I am performing a manual search for $EFS attributes. It'll take a while
(*sigh*), but sooner or later I'll find a couple that correspond to
interesting files. Once obtained, how fortunate might I be if I
undertake the following steps:
- Encrypt a same-length file as the same user
- Manually replace this file's ciphertext (on a disk byte level) with
the target ciphertext
- Manually replace the $EFS attribute (on a disk byte level) with the
target $EFS attribute, including DDF
Is it possible that this process could yield the original file?
Thanks again,
- Shao Miller
-----Original Message-----
From: Miller, Shao
Sent: Sunday, January 31, 2010 11:37
To: lin...@li...
Subject: $EFS Attribute Recovery
Good day to All,
Thank you for NTFSProgs!
Compiling 'ntfsdecrypt' took a while to track down all the needed
dependencies, but now I've got it.
My situation involves an HDD failure. First thing done was 'ddrescue'
the disk to another known-good disk. Second thing done was run some
NTFS file recovery software and recover files. I've managed to port the
system to QEmu hardware (making use of WinVBlock and
http://etherboot.org/wiki/appnotes/port_winnt_sanboot) and subsequently
exported the .PFX file for the user with encrypted files.
But of course, the recovered files are assumed plaintext; there're no
$EFS attributes associated with the files which are actually encrypted.
So I have some questions today:
- Is an $EFS attribute an NTFS stream?
- If so, does someone have a recommendation for NTFS file recovery
software which includes recovery of NTFS streams?
- If not, are $EFS attributes only available in the $MFT?
- With the .PFX and the ciphertext versions of encrypted files, but no
$EFS attribute, what is my best course of action?
Of course, the 'ddrescue' image is still available to me for further
possibilities.
Thank you for your time and any advice you might have to offer,
- Shao Miller
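On the question of where the $EFS attribute lives: it is not an alternate data stream but a $LOGGED_UTILITY_STREAM attribute (type 0x100) named "$EFS" inside the file's MFT record, resident when small enough and otherwise non-resident with its value in clusters referenced by the attribute's run list. The script below is an added example, not part of this thread or of ntfsprogs; it parses raw FILE records from an $MFT image, undoes the per-sector update sequence fixups (which a byte-level search across a ddrescue image would otherwise trip over), and reports which records carry a $EFS attribute, the kind of manual search described in the reply above. The record layout follows the standard NTFS on-disk format; the two sample records, the $EFS blob and the ciphertext are constructed stand-ins, and no DDF/DRF structure inside $EFS is modelled.

```python
import struct

MFT_RECORD_SIZE = 1024                 # usual size of one FILE record
SECTOR_SIZE = 512                      # fixup granularity
AT_STANDARD_INFORMATION = 0x10
AT_DATA = 0x80
AT_LOGGED_UTILITY_STREAM = 0x100       # $EFS is a $LOGGED_UTILITY_STREAM named "$EFS"
AT_END = 0xFFFFFFFF


def undo_fixup(record):
    """Copy of a FILE record with the update sequence fixups reversed.

    NTFS overwrites the last two bytes of each sector of a record with the
    update sequence number (USN) and stores the real bytes in the update
    sequence array (USA); raw bytes read from a disk image must be repaired
    before any attribute value crossing a sector boundary can be trusted.
    """
    rec = bytearray(record)
    if rec[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("update sequence mismatch in sector %d" % i)
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def iter_attributes(record):
    """Yield (type, name, non_resident, value, offset) for each attribute."""
    rec = undo_fixup(record)
    pos = struct.unpack_from("<H", rec, 20)[0]          # first attribute offset
    while pos + 8 <= len(rec):
        attr_type, length = struct.unpack_from("<II", rec, pos)
        if attr_type == AT_END:
            return
        if length < 24 or pos + length > len(rec):
            raise ValueError("corrupt attribute length at offset %d" % pos)
        non_resident, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        name = rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
        value = None
        if non_resident == 0:                            # value lives inside the record
            val_len, val_off = struct.unpack_from("<IH", rec, pos + 16)
            value = rec[pos + val_off:pos + val_off + val_len]
        yield attr_type, name, non_resident, value, pos
        pos += length


def find_efs_attributes(record):
    """[(offset, non_resident, value)] for every $EFS attribute in one record."""
    return [(off, nr, val) for t, name, nr, val, off in iter_attributes(record)
            if t == AT_LOGGED_UTILITY_STREAM and name == "$EFS"]


def scan_mft(image):
    """Map record number -> $EFS hits over a raw $MFT byte buffer."""
    hits = {}
    for n in range(len(image) // MFT_RECORD_SIZE):
        rec = image[n * MFT_RECORD_SIZE:(n + 1) * MFT_RECORD_SIZE]
        if rec[0:4] != b"FILE":
            continue                                     # unused or damaged slot
        try:
            efs = find_efs_attributes(rec)
        except ValueError:
            continue                                     # torn record: skip, do not trust
        if efs:
            hits[n] = efs
    return hits


# --- constructed sample records (not taken from any real disk) ----------------

def build_attr(attr_type, name, value):
    """Pack one resident attribute with an optional UTF-16LE name."""
    name_bytes = name.encode("utf-16-le")
    name_off = 24
    val_off = (name_off + len(name_bytes) + 7) & ~7
    length = (val_off + len(value) + 7) & ~7
    buf = bytearray(length)
    struct.pack_into("<IIBBHHH", buf, 0, attr_type, length, 0, len(name), name_off, 0, 0)
    struct.pack_into("<IHBB", buf, 16, len(value), val_off, 0, 0)
    buf[name_off:name_off + len(name_bytes)] = name_bytes
    buf[val_off:val_off + len(value)] = value
    return bytes(buf)


def build_record(attrs, usn=0x0102):
    """Assemble a FILE record and apply fixups the way the filesystem does."""
    rec = bytearray(MFT_RECORD_SIZE)
    usa_off, usa_count = 48, 1 + MFT_RECORD_SIZE // SECTOR_SIZE
    first_attr = (usa_off + 2 * usa_count + 7) & ~7
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, usa_off, usa_count)
    struct.pack_into("<HH", rec, 20, first_attr, 1)    # first attr offset, in-use flag
    pos = first_attr
    for a in attrs:
        rec[pos:pos + len(a)] = a
        pos += len(a)
    struct.pack_into("<I", rec, pos, AT_END)
    struct.pack_into("<II", rec, 24, pos + 8, MFT_RECORD_SIZE)
    struct.pack_into("<H", rec, usa_off, usn)
    for i in range(1, usa_count):                        # stash sector-end words, write USN
        end = i * SECTOR_SIZE - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)
    return bytes(rec)


EFS_BLOB = b"\xAA" * 200        # constructed stand-in for a $EFS value
CIPHERTEXT = b"\x5C" * 400      # constructed stand-in for an encrypted $DATA stream
SAMPLE_ENCRYPTED = build_record([
    build_attr(AT_STANDARD_INFORMATION, "", b"\x00" * 48),
    build_attr(AT_DATA, "", CIPHERTEXT),
    build_attr(AT_LOGGED_UTILITY_STREAM, "$EFS", EFS_BLOB),
])
SAMPLE_PLAIN = build_record([
    build_attr(AT_STANDARD_INFORMATION, "", b"\x00" * 48),
    build_attr(AT_DATA, "", b"plain text file\n"),
])

if __name__ == "__main__":
    for n, efs in scan_mft(SAMPLE_PLAIN + SAMPLE_ENCRYPTED).items():
        for off, nr, val in efs:
            print("record %d: $EFS at offset %d, resident=%s, %d bytes"
                  % (n, off, not nr, len(val or b"")))
```

Run against a real $MFT (extracted from the ddrescue image, or a carved slice of it) by feeding the raw bytes to scan_mft; records whose fixups do not verify are skipped rather than parsed, since a torn record is exactly where a byte-level splice would produce misleading results. For a non-resident $EFS the script reports the attribute but returns no value, because decoding the run list to locate the clusters is not implemented here.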