
How effective are EFS Rogs and document requests...?


Most big banks use EFS (Encrypted File Systems) for the genuineness of their records.


Can a discovery question be raised to the plaintiff about the accuracy of their records?



Like were there any security breaches on the account?


If the records were maintained by the plaintiff's witness, was the witness granted Administrator Privileges to the computer record?



Does the plaintiff employ a records retention manager certified as having Administrator Privileges?


Was the witness certified with current EFS programs involving data recovery and storage removal if data was stored on another disk in the record retention department, and transfers thereof?



EFS advantages and disadvantages

EFS technology makes it so that files encrypted by one user cannot be opened by another user
if the latter does not possess the appropriate permissions. After encryption is activated, the file remains
encrypted in any storage location on the disk, regardless of where it is moved. Encryption
can be used on any files, including executables.

The user with permission to decrypt a file is able to work with the file like with any other, without
experiencing any restrictions or difficulties. Meanwhile, other users receive a restricted access
notification when they attempt to access the EFS encrypted file.

This approach is definitely very convenient. The user gets the opportunity to reliably and quickly
(using standard means) limit access to confidential information for other household members or
colleagues who also use the computer.

EFS seems like an all-around winning tool, but this is not the case. Data encrypted using this
technology can be entirely lost, for example during operating system reinstallation.


We should remember that the files on disk are encrypted using the FEK (File Encryption Key),
which is stored in their attributes. FEK is encrypted using the master key, which in turn is encrypted
using the respective keys of the system users with access to the file. The user keys
themselves are encrypted with the users’ password hashes, and the password hashes use the
SYSKEY security feature.

This chain of encryption, according to EFS developers, should reliably protect data, but in practice,
as explained below, the protection can ultimately be reduced to the good old login password.

Thanks to this encryption chain, if the password is lost or reset, or if the operating system fails
or is reinstalled, it becomes impossible to gain access to the EFS-encrypted files on the drive. In
fact, access can be lost irreversibly.

Regular users do not fully understand how EFS works and often pay for it when they lose their
data. Microsoft has issued EFS documentation that explains how it works and the main issues
that may be encountered when encrypting, but these are difficult for regular users to understand,
and few read the documentation before starting to work.


Data can be lost for good

Let's figure out in what situations EFS-encrypted data can be lost. How dangerous can such a
situation be? We'll take it from the top.

How can one lose access to EFS-encrypted data?

Almost all of us have encountered a situation where it was necessary to fully reinstall Windows.
This may have been due to the operating system's functioning being disrupted by a software
failure, a virus attack, or a mistake made by an inexperienced user, or because the system password for a
user account was lost or a user profile was deleted. In this case, all encrypted data in the old
configuration would most likely be lost.

Consider the following typical scenarios in detail:

1. The system is not booting due to a component having been replaced or failed, or due to
operating system failure. For example, the motherboard is out of order, the boot sector
is damaged, system files are corrupted, some "half-baked" updates or a different unstable
piece of software was installed. In this case, the hard drive can be connected to a different
computer and the data can be read off it, but if it is EFS encrypted, this would not work.

2. The system administrator at the company or the user has reset the user password. In
this case, access to EFS-encrypted data would also be lost.

3. The user profile was deleted. In this case, the files (and the user keys) may still be on the
disk, but the system cannot see them. Even if the user is recreated with the same name, a
different ID will be assigned to the account, and that ID is used in the encryption process. In this
situation, access to the data encrypted using EFS will also be lost.

4. The user is migrated to a different domain (is authenticated through a different server). If
the user encryption keys were stored on the server at the time of the migration (usually this
is the case), then an unprofessional migration can result in the loss of access to the EFS-
encrypted data.

5. System reinstallation. In this case, access to EFS-encrypted data would naturally be lost.
If a backup copy of the entire system disk is made at the time, or at least of the user profile
(“Documents and Settings”), then access could be restored with the use of special software,
but only if the keys are not damaged.

It is fairly common for the system itself to be stored on one disk, while encrypted files are stored
on a different disk. When the administrator reinstalls the operating system, usually a backup of
just the disk with the data is made and then the system is reinstalled. Obviously, in this case the
keys are lost and with them goes the access to encrypted data.

It should be said that there is a straightforward way to avoid this situation, if the EFS
Recovery Agent is set up before using EFS, but this, just like the workings of EFS in general, is too complicated
for the average user, as demonstrated below.


What is the EFS Recovery Agent?

The EFS Recovery Agent is a user with permission to decrypt data, encrypted by another user,
if the latter lost the encryption certificate keys or if the user’s account was deleted, but the encrypted
data is needed.

As a rule, the Recovery Agent is the Administrator, but it can also be a different user. There can
be multiple Recovery Agents. In order to assign Recovery Agent permissions to a user, first Recovery
Agent certificates need to be created using the command "cipher /R:filename", where
"filename" is the path and name of the created certificates without the extension.

After this, the user will be asked to enter a password to protect the private key and to confirm it
(the password is not displayed in the console on entry). Then two files are created with the specified
name: *.cer and *.pfx. These contain the public and private certificate keys, respectively.
Now the certificate must be added to the personal store of the user designated as the Recovery
Agent (this step can be skipped; the Recovery Agent can do it later, when the recovery
functions need to be used) by importing the *.pfx file (double-click on the file icon to launch the certificate
import wizard). Then the administrator has to open the "Local Security Settings" snap-in
(Start - Run - secpol.msc), select "Public Key Policy - EFS" and in the "Action" menu select "Add
Data Recovery Agent." The "Add Recovery Agent Wizard" will open, and on the second page
one must click on "View folders" and select the *.cer file created earlier.

In order to restore access to the encrypted files after system reinstallation or after a private key
had been lost, the Recovery Agents’ private keys must be kept in a secure location or (if they
are not assigned), the private keys of all users using EFS, by exporting them from the “Private”
depository of the “Certificates” snap-in (certmgr.msc). In Windows Vista, there is finally a way to
store the keys on a smart card, which is much more reliable in terms of security.

It is clear that this kind of safety measure with the use of the EFS Recovery Agent contradicts
its intended principle of simplicity and requires non-trivial, from the average user’s point of view,
though routine for an administrator, actions and manipulations. It is no surprise that few use it.

It should be noted that if the administrator resets the account password for a local user,
the user will lose all private certificates and with them the access to EFS-encrypted files (a corresponding
warning will appear when this action is attempted). The same will happen if the local
administrator, using special means, forces a password change (i.e., without entering the
old password).

Consequently, the risk of losing the most important data, encrypted using EFS technology, when
there is a system failure or due to an administrator/user error, is rather high and must always be taken into consideration.


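The article quoted in the post above gives the Recovery Agent procedure (cipher /R, the secpol.msc step, exporting keys from certmgr.msc) and the five loss scenarios as prose only. The script below is an added example written for this thread; it is not from the post, the quoted article, or Microsoft. It is a pre-reinstall EFS checklist in PowerShell: inventory the encrypted files, record which certificates can decrypt each one, back up the user's EFS private key to a PFX, create a Data Recovery Agent certificate pair, and re-stamp existing files so the DRA covers them. The only commands it relies on are cipher.exe's documented /C, /R and /U switches and the PKI module's Export-PfxCertificate (Windows 8 / Server 2012 and later). The paths and the backup location are placeholders, and the string matched in the final check is an assumption about cipher /C's output, as marked in the comments.

```powershell
# Added example, not from the post or the article it quotes.
# Steps 1-3 must run AS THE USER who owns the encrypted files (their EFS private
# key lives in that user's profile); steps 4-6 need an elevated prompt.

$BackupDir = 'D:\efs-backup'            # assumption: a second disk, never the system disk
$DataRoot  = 'C:\Users\alice\Documents' # assumption: where the EFS-encrypted data lives
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Inventory. These are exactly the files that become unreadable after a password
#    reset, a deleted profile, or an OS reinstall that drops the user's profile.
$encrypted = Get-ChildItem -Path $DataRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
"{0} EFS-encrypted file(s) under {1}" -f @($encrypted).Count, $DataRoot
$encrypted.FullName | Set-Content -Path (Join-Path $BackupDir 'encrypted-files.txt')

# 2. For every encrypted file, record WHO can decrypt it: the thumbprints of user
#    certificates and of any Data Recovery Agent. A file whose output shows no
#    recovery certificate can only be opened with the user's own private key.
$whoCanDecrypt = Join-Path $BackupDir 'who-can-decrypt.txt'
foreach ($f in $encrypted) {
    cipher.exe /C "$($f.FullName)" | Add-Content -Path $whoCanDecrypt
}

# 3. Export the user's EFS certificate(s) with private key. The private key is
#    protected through DPAPI by a master key derived from the logon password, which
#    is why an administrative password reset silently destroys it. A PFX copy
#    protected by its own password survives that reset.
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported private keys'
$efsEku = '1.3.6.1.4.1.311.10.3.4'      # Enhanced Key Usage OID: Encrypting File System
$userCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) }
foreach ($c in $userCerts) {
    $out = Join-Path $BackupDir ('efs-user-{0}.pfx' -f $c.Thumbprint)
    Export-PfxCertificate -Cert $c -FilePath $out -Password $PfxPassword | Out-Null
    'exported user EFS key {0} -> {1}' -f $c.Thumbprint, $out
}

# 4. Create the Data Recovery Agent certificate pair. cipher /R prompts for a
#    password on the console and writes <name>.cer (public) and <name>.pfx (private).
#    The .pfx stays offline with the backup; only the .cer goes into policy.
$draBase = Join-Path $BackupDir 'efs-dra'
cipher.exe /R:"$draBase"

# 5. Designate the DRA. On a standalone machine this is the secpol.msc step the
#    article describes (Public Key Policies > Encrypting File System > Add Data
#    Recovery Agent, choosing efs-dra.cer); in a domain it is the same node in a GPO.
#    Policy applies only to files encrypted afterwards, so existing files are
#    re-stamped with the current recovery policy using cipher /U (run as the owner).
Read-Host 'Add efs-dra.cer as a Data Recovery Agent in secpol.msc or a GPO, then press Enter'
cipher.exe /U

# 6. Verify that every inventoried file now carries the recovery certificate.
#    Assumption: cipher /C prints a "Recovery Certificates" block when a DRA applies.
$uncovered = foreach ($f in $encrypted) {
    $info = cipher.exe /C "$($f.FullName)" | Out-String
    if ($info -notmatch 'Recovery Certificates') { $f.FullName }
}
if ($uncovered) {
    'WARNING: files with no recovery certificate (still tied to the user key only):'
    $uncovered
} else {
    'All encrypted files are covered by the Data Recovery Agent.'
}
```

Before the reinstall, keep encrypted-files.txt, who-can-decrypt.txt, the efs-user-*.pfx files and efs-dra.pfx together off the system disk; after the reinstall, importing the user PFX (or the DRA PFX) into the new account's personal store is what makes the files readable again. cipher /X is a built-in alternative for step 3 that writes the same kind of PFX backup of the current user's EFS key.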

You can ask anything you want. If the requested information is reasonably calculated to lead to the discovery of admissible evidence, you should get it. 


Ask yourself if the evidence you seek is admissible. Is it relevant? Evidence is relevant if it has any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence. 







Thanks nascar!

The OC in my case is all over the place regarding inept, patently false and missing information in documentation they sent me in favor of their MSJ, which they lost twice regarding record keeping.

