
Thread: Is EFS/BitLocker secure?

  1. #1
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    Is EFS/BitLocker secure?

    Well, we had that report about the possibility of recovering the password from the RAM of a machine that had recently shut down or was in standby, by cooling the strips with a can of compressed air.

    OK, M$ said that it was a highly improbable scenario, and I am inclined to agree with that.

    Then I read that:
    ElcomSoft has released the Professional version 4.0 of Advanced EFS Data Recovery
    http://www.snpx.com/cgi-bin/news55.c...09967it?-18610

    So what is the real story?

  2. #2
    Junior Member
    Join Date
    Jun 2006
    Posts
    8
    As demonstrated by the team that used liquid nitrogen to freeze the RAM and then scan and recover the encryption keys, it is possible.

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Anything has to be better than the pre-Vista Windows EFS.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    If this works:

    http://www.elcomsoft.com/aefsdr.html

    It wouldn't make a blind bit of difference.

  5. #5
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    One thing I did not see mentioned was whether it can recover when the entire drive is EFS...

    Recovering specific files wouldn't be a problem, given that keys can be retrieved without too much difficulty by anybody who knows what to look for, given that they have direct access to the hard drive. Would the key recovery still be possible under full drive encryption... thereby encrypting the pagefile and other key retrieval locations as well, IIRC?
    Real security doesn't come with an installer.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    One thing I did not see mentioned was whether it can recover when the entire drive is EFS...
    I think that it would (at least the expensive one)

    Advanced EFS Data Recovery decrypts files protected with EFS quickly and efficiently. Scanning the hard disk directly sector by sector
    That sounds as if it works like roadkil's "Unstoppable Copier" which will read all the drive and copy everything:

    http://www.roadkil.net/unstopcp.html

    The claim that it will work with "damaged disks" also suggests that it would handle an entire EFS drive.

    Anyway, you could always copy the entire drive to a partition on a bigger drive and run it against that?

  7. #7
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Quote Originally Posted by nihil
    I think that it would (at least the expensive one )



    That sounds as if it works like roadkil's "Unstoppable Copier" which will read all the drive and copy everything:

    http://www.roadkil.net/unstopcp.html

    The claim that it will work with "damaged disks" also suggests that it would handle an entire EFS drive.

    Anyway, you could always copy the entire drive to a partition on a bigger drive and run it against that?
    Except that if the entire drive is encrypted, wouldn't the keys that needed to be retrieved also be encrypted themselves? Unless of course it's some sort of MBR resident key?
    Real security doesn't come with an installer.

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Doppy,

    Except that if the entire drive is encrypted, wouldn't the keys that needed to be retrieved also be encrypted themselves? Unless of course it's some sort of MBR resident key?
    I have no idea, but the software claims to work with EFS. It might well be my imagination, but the description on their website gave the impression that it knew how to decrypt the keys "on the fly" as in cracking, rather than finding something unencrypted somewhere and using that as a point of entry.

    On a very simplistic level, when you attempt to access an encrypted drive, it asks you for credentials which it must authenticate against something, somewhere, somehow. So you can get in (or it would be useless)

    Obviously, these guys don't say how their software works.................

    The reason I raised the whole issue is that I know people who think that EFS protects them big time..............errrr.................... not if I can go on the internet and for a few hundred dollars buy a tool that will open it up like a can of Coke ???????????

  9. #9
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Don't need fancy software to defeat EFS...just need the local admin password by default....or domain admin if on a domain.

    Whoever wrote the original article is either misleading folks to make the software sound better, or does not understand EFS totally.
    Last edited by Nokia; March 7th, 2008 at 01:07 PM.
