A Forensic Analysis of the Encrypting File System
EFS or the Encrypting File System is a feature of the New Technology File System (NTFS). EFS provides the technology for a user to transparently encrypt and decrypt files. Since its introduction in Windows 2000, EFS has evolved over the years. Today, EFS is one of the building blocks of Windows Information Protection (WIP) - a feature that protects against data leakage in an enterprise environment (DulceMontemayor et al., 2019). From the attacker's perspective, since EFS provides out-of-the-box encryption capabilities, it can also be leveraged by ransomware. In January 2020, SafeBreach labs demonstrated that EFS could be successfully used by ransomware to encrypt files and avoid endpoint detection software (Klein A., 2020). The purpose of this paper is to provide security professionals with a better understanding of artifacts generated by EFS and recovery considerations for EFS encrypted files.
40160 (PDF, 6.02MB)
24 Feb 2021Related Content
Threat Intelligence-Driven Attack Surface Management
Research PaperDefenders struggle to keep up with the pace of digital transformation in the face of an expanding...
- 9 Aug 2022
- Jonathan Matkowsky
How to Build and Use an Incident Response Playbook Effectively
Research PaperAn effective incident response playbook provides structure and clarity during high-pressure security events.
- 25 Jul 2022
- Andreas Seiler
Windows 10 vs. Windows 11, What Has Changed?
Research PaperWindows 10 was released on July 29, 2015. It has since become the most installed desktop operating...
- 25 Jul 2022
- Andrew Rathbun
Malware Function-based encryption technique
Research PaperRecent malware often uses techniques to evade detection by cybersecurity products. One of the...
- 22 Jun 2022
- Hirokazu Murakami
Detecting Unauthorized Behavior From Legitimate Accounts
Research PaperIncident Responders face an almost insurmountable amount of log events, and the move to the Cloud...
- 22 Jun 2022
- Rodney Caudle
Recommendations for small/medium-sized businesses enabling incident response
Research PaperSecurity incidents are inevitable. While large businesses can afford security teams to prepare and...
- 17 Jan 2022
- Luke Pearson
Cloud Forensics Triage Framework (CFTF)
Research PaperDigital media forensic investigations come in multiple forms and span single assets - from thumb...
- 28 Jul 2021
- Michael Beck
EDR Evasion: Stranger Things In A Payload
Research PaperTackling enterprise security has many pitfalls. Yet, the emergence of Endpoint Detection and Response (EDR) products has paved a way for threat hunters to act at scale.
- 28 Jul 2021
- Christopher Watson
CIS CSC Controls vs. Ransomware: An Evaluation
Research PaperCybercriminals continue to develop and enhance both new and existing ransomware variants, exploiting...
- 19 May 2021
- Dylan Malloy
Missing SQLite Records Analysis
Research PaperThis article will specifically discuss the identification of missing records, within the SQLite...
- 12 Mar 2021
- Ian Whiffin, Shafik G Punja, Ian Whiffin
Insider Threat The Theft of Intellectual Property in Windows 10
Research PaperThe prevalence of the theft of intellectual property investigations has grown over the past years...
- 11 Mar 2021
- Eduard Du Plessis
Tactical Linguistics: Language Analysis in Cyber Threat Intelligence
Research PaperThe capability to effectively collect and analyze data in strategic foreign languages when...
- 15 Jan 2021
- Jason Spataro
Practical Process Analysis - Automating Process Log Analysis with PowerShell
Research PaperWindows event log analysis is an important and often time-consuming part of endpoint forensics. Deep...
- 29 Dec 2020
- Matthew Moore
Incident Response in a Security Operation Center
Research PaperCybercrime dates back to the late 1700s and remains a threat today. By observing current threats,...
- 27 Aug 2020
- Josh Higgason
Applying the Scientific Method to Threat Hunting
Research PaperThreat hunting is a proactive approach to discover attackers within an organization. Without the use...
- 28 May 2020
- Jeremy Kerwin
Tips and Scripts for Reconnaissance and Scanning
Research PaperNowadays, information is the key to success. Pentesters' and bounty hunters' first step is to...
- 12 Feb 2020
- Zoltan Panczel
Threat Hunting and Incident Response in a post-compromised environment
Research PaperIf you give an attacker 100 days to move freely in your compromised environment, the evidence is...
- 3 Dec 2019
- Rukhsar Khan
Exploring the Human Fingerprints on Malware
Research PaperMuch of the focus of cyber threat intelligence is countering adversaries and the tools and...
- 22 Nov 2019
- SANS Institute
The Value of Contemporaneous Notes and Why They Are a Requirement for Security Professionals
Research PaperContemporaneous notes, or notes taken as soon as practicable after an event or action takes place, are invaluable to analysts in security roles performing activities such as digital forensics and incident response.
- 30 Sep 2019
- Seth Enoka
Hunting for Ghosts in Fileless Attacks
Research PaperThis study explores the different variations of fileless attacks that targeted the Windows operating system and what kind of artifacts or tools can provide clues for forensic investigation.
- 13 May 2019
- Buddy Tancio
