When NTFS encrypts file, it sets flag Encrypted (0x4000) for the
file and creates $EFS attribute for the file where it stores DDFs
and DDRs. This attribute has Attribute ID = 0x100 in NTFS and can
be pretty lengthy, occupying from 0.5K to several kilobytes depending
on number of DDFs and DRFs.
Here's an example of $EFS attribute with more details.
$EFS attribute size
Computer SID and user number. It specifies folder where EFS stores
certificates. In order to get folder name EFS makes some manipulations:
5A56B378 1C365429 A851FF09 D040000 - data stored in $EFS,
78B3565A 2954361C 09FF15A8 000004D0 - reversed
2025018970-693384732-167712168-1232 - converte to decimal
So, the folder will be %User Profile%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2025018970-693384732-167712168-1232\
Public key thumbprint
Private key GUID (also used as container name). This name EFS uses
when it aquires context from CryptoAPI provider. If there's only
one DDFin $EFS attribute, container name can be figured out from
$EFS (this field), but as more users added to the file (more DDFs
or DRFs), PK GUID is not stored for all of them and must be retrieved
from certificate storage based on public key thumbprint.
Cryptographic provider name = Microsoft Base Cryptographic Provider
v.1.0
User name, to whom current DDF or DRF belongs
Encrypted FEK. Usually FEK is 128-bit long (in case of DESX) but
since it's encrypted with 1024-bit RSA key, its encrypted length
is 1024 bits.
$EFS attribute size
Computer SID and user number. It specifies folder where EFS stores
certificates. In order to get folder name EFS makes some manipulations:
Public key thumbprint
Private key GUID (also used as container name). This name EFS uses
when it aquires context from CryptoAPI provider. If there's only
one DDFin $EFS attribute, container name can be figured out from
$EFS (this field), but as more users added to the file (more DDFs
or DRFs), PK GUID is not stored for all of them and must be retrieved
from certificate storage based on public key thumbprint. 
Cryptographic provider name = Microsoft Base Cryptographic Provider
v.1.0
User name, to whom current DDF or DRF belongs
Encrypted FEK. Usually FEK is 128-bit long (in case of DESX) but
since it's encrypted with 1024-bit RSA key, its encrypted length
is 1024 bits.