Wednesday, August 28, 2013

[Forensics] How to acquire EFS protected files without exporting certificates?

Microsoft Encrypting File System (EFS) is the built-in file-level encryption on Windows; typically it is applied to files inside user profiles. It was a big challenge for me when I received a Windows machine with EFS enabled for data acquisition. I did a lot of research on forensic and cracking tools before trying to acquire the data, but those approaches are time-consuming and ineffective. Here is an interesting alternative; hopefully it saves your day.

Microsoft EFS only works on NTFS volumes; FAT32 has no way to store an encrypted file. So, while logged on to the live system as the user whose EFS key can decrypt the files (without that key, or a data recovery agent's key, nothing below works), connect a new FAT32-formatted hard drive and run Robocopy to copy the files onto it. Because the destination cannot carry the encryption, Windows writes the copies in plaintext: every EFS-encrypted file lands on the FAT32 drive in decrypted state. Do not use Robocopy's /EFSRAW switch, which copies the raw ciphertext instead. Done! Then image the FAT32 drive with FTK Imager. Two caveats: FAT32 cannot hold a single file larger than 4 GB, and this is a logical copy rather than a forensic image, so keep the Robocopy log and hash the copied files for your case notes.
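The procedure above as a PowerShell session, added here as an example and not part of the original post. It assumes you are logged on as the profile owner (so the EFS key is available), that C:\Users\victim is the profile to acquire, that E: is the freshly formatted FAT32 drive (both hypothetical), and Windows PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the original post). Assumptions: logged on as the
# user who can decrypt; C:\Users\victim = source profile (hypothetical);
# E: = FAT32 target drive (hypothetical); PowerShell 4+ for Get-FileHash.
$Source = 'C:\Users\victim'
$Target = 'E:\victim_copy'
$Enc    = [System.IO.FileAttributes]::Encrypted

# 1. Inventory EFS-encrypted files before touching anything (attribute bit 0x4000).
$encrypted = @(Get-ChildItem -LiteralPath $Source -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $Enc) -ne 0 })
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -LiteralPath 'E:\efs_inventory.csv' -NoTypeInformation

# 2. Confirm the target really is FAT32. Copying to NTFS would keep the files
#    encrypted, and a file over 4 GB cannot be written to FAT32 at all.
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='E:'").FileSystem
if ($fs -ne 'FAT32') { throw "Target is $fs, not FAT32" }
$tooBig = $encrypted | Where-Object { $_.Length -ge 4GB }
if ($tooBig) { Write-Warning ("{0} file(s) exceed the FAT32 4 GB limit" -f @($tooBig).Count) }

# 3. Copy. /E = all subdirectories, /COPY:DAT = data, attributes, timestamps,
#    /XJ = skip junction points (profile reparse loops), /R:1 /W:1 = do not
#    hang on locked files, /LOG = record for the case file.
#    /EFSRAW is deliberately NOT used: it would copy the ciphertext unchanged.
robocopy $Source $Target /E /COPY:DAT /XJ /R:1 /W:1 /NP /LOG:E:\robocopy.log
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures; check E:\robocopy.log" }

# 4. Verify: nothing on the target still carries the Encrypted attribute,
#    then hash the plaintext copies for the chain of custody.
$leftover = @(Get-ChildItem -LiteralPath $Target -Recurse -Force -File |
    Where-Object { ($_.Attributes -band $Enc) -ne 0 })
"Encrypted on source: {0}; still encrypted on target: {1}" -f $encrypted.Count, $leftover.Count

Get-ChildItem -LiteralPath $Target -Recurse -Force -File |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -LiteralPath 'E:\target_hashes.csv' -NoTypeInformation
```

If the "still encrypted on target" count is not zero, the copy was run either with /EFSRAW or from a session that does not hold the decrypting key; in the latter case Robocopy logs access-denied errors for those files, which is your cue that exporting or recovering the certificate is unavoidable for them.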
