Encrypted File System (EFS). Decrypt file.

  • Question

  • Hello. I am trying to decrypt a file encrypted by EFS (EFSRPC metadata version 2). I decrypted the File Encryption Key from the DRF, but the buffer contains strange data that I can't find in the documentation. The field "Algorithm ID" contains the value 0xFFFFFFFF, and the key data contains the signature 0x4B44424D ("KDBM"), which is described as BCRYPT_KEY_DATA_BLOB_MAGIC. I tried to use the key in different ways, but it didn't work anyway.

    P.S. Protector List Entry has Protector flags 0x2

    P.P.S. The name of the documentation: [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol

    Monday, May 27, 2019 12:42 PM

Answers

  • UPDATE 6/3/2019
    ---------------

    data recovery field (DRF): The portion of the EFSRPC Metadata that contains information that enables authorized DRAs to decrypt the file.

    From 2.2.2.2.3 Blob Datum: the BlobType is 0x0003.
    So the blob contains the encrypted form of an Encrypted FEK structure, as defined in section 2.2.2.1.5. The contents of the key can be either the FEK or the FMK (see section 2.2.2.2.5).

    Also the Protector Type is 0x2 and flags is 0x5. That means the protector list entry stores the FMK.

    So the task is to decrypt the Encrypted FEK structure, then get the encrypted FMK from it, then decrypt it in order to decrypt the file with the actual FMK.

    bootmanga has been able to decrypt the data now.

    He provided feedback that he had problems with how to interpret and use the FMK to decrypt the FEK. We will review the document to update any relevant missing details.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Monday, June 3, 2019 4:58 PM
    Moderator
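Added example, not part of the thread or of the MS-EFSR specification: a defensive parser for the BCRYPT_KEY_DATA_BLOB that the poster found inside the decrypted key data (the "KDBM" signature). It checks the magic, version and declared key length before handing the key bytes on, so a truncated or mislabelled blob is rejected instead of being fed to a cipher. The magic and version constants are the public values from bcrypt.h; the sample blob is constructed.

```python
import struct

# bcrypt.h: BCRYPT_KEY_DATA_BLOB_MAGIC = 0x4d42444b, i.e. the little-endian
# encoding of the ASCII bytes "KDBM" as they appear in a memory dump.
BCRYPT_KEY_DATA_BLOB_MAGIC = b"KDBM"
BCRYPT_KEY_DATA_BLOB_VERSION1 = 1
# BCRYPT_KEY_DATA_BLOB_HEADER: ULONG dwMagic, ULONG dwVersion, ULONG cbKeyData
HEADER_FMT = "<4sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_key_data_blob(blob: bytes) -> bytes:
    """Return the raw symmetric key carried in a BCRYPT_KEY_DATA_BLOB.

    Raises ValueError rather than returning partial or unrelated bytes.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BCRYPT_KEY_DATA_BLOB_HEADER")
    magic, version, cb_key = struct.unpack_from(HEADER_FMT, blob)
    if magic != BCRYPT_KEY_DATA_BLOB_MAGIC:
        raise ValueError(f"bad magic {magic!r}, expected KDBM")
    if version != BCRYPT_KEY_DATA_BLOB_VERSION1:
        raise ValueError(f"unsupported blob version {version}")
    end = HEADER_LEN + cb_key
    if end > len(blob):
        raise ValueError("cbKeyData runs past the buffer (truncated blob)")
    # Trailing bytes after the key are tolerated; EFS records may be padded.
    return blob[HEADER_LEN:end]


def is_valid_key_data_blob(blob: bytes) -> bool:
    try:
        parse_key_data_blob(blob)
        return True
    except ValueError:
        return False


def key_length_bits(key: bytes) -> int:
    """Key size in bits, which tells you which cipher width the FEK/FMK fits."""
    return len(key) * 8


# Constructed sample: header + 32 dummy key bytes + 2 bytes of padding.
SAMPLE_KEY = bytes(range(32))
SAMPLE_BLOB = (struct.pack(HEADER_FMT, BCRYPT_KEY_DATA_BLOB_MAGIC, 1, len(SAMPLE_KEY))
               + SAMPLE_KEY + b"\x00\x00")

if __name__ == "__main__":
    key = parse_key_data_blob(SAMPLE_BLOB)
    print(f"magic ok, key is {key_length_bits(key)} bits: {key.hex()}")
```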

All replies

  • Hi bootmanga,
    Thank you for your inquiry about the EFSR protocol. We have created an incident for investigating this issue. One of the Open Specifications team members will contact you shortly.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Monday, May 27, 2019 5:31 PM
    Moderator
  • Unfortunately, I can not attach the image of buffer because my account is not verified: "Body text cannot contain images or links until we are able to verify your account."
    • Edited by bootmanga Tuesday, May 28, 2019 3:02 PM
    Tuesday, May 28, 2019 9:15 AM
  • Hi bootmanga,
    You can email the image to dochelp at microsoft dot com. I will research this issue for you.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Tuesday, May 28, 2019 3:30 PM
    Moderator
  • Okay. I sent an email with a topic like this. I attached two dumps of the 0x100 attribute and the decrypted FEK, and an image of the second dump.
    Tuesday, May 28, 2019 4:15 PM
  • Hi bootmanga,
    We have received the information and replied with some questions to your e-mail.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Wednesday, May 29, 2019 1:51 PM
    Moderator
  • Hello! Excuse me for the long answer. I am trying to collect some information for the answer.

    Wednesday, May 29, 2019 1:55 PM