funsec mailing list archives
Re: Stolen laptops and the Windows encrypted file system?
From: Ron <iago () valhallalegends com>
Date: Wed, 29 Mar 2006 08:30:14 -0600
When using Encase (at least, version 5), you have to provide it with the user's password or the administrator password to decrypt EFS.
What Encase can do is pull the password files from Windows. The password files can then be loaded into Rainbow Tables or l0phtcrack or your favorite cracker.
To crack an NT5 password, the system key file is required. Normally, it's stored in the same folder as the password file. However, the system key file CAN be stored on a floppy or USB drive and removed when the computer/laptop is not in use. Then, I assume, nobody can log in and it is far more difficult to decrypt the files.
I'm sure if you looked it up, you could find information on doing that. But it's a lot of work. I've had to fight against Utimaco's hard drive encryptor before, and we couldn't find a way around it. It's just lucky that we managed to get Utimaco's password, or we never would have been able to work on the laptop.
Ron

Richard M. Smith wrote:

> Another solution would be to allow people to store their EFS encryption keys on a separate device such as a USB flash drive. I also believe that an encrypted folder on a portable hard drive would be safe if it is carried separately from a laptop which holds the EFS encryption keys.
>
> Richard
>
> ------------------------------------------------------------------------
> *From:* ahmad.elkhatib () gmail com [mailto:ahmad.elkhatib () gmail com] *On Behalf Of* Ahmad Elkhatib
> *Sent:* Wednesday, March 29, 2006 5:14 AM
> *To:* Valdis.Kletnieks () vt edu
> *Cc:* Richard M. Smith; funsec () linuxbox org
> *Subject:* Re: [funsec] Stolen laptops and the Windows encrypted file system?
>
> EFS is very easily breakable since it's tied to the operating system. What you will need is a pre-boot authentication and full disk encryption. Many companies have that, such as Pointsec, Safeboot, and Utimaco.
>
> Windows Vista has a beefed up version of EFS called BitLocker which I believe will be part of the enterprise edition. However, from comments that have been made from MS officials it seems like there will be some sort of master key or backdoor to break it.
>
> -Ahmad
>
> On 3/28/06, *Valdis.Kletnieks () vt edu* <Valdis.Kletnieks () vt edu> wrote:
>
>> On Tue, 28 Mar 2006 13:23:03 EST, "Richard M. Smith" said:
>>
>>> The EnCase product description is silent on how it gets encryption keys.
>>> It's possible that it must be supplied with keys to do the decrypt.
>>
>> It's tied to the user's login password - which is known to be easily guessable or crackable a lot of the time. Remember, if you're at the point where you're using EnCase on a box, it's assumed you have access to all the password hashes too. So it's a very short detour to Rainbow, and then it's Game Over....
>>
>> _______________________________________________
>> Fun and Misc security discussion for OT posts.
>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>> Note: funsec is a public and open mailing list.