Re: Decrypting EFS file

From: Levy (thebe14_at_gmail.com)
Date: 05/26/05


Date: Thu, 26 May 2005 20:51:36 +0300

Hi,

I just found out that there is a way to back up and then restore encrypted
files. The API that does the read from an encrypted file,
ReadEncryptedFileRaw, could be used to recover my deleted encrypted file.
However, this API has a callback that must be fed with data from the file,
INCLUDING the $EFS stream containing the encryption-related stuff.

However, this solution is also unusable for me, because it is not as simple
as feeding that callback with the content of the $EFS stream, followed by
the encrypted content of the file. Instead, some preliminary stuff should be
returned, then some parts of the $EFS stream, and then the encrypted
content, interrupted every now and then by a few bytes of unknown
"something".

I came to these conclusions empirically, by calling this API to read from an
encrypted file and comparing what I got stuffed in my callback with the
content of the LOGGED_UTILITY_STREAM attribute and the encrypted content of
the file.

Anyone who knows, to point me in the right direction? Help!

Levente

"Levy" <thebe14@gmail.com> wrote in message
news:eGCk4hCYFHA.2572@TK2MSFTNGP14.phx.gbl...
> Hello,
>
> I need to recover the content of a deleted encrypted file from an NTFS
> volume. I can read the file's content by directly accessing the volume
> (reading and decoding MFT, data runs and all that candy). I see that
> encrypted files have a named NTFS attribute of type LOGGED_UTILITY_STREAM
> (name is $EFS). I need to interpret the content of this.
>
> From the info I could gather so far, this data consists of:
>
> struct EFS_INFO_HEADER
> {
>     DWORD m_dwSize;
>     DWORD m_dwVersionMinor;
>     DWORD m_dwVersionMajor;
>     DWORD m_dwUnknown1;
>     BYTE  m_Checksum[32];
>     BYTE  m_Unknown2[36]; // this somewhere contains the count of following DDF entries
>     // the DDF entries
>     // count of DRF entries
>     // the DRF entries
> };
>
> struct EFS_ENTRY_HEADER
> {
>     BYTE m_Unknown1[64];
> };
>
> struct EFS_DDF_ENTRY
> {
>     EFS_ENTRY_HEADER m_Header;
>     // container name
>     // crypto provider name
>     // EFS certificate hash
>     // encrypted FEK
> };
>
> struct EFS_DRF_ENTRY
> {
>     EFS_ENTRY_HEADER m_Header;
>     // container name
>     // crypto provider name
>     // EFS certificate hash
>     // encrypted FEK
> };
>
> Does anyone know more about these structures, where they are defined, or
> where I can find more about them? Thanks a lot.
>
> Regards,
> Levente
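The $EFS header layout quoted above, applied to a constructed blob as an added example (this is not code from the post): it unpacks the fixed fields the post lists, checks the length, and hands back the DDF/DRF region untouched, since its layout is not known from the post. Assumed, and not stated in the post: DWORDs are little-endian and m_dwSize counts the whole stream.

```python
import struct
from dataclasses import dataclass

# Fixed-size prefix of the $EFS stream as laid out in the quoted post:
# DWORD size, DWORD version minor, DWORD version major, DWORD unknown1,
# BYTE checksum[32], BYTE unknown2[36]  -> 84 bytes. Little-endian is an assumption.
EFS_INFO_HEADER = struct.Struct("<4I32s36s")


@dataclass
class EfsInfoHeader:
    size: int
    version_minor: int
    version_major: int
    unknown1: int
    checksum: bytes
    unknown2: bytes
    entries: bytes  # DDF/DRF region; its internal layout is not known from the post


def parse_efs_info(blob: bytes) -> EfsInfoHeader:
    """Split a $EFS stream into the known fixed header and the opaque entry region."""
    if len(blob) < EFS_INFO_HEADER.size:
        raise ValueError(f"$EFS stream shorter than header ({len(blob)} < {EFS_INFO_HEADER.size})")
    size, vmin, vmaj, unk1, checksum, unk2 = EFS_INFO_HEADER.unpack_from(blob)
    # Assumption (not stated in the post): m_dwSize counts the whole stream.
    if size != len(blob):
        raise ValueError(f"m_dwSize={size} does not match stream length {len(blob)}")
    return EfsInfoHeader(size, vmin, vmaj, unk1, checksum, unk2, blob[EFS_INFO_HEADER.size:])


def build_sample(entries: bytes) -> bytes:
    """Constructed test blob, not captured from a real volume: header + opaque entries."""
    header = EFS_INFO_HEADER.pack(EFS_INFO_HEADER.size + len(entries), 0, 1, 0,
                                  bytes(range(32)), b"\0" * 36)
    return header + entries


if __name__ == "__main__":
    h = parse_efs_info(build_sample(b"\xaa" * 100))
    print(f"version {h.version_major}.{h.version_minor}, "
          f"checksum {h.checksum.hex()}, {len(h.entries)} bytes of DDF/DRF data")
```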


