
Because the regular decrypt procedure with `cipher` fails, I'm looking for alternatives, along the lines of this exercise:

Goal

You have succeeded once you know the content of the encrypted file...

Looking at NTFS decrypt, my thinking is that something like Kali Linux will have utilities to fix this.

It seems that the keys are valid but have expired. Some files, not all, are encrypted.

I'm in early stages of research, just don't want to go down false paths.

Perhaps something like:

https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files

although I also see:

Linux

It is possible to decrypt files using ntfsdecrypt tool. In this case, you should get the private key first (by running cipher /x filename.pfx on a Windows system).

https://www.forensicswiki.org/wiki/Windows_Encrypted_File_System

-----------------update---------------------

I'll try the procedure outlined here first:

https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512680(v=technet.10)

  • Even if the certificate has expired, that would not prevent you from decrypting the files. An expired certificate does not become unusable when it expires; only a certificate revocation would cause that (even that can be avoided). – Ramhound Aug 31 '18 at 20:28
  • Unfortunately, the decrypt procedure doesn't work. – Thufir Aug 31 '18 at 20:40
  • Sounds like a problem with `ntfsdecrypt`, not the certificate. – Ramhound Sep 01 '18 at 00:49
  • I haven't tried `ntfsdecrypt` myself yet, so it's good to know that the procedure *should* work. – Thufir Sep 01 '18 at 16:53
  • What decrypt procedure were you referring to? – Ramhound Sep 01 '18 at 17:01
  • I was going by another person telling me that they were unable to decipher with the cipher.exe tool, but I'll follow https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512680(v=technet.10) first to see how that goes. I can do that from another Windows machine, provided that I have all the private keys and certs? – Thufir Sep 01 '18 at 18:01
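An added triage check, not from the question or its comments, written in PowerShell since the first step of the procedure is done on the Windows side: it lists which files under a folder actually carry the EFS attribute, which EFS certificates the current account holds (with expiry date and whether the private key is present), and which certificate thumbprints each encrypted file accepts, so an expired-but-usable key can be told apart from a missing one. `$Root` is an assumed parameter; run it as the account that owns the files.

```powershell
# Added example (not the question's or the commenters' code).
# Assumes $Root is the folder to inventory; run as the file owner's account.
param([string]$Root = "$env:USERPROFILE\Documents")

# EFS certificates carry the "Encrypting File System" EKU, OID 1.3.6.1.4.1.311.10.3.4.
$efsEku = '1.3.6.1.4.1.311.10.3.4'

# 1. Which files are actually EFS-encrypted? The Encrypted flag lives in Attributes.
$encrypted = @(Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
"{0} encrypted file(s) under {1}" -f $encrypted.Count, $Root

# 2. Which EFS certificates does this account hold, and is the private key present?
#    Expiry alone does not block decryption; a missing private key does.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku }
foreach ($c in $efsCerts) {
    $state = if (-not $c.HasPrivateKey) { 'NO PRIVATE KEY (cannot decrypt)' }
             elseif ($c.NotAfter -lt (Get-Date)) { 'expired, still usable for decryption' }
             else { 'valid' }
    "{0}  expires {1:yyyy-MM-dd}  {2}" -f $c.Thumbprint, $c.NotAfter, $state
}

# 3. cipher /c prints, per file, the users/recovery agents and certificate thumbprints
#    that can unlock it; compare those against the thumbprints listed in step 2.
foreach ($f in $encrypted) {
    cipher.exe /c $f.FullName
}
```

A file whose `cipher /c` thumbprints match none of the certificates with a private key is the case where exporting the key with `cipher /x` from the original account (or a recovery agent) is needed before any decryption, on Windows or with `ntfsdecrypt`, can work.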
