In a case where encrypted NTFS EFS files on an employee's computer were copied to removable media, which option best describes how investigators can recover the encrypted data?

Multiple Choice

Explanation:
The key idea here is how EFS handles access to encrypted files in an enterprise setting. Each file in EFS is encrypted with a File Encryption Key (FEK), a symmetric key. That FEK is then encrypted with the user’s public key, so normally only the user who possesses the corresponding private key can decrypt the FEK and thus decrypt the file.

In many organizations, a Data Recovery Agent (DRA) is established. When a DRA is configured, EFS also encrypts a copy of each file's FEK with the DRA's public key and stores it with the file, alongside the copy encrypted for the user. The DRA's private key can therefore decrypt the FEK for files encrypted by users. This means that even if the original user's private key is lost or the data is on removable media, investigators who have the DRA's key can recover the data by decrypting the FEK and then the file.

So using a Data Recovery Agent to recover the information aligns with how EFS is designed to allow data recovery in scenarios where user keys aren’t available or data is moved to other media. The other options don’t fit because they imply data is irrecoverable or require the original user key, which isn’t the only path to recovery if a DRA is in place.
