NTFS EFS Decryption 05 - Decrypting DATA with AES-256 FEK

1.2K views
Mar 27, 2020
19:58

Video Timeline:
0:40 Overview of AES
5:04 How does EFS use the AES cipher?
6:45 OpenSSL command to decrypt AES
7:53 Fixing OpenSSL errors: "wrong final block length"
10:59 Fixing OpenSSL errors: "EVP_DecryptFinal_ex: bad decrypt"
12:23 The initialization vector problem
14:20 Overview of XOR and using it to find the IV
17:21 Getting the IV from an open-source implementation of EFS decryption

All the files used in this demo are available here: https://github.com/diyinfosec/YT_Exercises/tree/master/NTFS_EFS_Decryption

AES specification (FIPS): https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf
Padding schemes: https://www.cryptosys.net/pki/manpki/pki_paddingschemes.html
Microsoft support article on how AES is used by EFS: https://support.microsoft.com/en-us/help/2739159/files-are-corrupted-after-you-encrypt-them-with-ecc-certificates-by-us
GitHub issue with icat for dumping an encrypted attribute: https://github.com/sleuthkit/sleuthkit/issues/1798
OpenSSL "EVP_DecryptFinal_ex: bad decrypt" reference: https://stackoverflow.com/questions/34304570/how-to-resolve-the-evp-decryptfinal-ex-bad-decrypt-during-file-decryption/34308841
IV used by EFS for AES encryption: https://github.com/nats/ntfsprogs/blob/master/ntfsprogs/ntfsdecrypt.c#L1315
