Usage: rawefs.exe <EFS-encrypted file name>
Rawefs uses P/Invoke to access the native api calls, which are declared in .NET interop as:
public static extern uint OpenEncryptedFileRaw(String filename, uint ulFlags, ref IntPtr pvContext); public static extern uint ReadEncryptedFileRaw(ExportCallback fcback, MemoryStream memstr, IntPtr pvContext ); public static extern void CloseEncryptedFileRaw(IntPtr pvContext);The EFS export callback delegate class ExportCallback() is declared and defined in the managed function:
DumpEFS(IntPtr pbData, MemoryStream memstr, uint cbData)which retrieves the data from NTFS and writes back cumulative data buffers to the passed in MemoryStream instance. Note that in this case, the pvCallbackContext parameter of the native function is mapped simply as a reference to the MemoryStream instance. The MemoryStream contents are then converted to a byte and written out to a file _rawEFSdata. This exported EFS encrypted data encapsulates the client's keycontainer identity (associated with the client EFS certificate), the RSA enveloped (wrapped) random secret symmetric key (either DESX, 3DES or AES depending on the OS and OS release level) and the raw symmetric encrypted data itself with various headers and other information. If there are key recovery agents enabled, then the encrypted blob will also contain specifiers for those agents and the symmetric key wrapped to those agents public keys also.
It is not difficult to identify the RSA encrypted block (containing the secret symmetric key) and given the exported encryptors RSA private key, perhaps exported as a protected PKCS#12 file, extract the wrapped symmetric key for mobile EFS decryption on platforms that support RSA decryption and the symmetric algorithm used for bulk encryption (e.g. Java 2, .NET 1.1+, OpenSSL etc..).
Sample raw encrypted EFS contents (generated on Windows XP Pro sp2; default AES 256 bit symmetric encryption)
Download rawefs.exe v 18.104.22.168 (11,544 bytes) (.NET 2 Digitally Signed)
Basic EFS References