EFS — Encrypting File System. Encrypted Files and Folders (NTFS ver. 3.0 and newer)
$EFS Attribute
When NTFS encrypts a file, it sets the Encrypted flag (0x4000) on the file and creates a $EFS attribute for the file, where it stores the DDFs and DRFs. This attribute has Attribute ID = 0x100 in NTFS and can be pretty lengthy, occupying from 0.5 KB to several kilobytes depending on the number of DDFs and DRFs.
Here's an example of the $EFS attribute with more details, field by field (the original hex-dump images of each field are omitted; only the field descriptions follow):

- $EFS attribute size.
- Computer SID and user number. It specifies the folder where EFS stores certificates. In order to get the folder name EFS makes some manipulations:
- Public key thumbprint.
- Private key GUID (also used as the container name). EFS uses this name when it acquires a context from the CryptoAPI provider. If there's only one DDF in the $EFS attribute, the container name can be figured out from $EFS (this field), but as more users are added to the file (more DDFs or DRFs), the PK GUID is not stored for all of them and must be retrieved from certificate storage based on the public key thumbprint.
- Cryptographic provider name = Microsoft Base Cryptographic Provider v.1.0.
- User name to whom the current DDF or DRF belongs.
- Encrypted FEK. Usually the FEK is 128 bits long (in the case of DESX), but since it's encrypted with a 1024-bit RSA key, its encrypted length is 1024 bits.
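The last field is worth a worked illustration of the length arithmetic. The Python script below is an added example, not EFS's or Microsoft's code: it generates a throwaway 1024-bit RSA key in place of a user's certificate, wraps a random 128-bit FEK with textbook PKCS#1 v1.5 padding (used here as a stand-in for the provider's own key-exchange wrapping), and shows that the wrapped FEK is always the modulus size, 128 bytes, no matter how short the key it carries. Key generation and padding are written out by hand so only the standard library is needed; the function and variable names are the example's own.

```python
"""Illustrative FEK wrapping: a 128-bit key wrapped by a 1024-bit RSA key
always occupies 1024 bits (128 bytes). Added example, not EFS code."""
import secrets

# Odd primes below 1000, used for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so it has exactly `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits: int = 1024, e: int = 65537):
    """Throwaway (n, e, d) with an n of exactly `bits` bits; stands in for the
    user's certificate key, which EFS would fetch via the CryptoAPI provider."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e != 0:
            return n, e, pow(e, -1, phi)


def pkcs1_v15_wrap(fek: bytes, n: int, e: int) -> bytes:
    """EM = 0x00 || 0x02 || PS (random non-zero, >= 8 bytes) || 0x00 || FEK,
    then RSA. The result is always k bytes, k = modulus length in bytes."""
    k = (n.bit_length() + 7) // 8
    if len(fek) > k - 11:
        raise ValueError("FEK too long for this modulus")
    ps = bytes(1 + secrets.randbelow(255) for _ in range(k - len(fek) - 3))
    em = b"\x00\x02" + ps + b"\x00" + fek
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def pkcs1_v15_unwrap(wrapped: bytes, n: int, d: int) -> bytes:
    """Reverse of pkcs1_v15_wrap; rejects malformed padding."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding header")
    sep = em.index(b"\x00", 2)          # PS is non-zero, so first 0x00 ends it
    if sep < 10:
        raise ValueError("padding string too short")
    return em[sep + 1:]


def demo():
    """Wrap a constructed 128-bit FEK (DESX-sized, as on the page) and report
    (plain length, wrapped length, round-trip ok)."""
    n, e, d = generate_rsa_keypair(1024)
    fek = secrets.token_bytes(16)
    wrapped = pkcs1_v15_wrap(fek, n, e)
    return len(fek), len(wrapped), pkcs1_v15_unwrap(wrapped, n, d) == fek


if __name__ == "__main__":
    print(demo())   # (16, 128, True)
```

The point to take away for anyone reading a raw $EFS attribute: the encrypted-FEK field length is dictated by the wrapping RSA modulus, not by the FEK itself, so a 2048-bit certificate would make that field 256 bytes while the underlying FEK stayed the same size.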