Forensic Extraction of EFS-Encrypted Files in Live System Investigation

  • Authors: Ewa Huebner; Derek Bem
  • Affiliations: University of Western Sydney, School of Computing and Mathematics, Penrith South, DC, Australia (both authors)
  • Venue: Journal of Digital Forensic Practice
  • Year: 2008


Abstract

Encrypted files captured by acquiring a bit-by-bit image in the process of conventional forensic investigation are practically impossible to decrypt without knowing the key and the method of encryption. The Windows operating system provides the option to encrypt files using an encryption driver bundled with the New Technology File System (NTFS), the so-called Encrypting File System (EFS). EFS files can be manipulated transparently by the owner and the system administrator as long as they reside in an NTFS file system. In this article we demonstrate a methodology for extracting EFS-decrypted files from a live system. The method of extraction is built around a software utility, Robocopy, which does not modify any metadata of the file system during extraction. The hash value of the encrypted data calculated before and after the extraction is identical, so this approach can be considered forensically sound. We present a scenario showing that live system investigation is indispensable in obtaining complete information about the system being examined. This information would be lost if only conventional methods were applied, even when supplemented by the capture and analysis of physical memory.