Recovering deleted encrypted files

Hello,

I need to recover the content of a deleted encrypted file from an NTFS volume. I can read the file's content by directly accessing the volume (reading and decoding the MFT, data runs and all that candy). I see that encrypted files have a named NTFS attribute of type LOGGED_UTILITY_STREAM (the name is $EFS). I need to interpret the content of this, the goal being to obtain the (encrypted) FEK (file encryption key).

From the info I could gather so far, this data consists of:

struct EFS_INFO_HEADER
{
    DWORD m_dwSize;
    DWORD m_dwVersionMinor;
    DWORD m_dwVersionMajor;
    DWORD m_dwUnknown1;
    BYTE  m_Checksum[32];
    BYTE  m_Unknown2[?];
    // count of DDF entries
    // the DDF entries
    // count of DRF entries
    // the DRF entries
};

struct EFS_DDF_ENTRY
{
    // header
    // container name
    // crypto provider name
    // EFS certificate hash
    // encrypted FEK
};

struct EFS_DRF_ENTRY
{
    // header
    // container name
    // crypto provider name
    // EFS certificate hash
    // encrypted FEK
};

Does anyone know more about these structures, where they are defined, and where I can find more about them? Some of these structures seem to have members that are sometimes missing, and I cannot decide how to handle this.

Another approach would be to use the WriteEncryptedFileRaw API and feed it the necessary data in the callback function, essentially attempting a restore directly from the deleted file. Again, I see by attempting to use ReadEncryptedFileRaw that the data this API stuffs into my callback function on backup is some header, followed by the $EFS attribute (slightly modified!), then some additional data, probably another header, then the encrypted content, interrupted every now and then by some unknown data. I have no documentation for any of these, thus I cannot manually construct the data stream to feed into the callback function for WriteEncryptedFileRaw.

Any info, hint, pointer in the right direction would be welcome. Thanks a lot.

Regards,
Levente
[2124 byte] By [thebe14] at [2007-11-19 9:36:17]
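As an added example (not code from the original post, and not a Microsoft structure definition), the following Python pulls the resident $EFS LOGGED_UTILITY_STREAM value out of an MFT record and decodes only the fixed header fields the post lists. The attribute-header offsets are the standard NTFS ones; the $EFS field layout follows the post's partial description, so everything after the checksum is returned raw; the sample record is constructed, not read from a real volume.

```python
import struct
from typing import Optional

ATTR_LOGGED_UTILITY_STREAM = 0x100  # NTFS attribute type that carries the $EFS stream

def find_resident_attribute(record: bytes, attr_type: int, name: str) -> Optional[bytes]:
    """Walk an MFT FILE record's attribute list and return the value of the first
    resident attribute with the given type and name, or None if absent."""
    off = struct.unpack_from("<H", record, 0x14)[0]  # first-attribute offset in the record header
    while off + 8 <= len(record):
        a_type, a_len = struct.unpack_from("<II", record, off)
        if a_type == 0xFFFFFFFF or a_len < 24:  # end-of-attributes marker or corrupt length
            break
        non_resident, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        a_name = record[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if a_type == attr_type and a_name == name and not non_resident:
            val_len, val_off = struct.unpack_from("<IH", record, off + 16)
            return record[off + val_off:off + val_off + val_len]
        off += a_len
    return None

def parse_efs_header(efs: bytes) -> dict:
    """Decode the fixed leading part of the $EFS value as the post lays it out
    (size, minor version, major version, unknown DWORD, 32-byte checksum) and
    return the rest raw, since the remaining layout is not documented here."""
    if len(efs) < 48:
        raise ValueError("$EFS value shorter than the fixed header")
    size, minor, major, unknown1 = struct.unpack_from("<IIII", efs, 0)
    if size != len(efs):  # sanity check before trusting anything further in
        raise ValueError(f"m_dwSize {size} != attribute value length {len(efs)}")
    return {"size": size, "version": (major, minor), "unknown1": unknown1,
            "checksum": efs[16:48].hex(), "tail": efs[48:]}

def build_sample_record() -> bytes:
    """Constructed MFT record (not from a real volume) holding one resident $EFS attribute."""
    tail = b"\x00" * 52  # stand-in for m_Unknown2 and the DDF/DRF arrays; contents hypothetical
    efs = struct.pack("<IIII", 48 + len(tail), 0, 1, 0) + bytes(range(32)) + tail
    name = "$EFS".encode("utf-16-le")
    name_off, val_off = 0x18, (0x18 + len(name) + 7) & ~7
    attr_len = (val_off + len(efs) + 7) & ~7
    attr = struct.pack("<IIBBHHH", ATTR_LOGGED_UTILITY_STREAM, attr_len, 0, len(name) // 2, name_off, 0, 0)
    attr += struct.pack("<IHBB", len(efs), val_off, 0, 0)  # resident part: value length / offset
    attr = attr.ljust(name_off, b"\0") + name
    attr = (attr.ljust(val_off, b"\0") + efs).ljust(attr_len, b"\0")
    record = (b"FILE" + b"\0" * 0x10 + struct.pack("<H", 0x38)).ljust(0x38, b"\0")
    return record + attr + b"\xff\xff\xff\xff" + b"\0" * 4
```

The m_dwSize check is what catches a value that was only partially recovered from a deleted record; the raw tail is where the DDF/DRF parsing would continue once the layout is known.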
# 1 Re: Recovering deleted encrypted files
You might want to ask about this in C++ programming. That is the language it would be in.
PeejAvery at 2007-11-10 3:39:32