Encrypting File System

Related terms:

Operating Systems, Filesystems, Public Key Infrastructure, Active Directory,

Certification Authority, Domain Controller

Anti-forensics
John Sammons, in The Basics of Digital Forensics (Second Edition), 2015

Encrypting file system

Encrypting File System (EFS) is used to encrypt files and folders. EFS is easy to
use, with nothing more than a check box in a file’s properties. It is “not fully
supported on Windows 7 Starter, Windows 7 Home Basic, and Windows 7
Home Premium” (Microsoft, 2011c). EFS uses the Windows username and
password as part of the encryption algorithm. EFS is a feature of the New
Technology File System (NTFS), not the Windows operating system (Microsoft,
2011d).

Read full chapter

URL: https://www.sciencedirect.com/science/article/pii/B9780128016350000061

Internet Information Server (IIS) Authentication and

Authorization Models, and Locking Down File Access
with EFS and WebDAV
Timothy “Thor” Mullen, in Thor's Microsoft Security Bible, 2011

Introduction
Microsoft's Encrypting File System technology is one of the strongest yet most
underutilized security features that I have seen in my many years of working
with Microsoft infrastructures and enterprise deployments. I have very rarely
seen it used in enterprise or even medium-sized environments, and when I
have, it has been in isolated instances where individuals or teams took it upon
themselves to implement EFS-based security controls. This is not entirely
without justification. EFS is easy for individuals to set up and use autonomously,
but the proper deployment of EFS in large environments requires careful
planning around certificate and recovery agent management, backup and
restoration, and access model implementation. The consequences of improperly
rolling out EFS can be serious: You can lose access to your data. To be more
specific, inadequately designed EFS controls can result in files being encrypted
on the file system that, based on a failure scenario, can prevent the decryption of
files even though you may have physical access to them.
EFS, in its simplest form, is a Windows OS–based feature that allows a user
(administrator or otherwise) to set a folder, or an individual file, to have its
contents encrypted. Encrypting at the folder level is the typical method of using
EFS as it guarantees that any file added to the encrypted folder is automatically
encrypted. While you can certainly select an individual file and encrypt it, the
examples used in this chapter will be based on folders that are created in a
directory structure, and the folder itself marked for encryption. As mentioned,
when a folder is set to be encrypted, all files created within that folder will be
encrypted by their respective owners. Setting a folder to be encrypted is quite
simple; you just pull up the Advanced Attributes of a folder and select Encrypt
contents to secure data, as shown in Figure 2.1.

Read more
Read full chapter
URL: https://www.sciencedirect.com/science/article/pii/B9781597495721000093
Antiforensics
John Sammons, in The Basics of Digital Forensics, 2012

Some Common Types of Encryption

With privacy being such a major concern, encryption tools are now included
with some versions of the newer operating systems including Windows 7 and
Apple OS X. These tools are BitLocker and FileVault, respectively. These
encryption schemes can be applied selectively, only encrypting certain files or
folders. They can also be used to encrypt an entire drive. This is known as full or
whole disk encryption.
Full disk encryption (FDE) has some noteworthy advantages. We know from
previous chapters that operating systems in their course of normal operation
will leave artifacts scattered across the drive. Take swap space, for example. Even
though we encrypt an entire folder containing our sensitive files, remnants (or
the entire file) could be located in the swap space. Full disk encryption takes care
of these data “leaks.” The term full disk encryption is a little misleading. It doesn't
really encrypt the entire disk. In order to run BitLocker, there must be two
partitions (sections) on the hard drive: one, known as the “operating system
volume,” and the other, which contains the files to boot the machine, system
tools, and so on. The operating system volume contains everything else
including the vast majority of the items of most interest to us (Microsoft
Corporation, 2009).
As they say, there is no free lunch. FDE has some drawbacks as well.
Performance will likely suffer as the data are being encrypted and decrypted.
This encryption/decryption is done “on the fly,” meaning that it occurs just
before the data are saved or loaded into RAM. Passwords and keys are another
concern. Recovering your data is dependent on having the proper
authentication. If you lose or forget your password, you will very likely never get
your data back. Encryption cuts both ways.
Encrypting File System (EFS)
Encrypting File System (EFS) is used to encrypt files and folders. EFS is simple
to use, using nothing more than a check box in a file's properties. It is “not fully
supported on Windows 7 Starter, Windows 7 Home Basic, and Windows 7
Home Premium” (Microsoft Corporation). EFS uses the Windows username and
password as part of the encryption algorithm. EFS is a feature of the New
Technology File System (NTFS), not the Windows operating system (Microsoft
Corporation).
Bitlocker
Unlike EFS, BitLocker can be used to encrypt an entire hard drive, whereas
BitLocker To Go is used to encrypt removable media such as a USB drive
(Microsoft Corporation). BitLocker isn't available in all versions of Windows.
Currently it's only available on the Windows 7 Ultimate systems (Microsoft
Corporation). BitLocker doesn't usually function alone. It normally works in
conjunction with a piece of hardware called a Trusted Platform Module (TPM).
The TPM is a microchip on the motherboard of a laptop or PC that is intended
to deliver cryptographic functions (Microsoft Corporation). The TPM generates
and encrypts keys that can only be decrypted by the TPM. If configured to work
without the TPM, then the required keys are stored on a USB thumb drive.
BitLocker encryption is pretty stout, making decryption doubtful without the
key.
Encountering a running BitLockered machine affords an examiner an excellent
opportunity to recover data without having to defeat the BitLocker encryption.
Files stored in a BitLocker protected area of the hard drive are decrypted when
they are requested by the system (Microsoft Corporation, 2009). Any time you
can avoid going toe to toe with encryption is a good thing.
When dealing with a running computer, recognizing the presence of BitLocker
could make all the difference in a case. That running BitLockered machine may
very well represent the only chance you would have to recover any evidence
from that computer.
Apple Filevault
Apple's latest version of OS X, Lion, comes with FileVault 2. FileVault2 uses 128
bit, AES encryption. With FileVault 2 you can encrypt the content of your entire
drive. Apple gives customers the chance to store their recovery key with them.
Passwords stored with Apple could be retrievable with the proper legal search
authority (Apple, Inc., 2011).
Truecrypt
TrueCrypt is a free, open source software that provides on-the-fly-encryption
 functionality. In on-the-fly encryption, the data are automatically encrypted and
decrypted as they are saved and opened. All of this is done behind the scenes
without any user involvement. TrueCrypt also is capable of providing full disk
encryption. This includes file names, folder names, as well as the contents of
every file. It also includes those files that can contain sensitive data that the
system creates on its own. These files include things like log files, swap files,
and registry entries. Decryption requires the correct password and or key file(s).
TrueCrypt supports Windows, Mac, and Linux operating systems (TrueCrypt
Developers Association, 2011). TrueCrypt can use multiple encryption
algorithms including AES, Serpent, Twofish, or some combination of these
three. The key space is 256 bits.

Read less
Read full chapter
URL: https://www.sciencedirect.com/science/article/pii/B9781597496612000061

Microsoft Vista: Data Protection

In Microsoft Vista for IT Security Professionals, 2007

Encrypting File System

☑ The Encrypting File System allows you to encrypt individual files, or all files
within a folder.
☑ Windows Vista adds support for EFS keys held on smart cards; page file
encryption; offline file encryption based on the user’s key; and policies to
control the indexing of encrypted files.
☑ Always set up a Data Recovery Agent to allow you to recover files after the
user who encrypted them has left your domain; export the DRA keys into a
PFX file so that the DRA’s private key is not resident on the system.

Read full chapter

URL: https://www.sciencedirect.com/science/article/pii/B9781597491396500091

Securing Windows Server 2008 R2

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

EFS keys and algorithms

EFS utilizes both symmetric and asymmetric key technology to encrypt and
secure data on NTFS volumes. A symmetric key is a single key which can quickly
be used to encrypt or decrypt larger amounts of data. Symmetric keys are often
used to encrypt content because of the speed advantage they have over key
pairs. EFS utilizes symmetric keys to secure data content.
Asymmetric key pairs are a complimentary pair of keys. One of the keys is used
to encrypt while the other to decrypt. Asymmetric keys are slower when dealing
with large amounts of data, and so, are not used in EFS to secure data, but are
instead used to secure the symmetric key. So, ultimately, it is a combination of
keys that are used by EFS to secure a user's data in the file system; a single key
to encrypt the data content and a key pair to secure the single key.
In earlier iterations of EFS, Microsoft has employed industry standard
encryption algorithms such as Triple DES (3DES) and Data Encryption Standard
X (DESX). As encryption standards have developed and improved, Microsoft has
continued to update EFS to support the newer protocols, as was evident with the
release of Windows XP SP1. From Windows XP SP1, forward EFS began utilizing
Advanced Encryption Standard (AES) as its primary encryption mechanism.
The newest version of EFS, included with Windows Server 2008 R2 and
Windows 7, has followed in the same footsteps as the preceding versions and
has been improved to reflect the algorithm standards that exist today. The
following represent the algorithms supported by the Windows Server 2008 R2
iteration of EFS:
▪ Advanced Encryption Standard
▪ Secure Hash Algorithm (SHA)
▪ Elliptic Curve Cryptography (ECC)
▪ Smart card-based encryption
A critical addition to the preceding list is the new support for ECC. Many
environments today are required to comply with stricter regulatory
 Read more
Read full chapter
URL: https://www.sciencedirect.com/science/article/pii/B9781597495783000104

Active Directory – Escalation of Privilege

Rob Kraus, ... Naomi J. Alpern, in Seven Deadliest Microsoft Attacks, 2010

Fourth Defensive Layer: You'll Need That Secret Decoder Ring

Imagine for a second that an attacker has targeted you and has managed to
penetrate all three of the layers in this chapter that you have prepared. All that is
left is the asset your organization holds most dear: its data – information on its
payroll and financial health, intellectual property, proprietary product data, and
documented analysis of your competitors. The last thing you will want is this
most valuable asset being left bare for all to see (and take). There is one last line
of defense that you can implement to safeguard your files: data encryption. The
use of encryption technology would have prevented the disgruntled patron of
Casa de Marginal in Scenario 2 (Attacking Customer Confidence) from reading
and altering files.
There are a host of third-party vendors offering encryption software for
Windows. There are too many options on the market to give any of them the
justice they are due. This chapter focuses on the native Microsoft tools that ship
with various versions of Windows. In recent versions – Windows XP and newer –
there are two options to encrypt the contents of a volume on a hard disk:
Encrypting File System (EFS) and BitLocker. Each tool is used for different
purposes. EFS is designed to encrypt and decrypt individual files; BitLocker is
used to encrypt an entire hard disk.

Tip
BitLocker Drive Encryption and EFS are not mutually exclusive. In fact, they
can be used together in a rather effective combination. When using EFS,
encryption keys are stored with the computer's operating system. Although
the keys used with EFS are encrypted, their security could still be
compromised if a hacker is able to access the operating system drive. Using
BitLocker to encrypt, the operating system drive can help protect these keys
by preventing itself from booting or being accessed if it is installed in
another computer.

Using EFS
EFS encrypts files and folders individually based on the user account associated
with them. If a computer has multiple users or groups, each user or group can
encrypt their own files independently. EFS has been around since Windows
2000 and has been steadily improved with every new version of the Windows
code base, either client or server. Unlike BitLocker, it neither requires nor uses
any special hardware.
Although EFS has been available in all versions of Windows client and server
operating systems since Windows 2000, it is fully implemented only in certain
editions, specifically any of the Windows Server editions, Vista Enterprise and
Ultimate, and Windows 7 Ultimate. It is not fully supported on Windows Vista
Starter, Home Basic and Premium, and Business, or on Windows 7 Home
Premium or Professional. On those versions, you can decrypt and modify
encrypted files, but cannot encrypt them.
Working with encrypted folders and files is much the same as other file
operations. Open Windows Explorer and right-click the folder or file you want
to encrypt, and then click Properties in the context menu. Select the General
tab and then click Advanced. The dialog box shown in Figure 2.9 will appear.
Select the Encrypt contents to secure data (circled in the screenshot in Figure
2.9) check box and click OK. Finally click OK to confirm the operation. The
encrypted folder or file in the file list in Windows Explorer will turn green once
the encryption attribute is set. Decrypting a folder or file is nearly identical
except that you will clear the Encrypt contents to secure data check box in the
Advanced Attributes window and click OK to accept the change.
FIGURE 2.9. Encrypting a File Using EFS

Note
The first time you encrypt a folder or file, an encryption certificate is
automatically created. You should back up your encryption certificate. If your
certificate and key are lost or damaged and you don't have a backup, you
won't be able to use the files that you have encrypted.

Using BitLocker
If your requirements suggest that encrypting the entire hard disk is preferred to
working with individual files, BitLocker Drive Encryption is a better choice than
EFS. Road warrior employees who truck laptops everywhere they go are very
suitable candidates. A laptop left in an airport is an attractive target, especially
because employees on the road tend to be self-contained, carrying all of the files
they need to work on and anything they pick up on the road. An encrypted disk
makes it extremely difficult to extract the data from the purloined computer.
A further benefit of BitLocker is that it can be used to encrypt the contents of
removable media. BitLocker To Go works with many media, notably the
ubiquitous Universal Serial Bus (USB) drives that are the bane of IT security
professionals' existences and seem to proliferate at an alarming rate. Because it
encrypts the entire disk, another unique characteristic of BitLocker and
BitLocker To Go is that they disregard individual user accounts associated with
files; it is either enabled or disabled for all users or groups on the system.

Tip
Like EFS, your options for encrypting the contents of your hard drive depend
on the version of Windows that you are running. BitLocker is available only in
Windows Vista Enterprise and Ultimate, Windows Server 2008 and Windows
7 Ultimate, which means it is not available in Vista Home Basic, Home
Premium or Business, or in Windows 7 Home Premium or Professional.

Unlike EFS, BitLocker requires the use of special hardware before it can be
enabled. A trusted platform module (TPM) is a secure cryptoprocessor that can
store cryptographic keys, which is embedded in the workstations
microprocessor. It must be enabled in the Basic Input/Output System (BIOS),
which may or may not be by default. Once enabled, it will be displayed in Device
Manager under Security Devices, as shown in Figure 2.10. The TPM must be of
version 1.2 or later in order to be used with BitLocker. If a TPM is not installed
or is an earlier version, you can also use a removable USB memory device, such
as a USB flash drive to store its key. For this chapter, we will focus on enabling
BitLocker on systems that have an embedded TPM.
FIGURE 2.10. Verifying that the TPM is Enabled

Once the TPM has been enabled in the BIOS and you have verified in Device
Manager that Windows acknowledges its existence, you can manage it. Unlike
other hardware on your system, there is a specific and rather robust applet for
managing the TPM. The applet, shown in the screenshot in Figure 2.11, allows
you to initialize the TPM, enable or disable it, and change the password, among
other functions. The initial setup of the TPM is performed during the setup
process for BitLocker; after verifying that the TPM has been initialized, you do
not need to change the settings in order for BitLocker to be set up correctly.

FIGURE 2.11. Managing the TPM

Once you have the TPM enabled in the BIOS and have verified that it is
recognized by Windows, you can proceed to configure BitLocker. The applet,
shown in Figure 2.12, can be found through Control Panel | System and
Security | BitLocker Drive Encryption. As shown in the screenshot in Figure
2.12, you use this single applet to configure it on both fixed disks and
removable media. Please bear in mind that you need to be an administrator to
work with BitLocker on fixed disks and once you click on Turn On BitLocker,
you will need to confirm your permission to proceed through UAC. “Normal”
users can enable and disable BitLocker To Go on their removable media.
FIGURE 2.12. Selecting the Drive to Encrypt with BitLocker

The setup process takes care of everything. Once you click on Turn On BitLocker
or BitLocker To Go, it runs a check of your hardware and software to verify that
your system satisfies the requirements to enable BitLocker. If you are enabling
BitLocker in a hard disk drive, you will need to respond to the prompts that pop
up in any UAC windows. The system check is depicted in Figure 2.13.

FIGURE 2.13. Verifying that BitLocker Can Be Enabled

If your hardware and software satisfies the system requirements for BitLocker,
you will be presented with the screen shown in Figure 2.14. To get to this
screen, the TPM has been discovered; if the TPM is not enabled, you will be
instructed to enable it and start the process again. Since the TPM needs to be
enabled in the BIOS, you will need to reboot before you restart the process.
 Read less
Read full chapter
URL: https://www.sciencedirect.com/science/article/pii/B9781597495516000029

Windows Forensic Analysis

Ryan D. Pittman, Dave Shaver, in
Handbook of Digital Forensics and Investigation, 2010

EFS
The ability to use EFS to encrypt data has been around since the release of
Windows 2000 (although it is notably absent from distributions such as
Windows XP Home Edition and Windows Vista Home Basic), and allows users
to easily apply encryption to select files and folders in a way that is more or less
transparent. During the encryption process, keys are generated that are tied to a
user's Windows username/password combination. The decryption of protected
data is seamlessly accomplished for the logged on user (because the correct
credentials were supplied when they logged onto Windows); however, anyone
outside of that user's authenticated session will be unable to view the underlying
data of an EFS-encrypted file.
Like with BitLocker, failing to recognize that files or folders are EFS-encrypted
prior to imaging evidence can have significant repercussions. The names of files
and folders encrypted with EFS are most often displayed as green in the
Windows Explorer interface, and seeing such “green names” on a live, running
machine can be the first clue that EFS-encrypted data exists (Figure 5.64).

Figure 5.64. An EFS-encrypted folder viewed in Windows Explorer.

Examiners can also choose to use tools such as efsinfo.exe (a part of the
Windows XP Service Pack 2 Support Tools) to identify EFS-encrypted data along
with the user account that is able to decrypt them as shown in Figure 5.65.
 Figure 5.65. Identification of EFS-encrypted files using efsinfo.exe.

Most forensic tools will also identify EFS-encrypted data as demonstrated in

Figure 5.66, although special steps will still have to be taken to view the data in
its unencrypted form.

Figure 5.66. An EFS-encrypted folder viewed in EnCase.

If EFS-encrypted data objects are located prior to imaging, obtaining

unencrypted logical copies of the objects is always an option to insure against
later inability to access the data on the forensic image. However, if EFS-
encrypted data is encountered within a forensic image, the examiner does have
other options.
Many forensic tools offer the ability to decrypt EFS files automatically, provided
the proper user password is known (or guessed, or cracked) and entered as
appropriate. As such, obtaining the proper password is the key (if you'll pardon
the pun). The easiest way to obtain a user's Windows password is to ask the user;
you never know, the user (or his or her system administrator) could surprise you
by providing it willingly. Failing that, numerous options exist for the exporting
of SAM and SYSTEM registry hives from a forensic image and the subsequent
cracking or unmasking of passwords using the examiner's tool of choice (e.g.,
PRTK, Cain & Abel, 0phcrack, SAMInside, Linux, etc.). Before undertaking a true
cracking action, though, the examiner may want to complete the following in
the interest of avoiding unneeded frustration:
▪ Attempt to guess the password based on things you know about the user or
information supplied from other sources.
▪ Dump the Windows protected storage area (which can include saved
passwords and autocomplete data) from the registry using a tool such as
Protected Storage Explorer by Forensic Ideas
(www.forensicideas.com/tools.html).
▪ Attempt to brute-force the password using a dictionary file filled with
common passwords or passphrases, or a dictionary created by indexing the
user's favorite web sites.
▪ Understand the difference between cracking an LM password and trying to
crack an NTLM password.

Tool Feature: Decrypting EFS

Once the proper username/password combination is obtained, decrypting
EFS files becomes child's play. Figure 5.67 shows ElcomSoft's Advanced EFS
Data Recovery Tool (www.elcomsoft.com/aefsdr.html), which can scan a drive
for EFS-encrypted files and available EFS encryption keys, and enables the
examiner to decrypt located keys using a Windows user password, and can
even perform dictionary attacks on encrypted keys. If the correct password is

Read less
Read full chapter
URL: https://www.sciencedirect.com/science/article/pii/B9780123742674000057
 Secure Client Deployment with Trusted Boot and
BitLocker
Thomas W. Shinder, ... Debra Littlejohn Shinder, in
Windows Server 2012 Security from End to Edge and Beyond, 2013

FVE vs. File/Folder Encryption

File-level encryption, as provided by Microsoft's Encrypting File System (EFS)
and numerous third-party encryption programs such as CryptoForge and Folder
Lock, allows you to encrypt individual files and/or folders. An advantage of
file/folder encryption is that, because only specific files with sensitive data are
encrypted, there is little/no reduction in general system performance, although
it can slow down opening or working with the encrypted files. The user
designates which files/folders to encrypt.
FVE has the advantage of requiring no action on the part of the user. That
means you do not run the risk of users forgetting to encrypt a particular
sensitive file. Another advantage is that FVE encrypts temporary files that might
be created by applications in a folder other than the encrypted one, and it
encrypts the page file/swap file which can contain copies of sensitive data that
has been swapped from RAM. Finally, FVE can encrypt not only data volumes
but also the operating system files. In fact, in the first version of BitLocker that
was included with Windows Vista, only the operating system volume could be
encrypted. Windows Vista Service Pack 1 added the ability to encrypt non-OS
volumes on the internal hard drives and this ability was continued in
subsequent iterations of BitLocker. Windows 7 added a new feature, BitLocker-
to-Go, which allows full volume encryption of removable storage devices such as
external USB hard drives and removable flash drives.

Read full chapter

URL: https://www.sciencedirect.com/science/article/pii/B9781597499804000091

Microsoft Windows Server 2008

Aaron Tiensivu, in Securing Windows Server 2008, 2008

Full Volume Encryption

Windows BitLocker provides data encryption for volumes on your local hard
drive. Unlike Encrypting File System (EFS), BitLocker encrypts all data on a
volume—operating system, applications and their data, as well as page and
hibernation files. In Windows Server 2008, you can use BitLocker to encrypt the
whole drive, as compared to Windows Vista where you can encrypt volumes.
BitLocker operation is transparent to the user and should have a minimal
performance impact on well-designed systems. The TPM endorsement key is one
of the major components in this scenario.

Read full chapter

URL: https://www.sciencedirect.com/science/article/pii/B9781597492805000055

Troubleshooting
In How to Cheat at Microsoft Vista Administration, 2007

Inability to Open Files after Transferring from Another Computer

This problem is encountered when an encrypted file is transferred from a
computer running an earlier version of Windows, such as Windows XP or
Windows 2000, using the Windows Easy Transfer Wizard. When the file is
accessed for the first time on the Windows Vista computer after migration,
Windows Vista prompts you for the password on the old computer so it can
update your account with new account information. You must provide the old
password to update the EFS certificate and the key that is transferred during the
migration. If you do not provide the password and instead cancel the password
prompt, you will not be able to access the encrypted file. This problem occurs
even if you were the owner of the file on the old computer.
You can resolve this problem by recovering the encrypted file. This is possible
only when you import the EFS certificate and the key from the old computer.
You can use the command prompt for quickly resolving the problem, as
explained in following steps:
1. Click Start | All Programs | Accessories | Command Prompt.
 2. Click Continue in the User Account Control dialog box.
3. In the command prompt window, type dpapimig.exe and press Enter.
4. Type the password you used on the old computer.
5. Click Confirm My Account Information And Update Content Protection.
6. Exit the command prompt window.
This will resolve the problem and you should be able to access the encrypted
files you transferred from an old Windows XP or Windows 2000 computer.
For more information on resolving problems with encrypted files, use the
Windows Help and Support utility in the Start menu and search for solutions
using the keywords file encryption.

Read full chapter

URL: https://www.sciencedirect.com/science/article/pii/B9781597491747500124

Recommended publications

How to Cheat at Microsoft Vista Administration

Book • 2007

Scene of the Cybercrime (Second Edition)

Book • 2008

Microsoft Windows 7 Administrator's Reference

Book • 2010

Seven Deadliest Microsoft Attacks

Book • 2010

Copyright © 2023 Elsevier B.V. or its licensors or contributors.

ScienceDirect® is a registered trademark of Elsevier B.V.