Encrypted files captured in a bit-by-bit image during a conventional (post-mortem) forensic investigation are practically impossible to decrypt without the key and knowledge of the encryption method. Windows offers file encryption through a driver bundled with the New Technology File System (NTFS), the Encrypting File System (EFS). EFS files are decrypted transparently on access by the users whose EFS certificate the file was encrypted to, including any configured data recovery agent, as long as the files reside on an NTFS volume. In this article we present a method for extracting decrypted copies of EFS files from a live system. The method is built around Robocopy, a file-copy utility that does not modify the source file system's metadata during extraction. The hash of the encrypted data computed before and after extraction is identical, so the approach can be considered forensically sound. We present a scenario showing that live-system investigation is indispensable for obtaining complete information about the system under examination; this information would be lost if only conventional methods were applied, even when supplemented by the capture and analysis of physical memory.
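The extraction and verification steps described in the abstract, as an added PowerShell example that is not the article's own script. It assumes an illustrative source path and file name, that the script runs in the session of a user who can decrypt the file, that Robocopy is present (bundled from Vista onward, a Resource Kit download on XP), and that the destination `E:` is a FAT32-formatted external volume: because FAT32 has no EFS support, the copy arrives decrypted. The script snapshots the source file's metadata and hash before the copy, runs Robocopy, and reports whether anything on the source changed. The hashes here are of the file as the logged-on account reads it (EFS decrypts on read); hashing the raw ciphertext would require the ReadEncryptedFileRaw API and is outside this example.

```powershell
# Added example: live extraction of an EFS-encrypted file with Robocopy,
# with integrity and metadata checks around the copy. Not the article's own
# script; the paths and the FAT32 destination volume (E:) are assumptions.
param(
    [string]$SourceDir = 'C:\Users\alice\Documents',   # assumed path
    [string]$FileName  = 'secret.docx',                # assumed file
    [string]$DestDir   = 'E:\case01\efs'               # assumed FAT32 volume
)

function Get-FileHashHex([string]$Path) {
    # SHA-256 of the file as the logged-on user sees it (EFS decrypts on read).
    # Share mode ReadWrite lets us hash a file another process holds open.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Get-FileMeta([string]$Path) {
    # Metadata snapshot taken without reading the data stream.
    $f = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Length      = $f.Length
        Attributes  = $f.Attributes
        Encrypted   = [bool]($f.Attributes -band [IO.FileAttributes]::Encrypted)
        CreationUtc = $f.CreationTimeUtc
        WriteUtc    = $f.LastWriteTimeUtc
        AccessUtc   = $f.LastAccessTimeUtc
    }
}

$src = Join-Path $SourceDir $FileName
$before = Get-FileMeta $src
if (-not $before.Encrypted) { throw "$src is not EFS-encrypted; nothing to extract." }
$hashBefore = Get-FileHashHex $src

# /COPY:DAT keeps data, attributes and timestamps; /R:0 /W:0 avoids retry
# loops on a live system; /NP drops progress output; /LOG+ appends a record
# of the run for the case file. On a FAT32 destination the copy is decrypted.
New-Item -ItemType Directory -Force -Path $DestDir | Out-Null
$log = Join-Path $DestDir 'robocopy.log'
robocopy $SourceDir $DestDir $FileName /COPY:DAT /R:0 /W:0 /NP /LOG+:$log | Out-Null
$rc = $LASTEXITCODE          # 0-7 = success variants, 8 or higher = failure
if ($rc -ge 8) { throw "robocopy failed with exit code $rc (see $log)" }

$after     = Get-FileMeta $src
$hashAfter = Get-FileHashHex $src
$dst       = Join-Path $DestDir $FileName
$hashCopy  = Get-FileHashHex $dst

[pscustomobject]@{
    SourceHashUnchanged = ($hashBefore -eq $hashAfter)
    CopyMatchesSource   = ($hashBefore -eq $hashCopy)
    CopyStillEncrypted  = (Get-FileMeta $dst).Encrypted   # expect False on FAT32
    CreationUnchanged   = ($before.CreationUtc -eq $after.CreationUtc)
    WriteUnchanged      = ($before.WriteUtc -eq $after.WriteUtc)
    AccessUnchanged     = ($before.AccessUtc -eq $after.AccessUtc)
    RobocopyExitCode    = $rc
} | Format-List
```

Two caveats a practitioner should keep in mind. On Windows XP and Server 2003, NTFS updates a file's last-access time on every read unless NtfsDisableLastAccessUpdate is set, so the initial hash itself can move AccessUtc; compare the creation and last-write timestamps, which no read touches, and record the access-time behaviour of the examined system in the notes. Second, if the destination were an NTFS volume instead of FAT32, Robocopy would keep the file encrypted (and with `/EFSRAW` would copy the raw ciphertext), which is useless without also exporting the user's EFS certificate and private key.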