Hi,
thanks for the detailed list :-)
I agree with the keys stored on the computer. In fact software certificates
are always a theoretical risk. That's why smartcards should be used.
Regarding network transfers, temp files etc., I do have to agree. In
fact when using EFS such points have to be considered.
Stefan
From: ForensicIdeas@googlegroups.com [mailto:ForensicIdeas@googlegroups.com]
On Behalf Of Jeremy Pullicino
Sent: Friday, May 08, 2009 11:57 AM
To: ForensicIdeas@googlegroups.com
Subject: Why EFS is not a good idea (was Re: IP tracking software)
EFS is inherently flawed...
- EFS keys are stored on the computer; with physical access to the system
the enemy can retrieve them and decrypt the files
- EFS keys are automatically loaded and used when the user logs on; with
physical access retrieving the login password is trivial, so the enemy can
log in and decrypt the files
- When a file is encrypted with EFS, the original file is deleted. With disk
imaging software (e.g. dd) one can read the 'free' or 'slack' space and
retrieve the original file
- When EFS files are copied onto an external or network drive, encryption is
automatically removed, sometimes without notice. EFS files are only
protected on your own computer.
- When on a Windows AD domain with a CA properly configured, EFS files can be
copied to network drives and retain their encryption; however, during the
network transfer the file is unencrypted so the enemy can read out the file
by sniffing his network.
- There are some issues with the Microsoft certificate management that make
it possible to mistakenly lose keys, thus losing all your encrypted files
Jeremy.
On Thu, May 7, 2009 at 6:28 PM, Stefan Engelbert <ste...@engelbert.de>
wrote:
Why is EFS not a good idea?
From: ForensicIdeas@googlegroups.com [mailto:ForensicIdeas@googlegroups.com]
On Behalf Of Jeremy Pullicino
Sent: Thursday, May 07, 2009 4:14 PM
To: ForensicIdeas@googlegroups.com
Subject: Re: IP tracking software
Hi,
My 2 euro cents worth...
These methods assume you have physical access to the system - passwords do a
good job of protecting access via the network/internet.
When your 'enemy' has physical access to the system there is very little you
can do - if he wants he can steal your hard disk, or even destroy the
computer - no passwords will protect from that...
If you have sensitive files on your PC then I recommend either storing them
in a secure remote location, or using strong encryption on the files (note:
EFS is not a good idea).
Best regards,
Jeremy Pullicino
Security Consultant
On Wed, May 6, 2009 at 2:56 PM, Geoffrey Alexander <h1ever1b...@hotmail.com>
wrote:
If by-passing or cracking Windows passwords is as easy as this, why bother
setting them up at all?
Am I the only one to conclude that even a novice 'hacker' could access any
'password-protected' computer?
- Geoffrey.
_____
From: mindstorm...@hotmail.com
To: forensicideas@googlegroups.com
Subject: RE: IP tracking software
Date: Fri, 1 May 2009 22:28:00 -0400
If you are able to Login using the GUEST ACCOUNT; you can then run this
keyfinder:
http://downloads.sourceforge.net/keyfinder/keyfinder.2.0.1.zip?use_mirror=osdn
If you do not have a guest account available then this software will allow
you to blank the admin password:
http://home.eunet.no/pnordahl/ntpasswd/
Do read the FAQ and other available support pages before attempting this
because the software boots into a minimal Command Line Linux environment and
could be a little scary if you have not used DOS in the past. Lots of luck
Dan
_____
From: amyde...@live.com
To: forensicideas@googlegroups.com
Subject: RE: IP tracking software
Date: Thu, 30 Apr 2009 15:24:43 -0400
I think someone has been on my laptop. I have a desktop I use most of the
time, the laptop is mostly for use when I'm out of town. Mysteriously, I
cannot locate the Windows CD, which I thought was in a locked file drawer,
in my home office, and I don't remember creating a backup disk. There is a
new user account I don't remember creating, or have access to. But my
original password works, but I don't remember the admin password, so that's
why I was wondering if someone could bypass, or somehow retrieve my Windows
password without changing it.