Hello.
Starting from Windows 10 "Redstone 1", EFS-based encryption is supported for FAT volumes. Currently, TSK tools don't flag encrypted files.
```
$ istat sample_encryption.raw 14
Directory Entry: 14
Allocated
File Attributes: File, Archive
Size: 4112
Name: TEST_E~1.PFI

Directory Entry Times:
Written:	2021-11-18 21:53:56 (MSK)
Accessed:	2021-11-18 00:00:00 (MSK)
Created:	2021-11-18 21:52:51 (MSK)

Sectors:
8212 8213 8214 8215 8224 8225 8226 8227
8228 0 0 0

$ istat sample_encryption.raw 24
Directory Entry: 24
Allocated
File Attributes: File, Archive
Size: 4112
Name: TEST_E~2.PFI

Directory Entry Times:
Written:	2021-11-18 21:53:56 (MSK)
Accessed:	2021-11-18 00:00:00 (MSK)
Created:	2021-11-18 21:54:16 (MSK)

Sectors:
8216 8217 8218 8219 8220 8221 8222 8223
8232 0 0 0
```
(The output above has no mention of encryption. But the files are encrypted.)
The encryption flag is stored in the directory entry; the field is shown as selected below, and the flag is 0x01:
See also: https://github.com/microsoft/Windows-driver-samples/blob/1fe4cc42bedfccb97a5b2cc169f9e5306d41d0de/filesys/fastfat/fat.h#L353
In this project, the field is defined here:
`sleuthkit/tsk/fs/tsk_fatxxfs.h`, line 142 in 2142ca1
Attached: sample_encryption.raw.gz
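An added example (not TSK's code and not from the issue author) of the check a tool like istat could apply: parse 32-byte short-name directory entries and report bit 0x01 of the byte at offset 12, assumed here to be the field fastfat's fat.h names NtByte and tsk_fatxxfs.h names `lowercase`. The sample directory is constructed inline, not read from the attached image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed layout of a 32-byte FAT short-name directory entry: offset 12 is the
 * byte fastfat's fat.h calls NtByte and tsk_fatxxfs.h calls `lowercase`; per the
 * issue, bit 0x01 there marks an EFS-encrypted file (assumption, not TSK code). */
#define FAT_DIRENT_SIZE       32
#define FAT_OFF_ATTR          11
#define FAT_OFF_NTBYTE        12
#define FAT_ATTR_LFN          0x0f  /* all four low bits set: long-name slot */
#define FAT_NTBYTE_ENCRYPTED  0x01  /* value stated in the issue */
/* 1 if this short-name entry carries the encryption bit, else 0. Deleted (0xe5)
 * entries are still reported: a forensic tool wants the flag for them as well. */
int fat_dirent_is_encrypted(const uint8_t *ent)
{
    if (ent[0] == 0x00 || (ent[FAT_OFF_ATTR] & FAT_ATTR_LFN) == FAT_ATTR_LFN)
        return 0;                  /* unused entry, or LFN slot where byte 12 is a type field */
    return (ent[FAT_OFF_NTBYTE] & FAT_NTBYTE_ENCRYPTED) != 0;
}
/* Walk a directory buffer, print flagged entries istat-style, return the count. */
size_t fat_dir_count_encrypted(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t off = 0; off + FAT_DIRENT_SIZE <= len; off += FAT_DIRENT_SIZE) {
        const uint8_t *e = buf + off;
        if (e[0] == 0x00)          /* end-of-directory marker */
            break;
        if (fat_dirent_is_encrypted(e)) {
            printf("Directory Entry: %zu  %s  Name: %.8s.%.3s  Encrypted\n", off / FAT_DIRENT_SIZE,
                   e[0] == 0xe5 ? "Unallocated" : "Allocated", (const char *)e, (const char *)e + 8);
            n++;
        }
    }
    return n;
}
/* Constructed sample (not from the attached image): entry 0 mimics TEST_E~1.PFI
 * with the flag set, entry 1 is an LFN slot whose byte 12 is deliberately 0x01,
 * entry 2 is an ordinary file, entry 3 stays zero as the end marker. */
void build_sample_dir(uint8_t buf[4 * FAT_DIRENT_SIZE])
{
    memset(buf, 0, 4 * FAT_DIRENT_SIZE);
    memcpy(buf, "TEST_E~1PFI", 11);
    buf[FAT_OFF_ATTR] = 0x20;      /* Archive */
    buf[FAT_OFF_NTBYTE] = FAT_NTBYTE_ENCRYPTED;
    buf[FAT_DIRENT_SIZE] = 0x41;   /* LFN sequence number 1, last slot */
    buf[FAT_DIRENT_SIZE + FAT_OFF_ATTR] = FAT_ATTR_LFN;
    buf[FAT_DIRENT_SIZE + FAT_OFF_NTBYTE] = 0x01;
    memcpy(buf + 2 * FAT_DIRENT_SIZE, "PLAIN   TXT", 11);
    buf[2 * FAT_DIRENT_SIZE + FAT_OFF_ATTR] = 0x20;
}
```

Only the short-name entry is reported; the LFN slot is skipped even though its byte 12 is 0x01, because that byte has a different meaning there.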