[unisog] File protection in a Windows Environment

Rob Whalen rwhalen at stmarys-ca.edu
Tue Dec 13 22:53:12 GMT 2005

Michael Holstein wrote:

>>I went to a presentation by AccessData last year where they talked about how 
>>Forensic Toolkit (FTK) can break EFS so that evidence can be uncovered. It 
>>appears to work without the recovery keys on pre-SP1 W2K/XP systems and 
>>to need the recovery key on later systems.
>EnCase boasts this ability as well.
>It seems Microsoft has designed "deliberately breakable" encryption -- 
>for the convenience of the end user who "loses" their keys. They might 
>as well just have offered the (default) option of:
>"store backup copy of data in unencrypted form for ease of recovery in 
>the event of lost encryption keys".
>Microsoft's EFS is a convenient way to centralize management of 
>encrypted storage if all you need to do is say "we encrypt it" (eg: 
>HIPAA, et al.). If you *really* need to encrypt it so it can't be read if 
>stolen, etc. -- then I'd suggest selecting something else.
>My $0.01851 (8% Ohio tax applied).
>Michael Holstein CISSP GCIA
>Cleveland State University
There can be gotchas with third-party products. I used Cryptainer to set 
up an encrypted share for use by multiple users, and when the Cryptainer 
is shut down it deletes the share -- very secure, but not practical.
