
RE: Identifying Win2K/XP Encrypted Files

From: Altheide, Cory B. <AltheideC(at)nv.doe.gov>
Date: Thu Jan 30 2003 - 11:47:37 EST


> -----Original Message-----
<snip>

> The best scenario for dealing with the Windows 2000 encrypted file
While this is indeed the best scenario for dealing with Windows *2000* EFS - it will not work under Windows XP. Relevant info here: http://infocenter.cramsession.com/techlibrary/gethtml.asp?ID=1857

"Windows can store private keys in a number of different places, such as a smart card or a user's profile. If your computer is not a member of a domain or if you have not taken specific steps to store the private key in a different place, the private key is stored as part of your user profile, which is essentially a collection of files on your hard disk. The private key itself is encrypted so other users cannot access it, but whenever you are logged on, Windows makes the key accessible to you.

Unfortunately, this is also a security risk. Someone who steals your computer and has physical access to your computer can use one of several freely available utilities to simply change your password, log on with your user account, and then change the password. At this point, the thief has access to all your encrypted files.

Windows XP protects you against such attacks. Windows XP encrypts the private key with a derivative of your password. If the password is changed and you don't provide the old password, access to the public key will be permanently blocked, and you or a thief can no longer decrypt files with this key.

What if you are running Windows 2000, though? Windows 2000 does not include this added protection."

The only way I can imagine getting around EFS in XP in a non-domain situation is a case where a user login is the owner of the encrypted files in question. Changing the admin password would allow you to log in to the admin account, which, IIRC, is the equivalent of the domain admin on the local box and has key recovery authority for user accounts. I haven't had the opportunity to test this theory yet, but I mean to do so if no one speaks up to tell me I'm wrong. ;)

Cory Altheide
Computer Forensics Specialist
NCI Information Systems, Inc.
NNSA Cyber Forensics Center
altheidec@nv.doe.gov
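The thread's subject is identifying EFS-encrypted files, and the quoted article makes the point that on a non-domain box the EFS private key lives in the owning user's profile and is tied to that user's password. The script below is an added example for forensic triage and is not part of the message above or of any tool the list discusses: it walks a mounted volume, lists every file carrying the NTFS Encrypted attribute, records each file's NTFS owner (the profile whose key the file depends on), and writes the result to CSV. It assumes PowerShell 3.0 or later (for the -File switch), an elevated session, and that the evidence volume is mounted read-only at the path given as -Root.

```powershell
# Added example (not from the original message): enumerate EFS-encrypted files
# under a mounted evidence volume and record the NTFS owner of each one, since
# on a non-domain machine the owner's profile holds the EFS private key.
# Assumptions: PowerShell 3.0+, elevated session, $Root is a mounted volume path.
param(
    [Parameter(Mandatory = $true)][string]$Root,
    [string]$OutCsv = "efs-files.csv"
)

# FILE_ATTRIBUTE_ENCRYPTED as exposed through .NET; set on every EFS-encrypted file.
$encryptedFlag = [System.IO.FileAttributes]::Encrypted

$results = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $encryptedFlag) -eq $encryptedFlag } |
    ForEach-Object {
        # The owner is the account whose profile (and password) the EFS key is bound to.
        # ACL reads can fail on a partially damaged image, so fall back to a marker.
        $owner = "<unreadable>"
        try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
        [PSCustomObject]@{
            Path          = $_.FullName
            SizeBytes     = $_.Length
            LastWriteTime = $_.LastWriteTime
            Owner         = $owner
        }
    }

$results | Export-Csv -Path $OutCsv -NoTypeInformation
"{0} encrypted file(s) found under {1}; written to {2}" -f @($results).Count, $Root, $OutCsv

# Per-owner summary: tells the examiner which user profiles (and therefore which
# passwords or recovery agents) the encrypted material depends on.
$results | Group-Object Owner | Select-Object Name, Count | Sort-Object Count -Descending
```

Run it as `.\Find-EfsFiles.ps1 -Root E:\` against the mounted image. Only files are listed; a directory with the Encrypted attribute merely causes new files created in it to be encrypted, so the per-owner summary reflects actual encrypted content rather than folder policy.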



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu Jan 30 12:53:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT

