Temporary file is not erased. When EFS encrypts a file, it copies the
file's contents into a temporary hidden file named Efs0.tmp in the same
folder as the file being encrypted. Then it encrypts the plain text
block by block and writes the encrypted data into the original file.
After the process is done, the temporary file is deleted. The problem is
that EFS simply marks it as deleted without actually erasing its
contents, which makes the unprotected data easy to reach with low-level
data recovery software like Active@ Undelete.

Solution - wipe free disk space. Usually, even if the plain text is
overwritten once, small magnetic traces remain detectable, giving a
chance to read the erased data with proper equipment. To minimize this
possibility, use commercially available software providing sophisticated
data erasing algorithms, like Active@ Eraser or ZDelete.NET.

File names in an encrypted folder are not protected. Encrypting a
folder's contents actually means automatically applying encryption to
all files in the folder, not encrypting the directory data itself. Since
a file name can itself contain sensitive information, this could be a
breach in security. One solution would be to use encrypted .zip archives
instead of folders; Windows XP treats them almost like folders. Then
only one file needs to be encrypted, and the archived data themselves
are harder to crack.

EFS security relies on a public/private key pair which is stored on the
local computer. Windows protects all private keys by encrypting them
through the Protected Storage service. Protected Storage encrypts all
private keys with a Session Key, derived from a 512 bit Master Key, and
stores them in
%User Profile%\Application Data\Microsoft\Crypto\RSA\User SID.
The Master Key is encrypted by a Master Key Encryption Key, which is
derived from the user password by using a Password Based Key Derivation
Function, and is stored in
%User Profile%\Application Data\Microsoft\Protect\User SID.
Despite the efforts Windows takes to protect keys, the fact that all
this information is stored on the local computer gives an attacker who
has got access to the hard drive a chance to figure out the keys and use
them to decrypt protected data. The overall security could be
significantly enhanced by encrypting private keys with the System Key.
The syskey.exe utility can be used to store the System Key on a floppy
disk and remove it from the computer. In this case the user must insert
the diskette with the System Key when the computer boots up.
Nevertheless, this method should be used with caution, since if the key
diskette is lost, there's no way to get access to the computer.
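
The key chain described above, as a simplified model added here for illustration (it is not Windows code). The stand-in cipher, PBKDF2-HMAC-SHA256, the iteration count and the function and field names are all assumptions; only the 512 bit Master Key and the order of the layers come from the text. It shows that the on-disk blobs plus the password are enough to recover a private key, and that they stop being enough once the private key is also wrapped with a System Key kept off the machine.

```python
import hashlib, hmac, secrets

def _h(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(key, data):
    # Stand-in cipher: XOR with an HMAC-SHA256 keystream (assumption, not the Windows cipher).
    ks = b"".join(_h(key, b"enc" + bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(key, data):
    ct = _xor(key, data)
    return ct + _h(key, b"mac" + ct)          # tag lets unwrap detect a wrong key

def unwrap(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(key, b"mac" + ct)):
        raise ValueError("wrong key")
    return _xor(key, ct)

def mkek(password, salt):
    # Master Key Encryption Key: derived from the user password by a password-based KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def session_key(master_key):
    return _h(master_key, b"session")         # Session Key derived from the Master Key

def protect(private_key, password, system_key=None):
    """Return the blobs that end up on the local disk (hypothetical field names)."""
    salt, master = secrets.token_bytes(16), secrets.token_bytes(64)   # 512 bit Master Key
    rsa_blob = wrap(session_key(master), private_key)
    if system_key:                             # extra layer keyed by the off-disk System Key
        rsa_blob = wrap(system_key, rsa_blob)
    return {"salt": salt, "protect": wrap(mkek(password, salt), master), "rsa": rsa_blob}

def recover(disk, password, system_key=None):
    master = unwrap(mkek(password, disk["salt"]), disk["protect"])
    rsa_blob = unwrap(system_key, disk["rsa"]) if system_key else disk["rsa"]
    return unwrap(session_key(master), rsa_blob)

if __name__ == "__main__":
    key = b"constructed sample private key"
    disk = protect(key, "pw")
    print(recover(disk, "pw") == key)          # disk contents + password suffice
    floppy = secrets.token_bytes(32)
    disk2 = protect(key, "pw", floppy)
    print(recover(disk2, "pw", floppy) == key) # now the diskette is needed too
```

Without the System Key, `recover(disk2, "pw")` raises `ValueError`, which is also what happens to the legitimate user if the diskette is lost.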