Decrypting EFS file
From: Levy (thebe14_at_gmail.com)
Date: 05/24/05
- Previous message: Ray Hayes: "Re: GetEffectiveRightsFromAcl"
- Next in thread: Levy: "Re: Decrypting EFS file"
- Reply: Levy: "Re: Decrypting EFS file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 24 May 2005 09:16:18 +0300
Hello,
I need to recover the content of a deleted encrypted file from a NTFS volume. I can read the file's content by directly accessing the volume (reading and decoding MFT, data runs and all that candy). I see that encrypted files have a named NTFS attribute of type LOGGED_UTILITY_STREAM (name is $EFS). I need to interpret the content of this.
From the info I could gather so far, this data consists of:
struct EFS_INFO_HEADER
{
DWORD m_dwSize;
DWORD m_dwVersionMinor;
DWORD m_dwVersionMajor;
DWORD m_dwUnknown1;
BYTE m_Checksum[32];
BYTE m_Unknown2[36]; // this somewhere contains the count of following DDF entries
// the DDF entries
// count of DRF entries
// the DRF entries
};
struct EFS_ENTRY_HEADER
{
BYTE m_Unknown1[64];
};
struct EFS_DDF_ENTRY
{
EFS_ENTRY_HEADER m_Header;
// container name
// crypto provider name
// EFS certificate hash
// encrypted FEK
};
struct EFS_DRF_ENTRY
{
EFS_ENTRY_HEADER m_Header;
// container name
// crypto provider name
// EFS certificate hash
// encrypted FEK
};
Does anyone know more about these structures, where they are defined, or where I can find more about them? Thanks a lot.
Regards,
Levente
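As an added illustration (not code from the post), here is a bounds-checked reader for the fixed-size part of EFS_INFO_HEADER exactly as laid out above; the field names, the 84-byte header size and the sample buffers are assumptions built from the post, not from any documented $EFS specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Fixed-size prefix of the $EFS stream as laid out in the post:
 * four DWORDs, a 32-byte checksum and 36 bytes of unknown meaning. */
#define EFS_INFO_HEADER_SIZE (4 * 4 + 32 + 36) /* 84 bytes */

typedef struct {
    uint32_t size;          /* m_dwSize: declared length of the whole $EFS data */
    uint32_t version_minor; /* m_dwVersionMinor */
    uint32_t version_major; /* m_dwVersionMajor */
    uint32_t unknown1;      /* m_dwUnknown1 */
    uint8_t  checksum[32];  /* m_Checksum */
    uint8_t  unknown2[36];  /* m_Unknown2: reportedly carries the DDF entry count */
} efs_info_header;

/* Read a little-endian DWORD byte by byte: no alignment or host-endianness assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header from `len` bytes of attribute data. Fails when the buffer is
 * shorter than the header or when m_dwSize is inconsistent with it, so a corrupt
 * stream can never steer later offset arithmetic past the buffer. */
bool efs_parse_header(const uint8_t *buf, size_t len, efs_info_header *out) {
    if (buf == NULL || out == NULL || len < EFS_INFO_HEADER_SIZE) return false;
    out->size          = rd32(buf);
    out->version_minor = rd32(buf + 4);
    out->version_major = rd32(buf + 8);
    out->unknown1      = rd32(buf + 12);
    memcpy(out->checksum, buf + 16, sizeof out->checksum);
    memcpy(out->unknown2, buf + 48, sizeof out->unknown2);
    return out->size >= EFS_INFO_HEADER_SIZE && out->size <= len;
}

/* Convenience wrapper: declared size on success, -1 when the header is rejected. */
long efs_declared_size(const uint8_t *buf, size_t len) {
    efs_info_header h;
    return efs_parse_header(buf, len, &h) ? (long)h.size : -1L;
}

/* Constructed samples (not real on-disk data): a 96-byte attribute whose header
 * claims 0x60 = 96 bytes and version 1.0, and one whose m_dwSize claims 256 bytes. */
const uint8_t efs_sample_ok[96]  = { 0x60, 0, 0, 0,  0, 0, 0, 0,  1, 0, 0, 0 };
const uint8_t efs_sample_bad[96] = { 0x00, 0x01, 0, 0 };
```

The variable-length DDF/DRF region that follows the header is deliberately left unparsed, since the post does not pin down its layout.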