Microsoft Windows 2000 introduced the encrypting file system (EFS) , which is a component of the NTFS ifle system, and allows the user to encrypt and decrypt ifles on the NTFS partition. Given that most of the forensic softwares can not achieve forensics quickly on EFS encrypted files, this paper first discusses encryption principles of the EFS, then puts forwards the EFS decryption method offline, and on this basis, designs the EFS forensics tool (EFT), which works independent of the operating system on the target data source and makes quick retrieval and batch forensics possible on a number of different users’ EFS encrypted ifles on the target data source at the same time. Practice shows that EFT can greatly improve the efifciency of forensics investigators.%微软从Windows 2000开始引入加密文件系统(EFS)。EFS是集成在NTFS文件系统中的一个组件,允许用户对NTFS分区上的文件进行加解密。针对目前大部分的取证软件无法实现对EFS加密文件快速取证等问题,文章首先讨论了EFS的加密原理,接着提出了EFS的离线解密方法,并在此基础上设计了EFS取证工具(FET)。EFT摆脱了对目标数据源上操作系统的依赖,能够同时对目标数据源上多个不同用户的EFS加密文件进行快速检索和批量取证。实践表明,EFT能够极大提高办案人员的取证效率。
展开▼
