Decrypting EFS file

From: Levy (thebe14_at_gmail.com)
Date: 05/24/05

  • Next message: Jakub Gwozdz: "Re: WinLogon adds default certificate to "MY" store. Why, and how to disable?"
    Date: Tue, 24 May 2005 09:16:18 +0300
    
    

Hello,

I need to recover the content of a deleted encrypted file from an NTFS
volume. I can read the file's content by directly accessing the volume
(reading and decoding the MFT, data runs and all that candy). I see that
encrypted files have a named NTFS attribute of type LOGGED_UTILITY_STREAM
(the name is $EFS). I need to interpret the content of this.

From the info I could gather so far, this data consists of:

struct EFS_INFO_HEADER
{
    DWORD m_dwSize;
    DWORD m_dwVersionMinor;
    DWORD m_dwVersionMajor;
    DWORD m_dwUnknown1;
    BYTE  m_Checksum[32];
    BYTE  m_Unknown2[36]; // this somewhere contains the count of following DDF entries
    // the DDF entries
    // count of DRF entries
    // the DRF entries
};

struct EFS_ENTRY_HEADER
{
    BYTE m_Unknown1[64];
};

struct EFS_DDF_ENTRY
{
    EFS_ENTRY_HEADER m_Header;
    // container name
    // crypto provider name
    // EFS certificate hash
    // encrypted FEK
};

struct EFS_DRF_ENTRY
{
    EFS_ENTRY_HEADER m_Header;
    // container name
    // crypto provider name
    // EFS certificate hash
    // encrypted FEK
};

Does anyone know more about these structures, where they are defined, or where
I can find more about them? Thanks a lot.

Regards,
Levente
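
An added example, not part of the original post: a small Python parser that splits a raw $EFS attribute value along the fixed-size prefix the post sketches (four DWORDs, a 32-byte block labelled checksum, a 36-byte unknown block, 84 bytes in total) and keeps the DDF/DRF region as opaque trailing bytes, since the page does not establish that layout. It follows the poster's partial reconstruction only; nothing here is a verified Windows structure. The sample stream is constructed inline, and the DWORD planted in the unknown block is an assumption made purely so the candidate scan has something to find. Function names, the little-endian byte order and the check that the first DWORD equals the stream length are all assumptions of this example.

```python
import struct
from dataclasses import dataclass

# Fixed-size prefix of the $EFS stream exactly as sketched in the post:
# four DWORDs, a 32-byte block the post calls a checksum and a 36-byte
# block of unknown purpose, little-endian, 84 bytes in total. This mirrors
# the poster's partial reconstruction, not a verified Windows layout.
HEADER_FMT = "<IIII32s36s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 84


@dataclass
class EfsInfoHeader:
    size: int
    version_minor: int
    version_major: int
    unknown1: int
    checksum: bytes
    unknown2: bytes
    remainder: bytes  # DDF/DRF region; its layout is not established on the page


def parse_efs_stream(data: bytes) -> EfsInfoHeader:
    """Split a raw $EFS attribute value into the sketched header plus remainder."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"$EFS stream too short: {len(data)} < {HEADER_LEN} bytes")
    size, minor, major, unk1, checksum, unk2 = struct.unpack_from(HEADER_FMT, data, 0)
    # Assumption: the first DWORD is the total stream size. For a deleted
    # file rebuilt from data runs, a mismatch is the first hint that the
    # clusters were reused or that the wrong attribute was picked up.
    if size != len(data):
        raise ValueError(f"size field {size} disagrees with stream length {len(data)}")
    return EfsInfoHeader(size, minor, major, unk1, checksum, unk2, data[HEADER_LEN:])


def dword_candidates(blob: bytes) -> list:
    """Read an unknown block as aligned little-endian DWORDs.

    Used to hunt for small integers such as the DDF entry count the post
    expects somewhere inside unknown2; returns (offset, value) pairs.
    """
    return [(off, struct.unpack_from("<I", blob, off)[0])
            for off in range(0, len(blob) - len(blob) % 4, 4)]


def build_sample_stream(ddf_count: int = 2, remainder: bytes = b"\xAA" * 16) -> bytes:
    """Constructed sample stream (not captured from a real volume).

    The DDF count is planted at offset 8 of unknown2 as a pure assumption
    so the candidate scan has something to find; the real offset is unknown.
    """
    unknown2 = bytearray(36)
    struct.pack_into("<I", unknown2, 8, ddf_count)
    checksum = bytes(range(32))  # arbitrary filler, not a real digest
    total = HEADER_LEN + len(remainder)
    header = struct.pack(HEADER_FMT, total, 0, 1, 0, checksum, bytes(unknown2))
    return header + remainder


if __name__ == "__main__":
    hdr = parse_efs_stream(build_sample_stream())
    print(f"size={hdr.size} version={hdr.version_major}.{hdr.version_minor}")
    for off, val in dword_candidates(hdr.unknown2):
        if 0 < val < 64:
            print(f"unknown2+{off}: {val} (plausible entry count)")
    print(f"undecoded DDF/DRF region: {len(hdr.remainder)} bytes")
```

When run against bytes read from a real $EFS attribute value, the size check is the useful part: a deleted file's clusters may already have been partially reused, and a header whose size field disagrees with the recovered length is not worth decoding further. The DWORD scan is only a way to spot a plausible entry count inside the bytes the post marks as unknown.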

