Forensic Extraction of EFS-Encrypted Files in Live System Investigation
2008; Taylor & Francis; Volume: 2; Issue: 1; Language: English
DOI: 10.1080/15567280701721905
ISSN 1556-7346
Authors:
Topic(s): Advanced Malware Detection Techniques
Abstract

Encrypted files captured by acquiring a bit-by-bit image in the process of conventional forensic investigation are practically impossible to decrypt without knowing the key and the method of encryption. The Windows operating system provides the option to encrypt files using an encryption driver bundled with the New Technology File System (NTFS) file system, the so-called encrypting file system (EFS). EFS files can be manipulated transparently by the owner and the system administrator as long as they reside in an NTFS file system. In this article we demonstrate the methodology of extracting EFS-decrypted files from a live system. The method of extraction is built around a software utility, Robocopy, which does not modify any metadata of the file system during extraction. The hash value for the encrypted data calculated before and after the extraction is identical, so this approach can be considered to be forensically sound. We present a scenario that shows that live system investigation is indispensable in obtaining complete information about the system being examined. This information would be lost if conventional methods were applied, even when supplemented by the capture and analysis of physical memory.

Keywords: encrypting file systems; EFS; live system forensic analysis; file systems security