Hosting Provided By

Re: Identifying Win2K/XP Encrypted Files

From: Christopher Howell <howellc(at)njdcj.org>
Date: Thu Jan 30 2003 - 15:40:42 EST

Just a note to the list - I tried the utility Craig suggested on my own Win2K box and it worked. While it probably worked only because I didn't really need it, I'm reasonably satisfied to just deal with Win OS encrypted files when and if I find them in the course of an examination (as opposed looking for them before the machine is seized).

Of course, this is only one minor victory. As many have brought out in related posts, there is much open to question regarding the cost/benefit of limited examination of a live system before blindly pulling the plug. Files encrypted using the Win OS is just one question. I have yet to come up with the ideal set and order of steps to take to keep every possible base covered. Whoever gets it first, please post it:)

Thanks for everyone's comments.

Chris.

Christopher Howell
State Investigator, ACCCI, ACCFT
New Jersey Division of Criminal Justice
Computer Analysis and Technology Unit
609-984-9411
howellc@njdcj.org

>>> Craig Earnshaw <Craig.Earnshaw@TheEntrepreneur.com> 01/30/03 08:13AM >>>
I would actually suggest a different method. If you are tasked to seize a machine you should do ABSOLUTELY NOTHING with it, apart from pulling the plug out of the wall if it's up and running. Any actions that you perform on the machine could potentially destroy evidence and subsequently be used to suggest that you have tampered with the evidence.

The best scenario for dealing with the Windows 2000 encrypted file system (EFS) is to seize the machine, image it with you imaging tool of choice (Safeback, EnCase, dd etc etc) and then restore the image onto a blank drive, replace the drive in the original machine with you new copy of the drive, and then boot using a Linux boot disk developed by Peter Nordahl (I think his name is) available from http://home.eunet.no/~pnordahl/ntpasswd/. This can be used to change the logon passwords for the users of the machine, and let you log into their accounts (there are some caveats to this, but they're set out on the site so I'm not going to duplicate them here). Once you're logged into the accounts you are able to access all files stored within an EFS.

Just my 2c - hope that it helps.

Do you need help?

Regards

Craig G Earnshaw
Head of Forensic Computing Services
Lee & Allen Consulting Ltd
London - New York - Hong Kong

Christopher Howell wrote:

>Does anyone know a slick way to find encrypted files on a running Win2K/XP machine? If I am tasked with seizing one, and find it on and logged in, it would be nice to be able to identify files encrypted with Windows before I pull the plug. It seems to me the only way to do it is to view the attributes in Windows Explorer - but short of clicking down through the whole tree, I don't see how to find encrypted files that are in non-encrypted folders or a level or two down...

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Thu Jan 30 21:59:29 2003

This message: [ Message body ]
Next message: ktimm: "Re: IDS and forensics"
Previous message: George M. Garner Jr.: "RE: Identifying Win2K/XP Encrypted Files"
Maybe in reply to: Christopher Howell: "Identifying Win2K/XP Encrypted Files"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT