Case Study: Overcoming EFS Encryption Without Original Hardware
Originally published by Police Technical magazine, this technical case study outlines how the Alaska Bureau of Investigation successfully bypassed Microsoft Encrypting File System (EFS) protection during a felony investigation into the exploitation of a minor. When standard forensic tools such as FTK and PRTK failed to decrypt evidence located on a loose "suspect drive" separate from the original operating system, the investigators had to engineer a manual solution.
In this download, you will learn:
- The Challenge: How investigators handled encrypted evidence found on a damaged volume where the original machine was unavailable for booting.
- The Method: A step-by-step walkthrough of "spoofing" a Windows user identity, including using newsid.exe to replicate Security Identifiers (SIDs) and editing the registry to force specific relative identifiers (RIDs) for user creation.
- The Result: How recreating the original user environment allowed for the successful decryption of over 8,000 images and videos essential to the prosecution.