Computer Hacking Forensic Investigator (CHFI v10) — Question 75
An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the employee's computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building and recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information?
Answer options
- A. EFS uses a 128-bit key that can't be cracked, so you will not be able to recover the information
- B. When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information.
- C. The EFS Revoked Key Agent can be used on the Computer to recover the information
- D. When the Encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the information.
Correct answer: B
Explanation
The correct answer is B because when files encrypted with EFS are copied to a non-EFS medium like a floppy disk, they are automatically decrypted during the copying process. Answer A is incorrect because while EFS is secure, the files would not remain encrypted when copied. Answer C is not applicable here since the Revoked Key Agent is for different scenarios, and answer D is false as the EFS private key does not get copied with the files.