, etc. -- then I'd suggest selecting something else.

My $0.01851 (8% Ohio tax applied).

Michael Holstein CISSP GCIA
Cleveland State University

More information about the unisog mailing list