Penetration Testing mailing list archives

Re: Pentesting EFS MS Encryption


From: sherwyn.williams () gmail com
Date: Fri, 1 Jun 2007 21:39:31 +0000

So if it is low level, that means that I should pretty much give up on this side. I figured if it was M$ it had to have 
some sort of hole, but I guess not, huh!

Anyone else out there had any luck with this? What about if you use some sort of file reconstruction program?
Sherwyn Williams
Technical Support
The Williams Solutions  

-----Original Message-----
From: "Asier Gutierrez" <asierguti () Safe-mail net>
Date: Fri, 1 Jun 2007 22:24:27 
To:sherwyn.williams () gmail com
Cc:jamie.riden () gmail com, listbounce () securityfocus com, Ian.Stong.ctr () disa mil, pen-test () securityfocus com
Subject: Re: Pentesting EFS MS Encryption

Hello Sherwyn,


Basically there are two types of encryption: file level encryption and low level encryption. The difference is that in 
the first one, we can actually see the files, but they are encrypted, while in the second one all the drive (all 
sectors) are encrypted.


If we have a typical EFS (Windows file level encryption), there are programs to crack the password by brute-force. 
"Advanced EFS Data Recovery" is an example of a program to do so.


However, if you have a low level encryption, there is only one way to get the data, and it's to have the username 
and/or password for the system. It can't be cracked, and the only way to recover the data from a crashed computer is 
using an emergency disk issued by the encryption company, which also includes authentication.


Beware, the new Windows Vista includes BitLocker encryption, which is a low level encryption. This one encrypts all file 
structures too, but, depending on the mode, using TPM, like a chip or a USB key.


These products are very much tested, so I consider them pretty solid. All of them, excluding BitLocker from Microsoft, 
have a backdoor in case you forget the password or the computer crashed, but that backdoor is protected by 
authentication anyway.


Cheers,

Asier


-------- Original Message --------
From: sherwyn.williams () gmail com
Apparently from: pen-test-return-1078484313-asierguti=safe-mail.net () securityfocus com
To: "Jamie Riden" <jamie.riden () gmail com>, listbounce () securityfocus com, "Stong, Ian C CTR DISA GIG-CS" 
<Ian.Stong.ctr () disa mil>
Cc: pen-test () securityfocus com
Subject: Pentesting EFS MS Encryption
Date: Fri, 1 Jun 2007 20:41:05 +0000

Hello everyone,

I would like to know, if I have a backup or some files encrypted with the built-in encryption in Windows but don't have 
the key, how can I reverse this to gain access to the files?

Example: while conducting a test, I have access to the network backup of various data that has a faulty permission 
setting, but the files are encrypted.

And I am sure this can be helpful to someone if they have a backup but the system crashed. :(

Thanks in advance.
Sherwyn Williams
Technical Support
The Williams Solutions 

