EFS decryption

Log Out | Topics | Search Moderators | Edit Profile

Author Message   Michael Tarnawsky Username: mialta Registered: N/A Posted on Thursday, Oct 30, 2008 - 8:10:    I could not find anyway to do it from the help file or menu items and I did a search of the forums. Is there / will there be an option to decrypt EFS files in the forensic version ? Given that the examiner can point the program to the SAM, SYSTEM and has the users password ? Thanks Mike   Stefan Fleischmann Username: admin Registered: 1-2001 Posted on Thursday, Oct 30, 2008 - 8:36:    No, there isn't.   Scott Hopkins Username: hopkinss Registered: N/A Posted on Saturday, Jun 5, 2010 - 17:28:    Do you plan on adding the functionality to use a Disaster Recovery Key to decrypt EFS encrypted files? This seems to be a major component that is missing from the X-Ways Forensics application and keeps it from being a viable option to FTK or EnCase.   Stefan Fleischmann Username: admin Registered: 1-2001 Posted on Saturday, Jun 5, 2010 - 22:43:    It's just one out of 800 or so items on the To Do list. > keeps it from being a viable option to FTK or EnCase As I see it this does not keep X-Ways Forensics from being a viable option in general. If you occasionally need to decrypt some files, you can use Windows or EnCase or something that you probably already have. If you need it to most of the time, then for you maybe X-Ways Forensics is not a viable option, sorry.   Jimmy Weg Username: jw Registered: 7-2006 Posted on Monday, Jun 7, 2010 - 4:11:    Scott, you must encounter EFS far more than I. I think that I've had one EFS case since NTFS was released. Perhaps you could use VMware to boot the image into a decrypted state, disable EFS, and then convert the vmdk to E01/dd and load it into XWF. That way, you could use XWF's superior capabilities to conduct whatever component of your exam was not possible with EFS in place.