
The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS
that provides filesystem-level encryption. The technology enables files to be transparently encrypted to
protect confidential data from attackers with physical access to the computer. EFS is available in all
versions of Windows developed for business environments from Windows 2000 onwards. By default, no
files are encrypted, but encryption can be enabled by users on a per-file, per-directory, or per-drive
basis. Some EFS settings can also be mandated via Group Policy in Windows domain environments.
Cryptographic file system implementations for other operating systems are available, but the Microsoft
EFS is not compatible with any of them.

When an operating system is running on a system without file encryption, access to files normally goes
through OS-controlled user authentication and access control lists. However, if an attacker gains
physical access to the computer, this barrier can be easily circumvented. One way, for example, would
be to remove the disk and put it in another computer with an OS installed that can read the filesystem;
another would be to simply reboot the computer from a boot CD containing an OS that is suitable for
accessing the local filesystem. The most widely accepted solution to this is to store the files encrypted
on the physical media (disks, USB pen drives, tapes, CDs and so on). In the Microsoft Windows family
of operating systems EFS enables this measure, although on NTFS drives only, and does so using a
combination of public key cryptography and symmetric key cryptography to make decrypting the files
extremely difficult without the correct key. However, the cryptographic keys for EFS are in practice
protected by the user account password, and are therefore susceptible to most password attacks. In
other words, the encryption of a file is only as strong as the password that unlocks the decryption key.

Operation of Encrypting File System

New features available by Windows version

Windows XP

Encryption of the Client-Side Cache (Offline Files database)
Protection of DPAPI Master Key backup using domain-wide public key
Autoenrollment of user certificates (including EFS certificates)
Multiple-user (shared) access to encrypted files (on a file-by-file basis) and revocation checking
on certificates used when sharing encrypted files
Encrypted files can be shown in an alternate color (green by default)
No requirement for mandatory Recovery Agent
Warning when files may be getting silently decrypted when moving to an unsupported file system
Password reset disk
EFS over WebDAV and remote encryption for servers delegated in Active Directory

Document
Document encryption encrypts a single file. Generally, when using document encryption you
are using the features of the application (e.g. Microsoft Word). Typically this requires you to set
and remember a password. Current versions of Microsoft Office and Adobe offer encryption
features to help restrict access to files through the use of passwords and encryption. Text-based
documents could use WinZip or something similar. This is a type of file-level encryption
provided by a particular application and is separate from any operating-system-level encryption
options.

File, Folder or Container

Folder encryption allows you to encrypt all files in the folder. All files dropped into this folder
are then encrypted; files dragged out of the container are unencrypted. Generally, when using
file and folder encryption, you are using the features of the operating system. Typically, the
operating system shields you from the management of the password by using the password you
use to log in to your computer.

USB
USB encryption is similar to folder encryption in that all files on the USB device are encrypted. All
files dropped into the container are encrypted; files dragged out of the container are unencrypted. A
wide variety of USB encryption mechanisms exist, including using modern operating system
features, buying USB devices that are encrypted, and using third-party tools.

Full disk
The term full disk encryption (FDE), or whole disk encryption, is used to signify that everything on
a disk is encrypted. With FDE, data is encrypted automatically when it is stored on the hard disk and
decrypted when it is read from the disk. This includes operating system files as well as user
documents. Most operating systems do not have true full disk encryption capability, with the exception
of Windows 7's BitLocker feature; otherwise third-party products are used for full disk encryption.


EFS works by encrypting a file with a bulk symmetric key, also known as the File Encryption Key, or FEK.
It uses a symmetric encryption algorithm because it takes less time to encrypt and decrypt large
amounts of data than if an asymmetric key cipher is used. The symmetric encryption algorithm used will
vary depending on the version and configuration of the operating system; see Algorithms used by
Windows version below. The FEK (the symmetric key that is used to encrypt the file) is then encrypted
with a public key that is associated with the user who encrypted the file, and this encrypted FEK is
stored in the $EFS alternate data stream of the encrypted file.

To decrypt the file, the EFS component driver uses the private key that matches the EFS digital
certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. The
EFS component driver then uses the symmetric key to decrypt the file. Because the encryption and
decryption operations are performed at a layer below NTFS, it is transparent to the user and all their
applications.

Folders whose contents are to be encrypted by the file system are marked with an encryption attribute.
The EFS component driver treats this encryption attribute in a way that is analogous to the inheritance
of file permissions in NTFS: if a folder is marked for encryption, then by default all files and subfolders
that are created under the folder are also encrypted. When encrypted files are moved within an NTFS
volume, the files remain encrypted.

However, there are a number of occasions in which the file could be decrypted without the user
explicitly asking Windows to do so. Files and folders are decrypted before being copied to a volume
formatted with another file system, like FAT32. Finally, when encrypted files are copied over the
network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network.
The most significant way of preventing the decryption-on-copy is using backup applications that are
aware of the "Raw" APIs. Backup applications that have implemented these Raw APIs will simply copy
the encrypted file stream and the $EFS alternate data stream as a single file. In other words, the files are
"copied" (e.g. into the backup file) in encrypted form, and are not decrypted during backup.
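The decrypt-on-copy cases above (non-NTFS destination, SMB share) and the per-user wrapped FEK in the $EFS stream can be checked from an administrator's shell before data is moved. The script below is an added example, not code from the original page, Microsoft or Hacking-Lab; it assumes Windows PowerShell 3 or later, cipher.exe on PATH, and uses placeholder paths.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell 3+
# and cipher.exe (ships with Windows). Paths in the usage calls are placeholders.

function New-EfsResult($Source, $Encrypted, $Safe, $Reason) {
    [pscustomobject]@{ Source = $Source; Encrypted = $Encrypted; Safe = $Safe; Reason = $Reason }
}

function Test-EfsCopyIsSafe {
    # Reports whether copying $Source to $Destination keeps the EFS ciphertext,
    # or whether EFS would silently decrypt it (non-NTFS volume or SMB share).
    # Both paths are expected to be absolute.
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination
    )
    $item = Get-Item -LiteralPath $Source
    $flag = [System.IO.FileAttributes]::Encrypted
    if (($item.Attributes -band $flag) -ne $flag) {
        return New-EfsResult $Source $false $true 'source file is not EFS-encrypted'
    }
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Destination))
    if ($root.StartsWith('\\')) {
        # UNC path: EFS decrypts the data before it leaves the host over SMB/CIFS
        return New-EfsResult $Source $true $false "destination $root is an SMB share; file is decrypted before it is sent"
    }
    $format = (New-Object System.IO.DriveInfo $root).DriveFormat
    if ($format -ne 'NTFS') {
        return New-EfsResult $Source $true $false "destination volume is $format, not NTFS; file would be silently decrypted on copy"
    }
    return New-EfsResult $Source $true $true 'destination is NTFS; encrypted data and $EFS stream are preserved'
}

function Find-EfsFiles {
    # Inventories EFS-encrypted files under a folder (the files an unsafe copy would expose).
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Attributes Encrypted | Select-Object FullName, Length
}

function Get-EfsDecryptors {
    # Lists the user certificates (and any recovery agent) that hold a wrapped copy
    # of the file's FEK, i.e. everyone who can decrypt it. Wraps cipher.exe /c.
    param([Parameter(Mandatory)] [string] $Path)
    & cipher.exe /c $Path
}

# Usage with placeholder paths:
Find-EfsFiles -Path 'C:\Secret'
Test-EfsCopyIsSafe -Source 'C:\Secret\plan.docx' -Destination 'E:\plan.docx'
Get-EfsDecryptors -Path 'C:\Secret\plan.docx'
```

A Safe = $false result is the cue to use a Raw-API-aware backup tool or an NTFS destination instead of a plain copy.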
Forgetting Passwords

Encryption requires a password to encrypt and decrypt the file. People who use common words
such as "love" or their spouse's name for a password at their ATM or for signing in to an email
account may do so because they are afraid of forgetting the password. A disadvantage of
encrypting files is that if you forget the password that you used, you may never be able to recover
the data. If you use a password that is easy to guess, your encrypted data is less secure.

Raising Suspicions

If you use encryption to protect your information on your computer at work or at home, it could
raise suspicions. Your boss may wonder why you are keeping certain files inaccessible. Could
they be the latest version of your resume or company secrets that you are trying to remove
from the building? At home, a significant other may want to know what terrible secrets you are
keeping that require you to encrypt files on your computer.

Developing a False Sense of Security

Today's encryption scheme may be difficult for people to crack, but advances in computer
technology and software development could eventually make it child's play to unlock your
encrypted files in the future. A disadvantage of encrypted files is that relying on them to keep
things secret could lull you into a false sense of security. A determined person may marshal
overwhelming computer resources to decrypt your secret files.

Requiring Cooperation

Using encrypted files that are designed to be opened and shared by two or more people can be
disadvantageous when one or more participants finds it a burden to use encryption. For
example, if you and a distant colleague are collaborating on a project that you need to keep
secret, you might encrypt files each time you send them over, but your colleague may think it is
tedious to take the time to encrypt and decrypt files. You will either have to cite company policy
about secrecy or appeal to his sense of cooperation.

Microsoft implemented the Encrypting File System (EFS) in Windows XP, so a Windows XP user can
save his files encrypted on the hard disk.
In this wargame you are trying to decrypt and read the content of an EFS-protected file, which is a
tricky task even for the local administrator.
Hacking-Lab has created a Windows XP VMware image for this task and created a file with the EFS
method in the Offline Folder. The Offline Folder is an XP folder which synchronizes automatically
with the file server in the company as soon as the user is "connected". Roughly speaking, the Offline
Folder mechanism is something similar to Linux rsync, but it is automatically integrated into the
filesystem.
