Help needed, encrypted files


Al1678

New Member
Dec 29, 2006
9
0
#1
Gents

I've just really started in computer forensics, by trade I'm an ethical hacker, but one of my clients has asked me to investigate misuse of their network. The suspect in question has already been dismissed for his offence, but the company are trying to find out a) how long he was abusing the system; b) whether he carried out any other actions, possibly criminal in nature; c) how he did what he did; and d) what can be done to prevent further occurrences.

Now C & D I've got sorted: somehow the suspect in question got access to the main server and created a hidden administrator account in Active Directory. I've just recommended a general tightening up of the security procedures; the system admins had become a little lax in their application of security.

Now A & B: I've imaged the hard drive and examined the data on it using EnCase 4.2. I've found details showing evidence of file transfers for several weeks. Part of these were over the network to another computer, where the files were encrypted; I presume the suspect took copies, but put the files there in case his computer was searched. However, a network admin, in a desire to impress his boss with his efficiency, went and deleted the suspect's Active Directory account from the server, and now I cannot access the encrypted files.

Can anyone think of a way round this, other than trying to crack the encryption?

Thanks in advance

Al
 

wilber999

New Member
Jun 24, 2006
63
0
#2
Is the folder encrypted with Microsoft EFS? If so, the domain administrator can create recovery keys. Google "Microsoft EFS administrator recovery key".
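To check the suggestion above before relying on it, here is an added PowerShell example (not from the thread or any poster) that finds EFS-encrypted files under an assumed path and, for each, asks the built-in cipher.exe which user and recovery-agent certificates hold a key for it. The path in $Root is an assumption. One caveat worth knowing: a Data Recovery Agent only appears in a file's recovery field if it was in policy when the file was encrypted (or later refreshed with `cipher /u`), so a DRA added after the fact does not unlock files encrypted earlier.

```powershell
# Added example, not part of the original forum post.
# Lists EFS-encrypted files under $Root and shows who can decrypt each one.
$Root = 'D:\Evidence\Share'   # assumed path to the imaged or mounted share

Get-ChildItem -Path $Root -Recurse -File |
  Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
  ForEach-Object {
    # cipher /c prints the certificate thumbprints of users and
    # recovery agents that can decrypt the given file
    $info = & cipher.exe /c "$($_.FullName)"
    [PSCustomObject]@{
      File       = $_.FullName
      CipherInfo = ($info -join "`n")
    }
  } | Format-List
```

If the "Recovery Certificates" section in the output is empty, no DRA existed when the file was encrypted and only the original user's key (or a backup of it) can decrypt it. For the preventive side of the question, `cipher /r:<name>` generates a recovery-agent certificate that can be published through Group Policy, and `cipher /u` re-stamps existing encrypted files with the current keys so the agent applies to them going forward.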
 

Al1678

New Member
Dec 29, 2006
9
0
#3
Cheers

That's what I thought, but the network admin said he couldn't do that.

Oh well, just go tell the boss his people don't know their stuff I suppose; doesn't surprise me after seeing the vulnerability of their system.

Happy new year to you all

Al
 


hdollar

New Member
Feb 21, 2007
75
0
#5
efs recovery

Ok so you are dealing with a yoyo for a network admin (paper MCSE no doubt). So then you could use a program called Password Recovery Kit from LostPassword to recover the EFS files.
 
