
Using EnCase 7 for EFS

(@cottondale)
Posts: 17
Active Member
Topic starter
 

I remember using EnCase 7 to decrypt documents using EFS. I am now faced with my first case where I need to decrypt documents using EFS. The books I have don't cover it, I have scoured the internet and this forum looking for the answer, and even reviewed my notes (where we spent about 15 minutes working on it in a "click here, click there, see how easy it is" fashion). I have scanned the volume for EFS, and I can view some of the decrypted files, but not all of them. I know what I have to enter is somewhere in Secure Storage, and I know I have to enter the passwords. I just can't figure out how to find the user passwords and enter them where they should go. I need my next step. All I have access to is EnCase 7; how am I able to determine the user passwords that need to be entered into Secure Storage? Once I do that, how do I decrypt the EFS documents?

If it would be easier to send me a message, I'd appreciate it. If there is a resource I have not found on the internet, please point me in that direction. Thank you

 
Posted : 30/10/2014 4:09 am
(@sam305754)
Posts: 44
Eminent Member
 

Hi,

I have never used V7 with EFS files, but in the user guide it is mentioned that after analyzing EFS (Device > Analyze EFS) the EFS status dialog shows information but can also open the Syskey.
When you click View > Secure Storage, then click the right-side dropdown menu in the table tab and select Enter Items. You can enter either the password or the location of the Syskey.
If the Syskey is protected and you do not know the password, EDS includes a dictionary attack option to get past a protected Syskey. To open Setup, right-click the root of Secure Storage and select Dictionary Attack.
There is an article on Guidance support https://support.guidancesoftware.com/node/207.

 
Posted : 30/10/2014 2:29 pm
(@cottondale)
Posts: 17
Active Member
Topic starter
 

I have attempted the dictionary attack. Unfortunately, there are several options in the dictionary attack window and none of them are explained in the user guide. When I run it (if I'm running it correctly) it does not seem to take too long, and I am returned with no results. I can input a wordlist, but from where could I bring in a worthwhile wordlist?

 
Posted : 30/10/2014 10:49 pm
(@jhup)
Posts: 1442
Noble Member
 

1. Right-click on the root of the device/evidence entry.
2. Select "Device" from the context menu.
3. Select "Analyse EFS…" from the sub-menu. A window will pop up.
4. The window has a [Next >] button that will iterate through all volumes within the selected device. Do not change any paths (for the Documents and Settings Path & Registry Path), just keep clicking through Next. Note that at the end of each volume the "Next" changes to "Finish". That is not the real finish, of course.

5. Once completed, your Secure Storage information will be populated with the EFS information. You can check this by looking under Secure Storage > SAM Users.

If the registry files have been intentionally moved, that is the only time you will need to re-point the paths during this process.

To do the dictionary attack, I would dump the keyword list (which requires indexing first), then feed it back to the attack.

 
Posted : 31/10/2014 11:29 pm
(@cottondale)
Posts: 17
Active Member
Topic starter
 

I have seen the dictionary attack; is there any documentation for the settings? I set up the dictionary attack and it ran all night. I want to make sure I select enough, but not too many. I know some dictionary attacks can take months or years if all options are selected.

 
Posted : 31/10/2014 11:47 pm
(@jhup)
Posts: 1442
Noble Member
 

Are you thinking of brute-force? In EnCase 7 both dictionary and brute-force options are under "Dictionary Attack" option.

Make sure you pick the right one.

I have seen the dictionary attack; is there any documentation for the settings? I set up the dictionary attack and it ran all night. I want to make sure I select enough, but not too many. I know some dictionary attacks can take months or years if all options are selected.

 
Posted : 03/11/2014 6:38 pm