There are two ways that EFS files can be decrypted in FTK.

Method 1

1. The examiner adds evidence into FTK using a DD or E01 image.

2. The evidence needs to contain:

a. Files encrypted with EFS (stored in a physical or logical image in order to preserve the logical link to the $EFS alternate data stream. Note: AD1 images cannot currently be used for EFS decryption)

b. The corresponding $EFS streams

c. The user's 'Crypto' folder ("C:\Documents and Settings\[USERNAME]\Application Data\Microsoft\Crypto", or "C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Crypto" on Vista-based systems)

d. The user's 'Protect' folder ("C:\Documents and Settings\[USERNAME]\Application Data\Microsoft\Protect", or "C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Protect" on Vista-based systems)

3. FTK will identify the files as EFS encrypted and mark their status as encrypted.

4. By entering the Windows login password of the user who encrypted the files into FTK, the EFS files can be decrypted.
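As an added pre-check for Method 1 (example code written for this page, not part of FTK), the script below takes directory paths listed from a mounted DD/E01 volume and reports which user profiles contain the 'Crypto' and 'Protect' folders from requirements 2c and 2d, in either the XP-era or the Vista-based layout, so the examiner knows before entering a login password whether the DPAPI material is present. The usernames and sample paths are constructed; absolute or volume-relative paths with either separator are accepted.

```python
import os
from pathlib import PureWindowsPath

# Profile layouts named in requirement 2: (parts above the username,
# parts from below the username down to the 'Microsoft' folder).
LAYOUTS = {
    "xp": (("documents and settings",), ("application data", "microsoft")),
    "vista": (("users",), ("appdata", "roaming", "microsoft")),
}
NEEDED = ("crypto", "protect")  # DPAPI folders FTK needs (2c and 2d)

# Constructed sample of directory paths as listed from an image (not real data).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Protect",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Crypto",
    r"C:\Documents and Settings\carol\Application Data\Microsoft\Crypto",
    r"C:\Documents and Settings\carol\Application Data\Microsoft\Protect\S-1-5-21-2",
    r"C:\Users\Public\Desktop",
]

def classify_artifacts(paths):
    """Map username -> layout and which of Crypto / Protect were seen.
    Case-insensitive (NTFS); a path below a folder counts as that folder present."""
    found = {}
    for p in paths:
        wp = PureWindowsPath(p)
        parts = [s.lower() for s in wp.parts[1 if wp.anchor else 0:]]  # drop drive
        for layout, (root, roaming) in LAYOUTS.items():
            n = len(root)
            idx = n + 1 + len(roaming)  # position of the Crypto/Protect name
            if (len(parts) <= idx or tuple(parts[:n]) != root
                    or tuple(parts[n + 1:idx]) != roaming):
                continue
            if parts[idx] in NEEDED:
                entry = found.setdefault(
                    parts[n], {"layout": layout, "crypto": False, "protect": False})
                entry[parts[idx]] = True
    return found

def profiles_ready(found):
    """Usernames whose profile satisfies both 2c and 2d."""
    return sorted(u for u, e in found.items() if e["crypto"] and e["protect"])

def scan_mounted_image(root):
    """Walk a mounted DD/E01 volume and classify every directory under it."""
    rel = [os.path.relpath(os.path.join(d, name), root)
           for d, names, _ in os.walk(root) for name in names]
    return classify_artifacts(rel)
```

A profile that appears in the output with only one of the two folders is the case Method 2 addresses, where the user's DPAPI material is unavailable.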

Method 2

Example 1: The examiner has recovered a recovery agent private key file from the domain controller (or other location) in the form of a PFX file.

Example 2: The examiner has encountered EFS encrypted files on an NTFS volume stored on removable media.

  1. Without access to the user's Crypto and Protect folders, the examiner must locate the PFX file that contains the private key used by the EFS cryptographic system to encrypt the user's files.
  2. In order to protect the private key from unauthorized access, the PFX file was encrypted with a password upon export. By dropping the PFX file into PRTK* or DNA*, the examiner should be able to retrieve the password.

*Note: Either PRTK or DNA can be used to recover the password used to encrypt a PFX file, but neither decrypts EFS files.