[unisog] File protection in a Windows Environment

Rob Whalen rwhalen at stmarys-ca.edu
Tue Dec 13 22:53:12 GMT 2005


Michael Holstein wrote:

>>I went to a presentation by AccessData last year where they talked about how 
>>Forensic Toolkit (FTK) can break EFS so that evidence can be uncovered. It 
>>appears to work without the recovery keys on pre-SP1 W2K/XP systems and 
>>needing the recovery key on later systems.
>
>EnCase boasts this ability as well.
>
>It seems Microsoft has designed "deliberately breakable" encryption -- 
>for the convenience of the end user who "loses" their keys. They might 
>as well just have offered the (default) option of :
>
>"store backup copy of data in unencrypted form for ease of recovery in 
>the event of lost encryption keys".
>
>Microsoft's EFS is a convenient way to centralize management of 
>encrypted storage if all you need to do is say "we encrypt it" (e.g., 
>HIPAA, et al.). If you *really* need to encrypt it so it can't be read if 
>stolen, etc. -- then I'd suggest selecting something else.
>
>My $0.01851 (8% Ohio tax applied).
>
>Michael Holstein CISSP GCIA
>Cleveland State University
>
All,
There can be gotchas with third-party products. I used Cryptainer to set 
up an encrypted share for use by multiple users, and when the Cryptainer 
is shut down it deletes the share - very secure, but not practical.
Cordially,
Rob
