An Encryption File System Computer Science Essay


Microsoft introduced the Encrypting File System (EFS) with Windows 2000. When enabled, EFS is designed to encrypt data stored on NTFS (Windows NT File System) volumes to protect the data from theft. To access encrypted data, the user must have the correct keys to view the data. EFS is enabled in all versions of Windows meant for professional use from Windows 2000 onwards. Here we will discuss EFS in the Windows XP operating system.

The Windows XP operating system is designed with a Control Panel that allows customization of the computer's settings and appearance, including user accounts, to be done as securely as possible. It also has features that cannot support users sharing files on Windows XP; that can be done simply by customizing user accounts, either by setting a password or by hiding a file/folder.

EFS provides a solution to this. You can now share confidential access to encrypted files under Windows XP Professional. This shared access applies only on a file-by-file basis; it does not apply to folders. To grant other users access to an encrypted file, each user must have already encrypted at least one file or folder previously so that either the local Windows XP system or the Active Directory domain has issued the user an EFS-compatible certificate.

To add or remove users for shared access to encrypted files, you must be the original user who encrypted the file or you must be one of the users already listed as having shared access to the file.

To share access to an encrypted file with one or more other users the following steps should be followed:

1. Right-click a file that you have already encrypted under EFS and select Properties.

2. Click the Advanced button from the General tab.

3. Click the Details button to display the Encryption Details dialog box for the encrypted file.

4. Click the Add button to display the Select User dialog box.


5. Click the user with whom you want to share access to this file and then click OK.

6. Click OK to close the Encryption Details dialog box.


c) Windows XP performs revocation checking on all certificates for users when they are added to an encrypted file

In Windows XP, EFS supports file sharing between multiple users on a single file. This provides an opportunity for data recovery by adding additional users to an encrypted file. Although the use of additional users cannot be enforced through policy or other means, it is a useful and easy method for enabling recovery of encrypted files by multiple users without actually using groups, and without sharing private keys between users.

To encrypt a file for multiple users

1. Open Windows Explorer and select the file you want to encrypt

2. Right-click the chosen file and select Properties from the context menu.

3. Select the Advanced button to enable EFS.

4. Encrypt the file by selecting the Encrypt contents to secure data check box as shown in Figure 1 below. Click OK.

5. Select the appropriate choice and click OK.

6. Click OK to encrypt the file.



To add users

1. Click the Add button as shown in Figure 2 below.

Figure 2

2. Click the Find User button to find new users as shown in Figure 3 below.

Figure 3

Revocation Checking

Windows XP and Windows Server 2003 now perform revocation checking on all certificates for other users when they're added to an encrypted file. For performance reasons, users that hold a private key and recovery agent certificates are not checked for revocation; they are only verified for time validity. If the user does not chain to a trusted root certificate, or the certificate is not installed in the Trusted People certificate store, the user will be warned before adding the certificate. If the revocation status check on a certificate fails, the messages shown in the figure below will be displayed and the certificate will not be used.


Figure: Failed check of certificate revocation status



d) Different results can occur when moving or copying encrypted files between locations

Copying, Moving and Saving Encrypted Files

Because of the unique nature of encrypted files, different results can occur when moving or copying encrypted files between locations. For example, when copying an encrypted file from a local machine to a server on the network, different results of the copy operation will occur depending on the operating system being used on the server. In general, copying a file will inherit the EFS properties of the target, but a move operation will not inherit the EFS properties of the target folder.

When copying an encrypted file:

• If using Windows XP or Windows Server 2003, the user will be warned and prompted to allow the decryption operation.

The Windows XP Professional client contains some enhancements in the area of copying encrypted files. Both the shell interface and the command-line now support an option to allow or disallow file decryption. When an encrypted file is copied to a target location that does not allow remote encryption, the user will be prompted with a dialog box that allows a choice of whether or not to decrypt the file.

e) Once EFS uses a certificate, it is cached on the local machine.

Certificate Caching

Once EFS uses a certificate, it is cached on the local machine. This eliminates the need for looking up users in Active Directory every time a new user is added to an encrypted file. Certificates that are part of a certificate chain, and self-signed certificates, can be used and cached. When a user certificate that is part of a certificate chain is added to an encrypted file, the certificate will be cached in the current user's "Other People" certificate store as shown in Figure 9 below.

Figure 9: Caching User certificate in "Other People" certificate store



f) You must be logged on as an administrator to perform these steps.

The increased functionality of EFS has significantly enhanced the power of the Windows XP Professional client. Windows XP Professional now provides additional flexibility for corporate users when deploying security solutions based on encrypted data files and folders. These new features include:

• Full support for revocation checking on certificates used when sharing encrypted files

• Support for EFS with Windows Server 2003 clusters

• Alternate colour support (green) for encrypted files to easily locate and verify protected files

• Support for encrypted offline folders in Windows XP

• Multi-user support for encrypted files in the shell user interface (UI)

• Support for Microsoft Enhanced and Strong cryptographic service providers (CSPs)

• Additional support for enhanced algorithm options and strengths

• End-to-end encryption using EFS

• Enhanced recovery policy flexibility

• Performance and reliability enhancements

• Additional security features for protecting EFS data

All these tasks and steps need to be performed by an EFS security expert, whom we prefer to call the administrator, because he/she was the one who set everything up in the first place and who will be in charge of controlling and maintaining the whole system.

g) You can lose access to encrypted files if you install a new operating system or upgrade your current one, or if the current operating system fails. What steps can help you regain access to encrypted files?

Central Recovery Workstation

The best practice and most secure mechanism for data recovery is to use a central recovery workstation in the enterprise. This may be performed by using a backup utility to perform a raw backup of the encrypted files and then restoring those files on a central recovery machine. The private keys may be stored on the recovery machine or imported as necessary. This method is valuable for organizations that maintain a single central machine for recovery. Maintaining a secure central recovery console ensures that the private key is never exposed or compromised by machines that may have untrusted code running during the recovery process. However, the loss or corruption of the private keys can be potentially catastrophic for an organization.

An expired certificate (private key) can still be used to decrypt files; however, new or updated files cannot use the expired certificate (public key). When an organization has lost either the private keys or the certificate, the best practice is to immediately generate one or more new certificates and update the Group Policy or Policies to reflect the new certificates. When users encrypt new files or update existing encrypted files, the files will automatically be updated with the new public keys. It may be necessary for an organization to encourage users to update all existing files to reflect the new certificates.

Cookies and Uniform Resource Locator History

A cookie, also known as a web cookie, browser cookie, and HTTP cookie, is a piece of text stored on a user's computer by their web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.

a) Describe how these files are different from other files on your machine? Discuss the manner in which these files are used by the system and also explain privacy implications of each of them if any

• These files can be set manually using Hypertext Preprocessor (PHP) code

1. An example of how you can set a cookie manually is as follows

Go to a text editor and write the following code

<?php
setcookie('my_colour_eyes', 'green'); // must be called before any output is sent
echo '<a href="read_from_cookie.php">Click here</a>';
?>

2. Save the text file as Save_cookie.php in the www folder of WAMP (Windows, Apache, MySQL, PHP) and open it via localhost to view the cookie

• Unlike other files, cookies may be used to maintain data related to the user during navigation, possibly across multiple visits.

• Cookies may be used to remember information about a user who has visited a website in order to show relevant content in the future.

• Tracking cookies may be used to track internet users' web browsing habits.

• Unlike other files, cookies are arbitrary pieces of data chosen by the web server and sent to the browser.

• As they can be set manually, unlike any other files, cookies can be disabled, enabled, deleted and searched.

b) Print a list of sample entries of each type from the hard disk of your PC created through your browsing and explain the contents as far as possible

Most of them are images and other large files such as videos and audio, stored so that they can be retrieved as quickly as possible when called from a URL; they have different dates and times depending on which sites are visited most and least.


You can also view those cookies and internet files from the browser you are using, for example Internet Explorer or Mozilla Firefox, as shown in the following image

View Cookies

c) Where are these files located? Describe the facilities available in the two main browsers (Internet Explorer and Netscape) for the management of these files.

For Windows XP and Windows 2000 you can find the cookies folder in the following location:

C:\Documents and Settings\[username]\Cookies\

Note: If you have only one user account, you should replace [username] with Administrator.

Netscape Navigator and Microsoft Explorer start fine without a cookies file. Both, on start up, immediately generate one if none is present. Thus, it is perfectly safe to delete any, or all cookies, if that is your preference. Should you take this path, you will not be able to take advantage of the features of cookies like being presented with the initial screen that you prefer or not having to enter an ID and password each time that you access a protected web site. That is your choice.

Once you know where your active cookie file(s) is/are, you can place a delete command in any of several appropriate start-up files, and your cookie file will survive until the next start-up of your PC, Windows or browser, or their shutdown. The preparation of such routines requires a higher than typical degree of skill and the specifics will not be discussed here. If your preference is to not have cookies, but you do not enjoy the interruptions that your browser gives you when you do not allow it to automatically write all cookies, there are numerous products on the market to address this problem. Some of the products address other issues, including cache content.

d) State how you can delete these files from your disk so as to remove traces of your browsing sessions. To what extent is the deletion process effective?

Internet Explorer (all other versions)

Internet Explorer saves cookies in more than one location, depending on the version of the browser and the version of Microsoft Windows being used.

The best way to find and delete them is to close Internet Explorer then use your file management software (such as Windows Explorer) and search for a folder called 'cookies'.

The other option is to follow these steps:

1. Open Internet Explorer

2. Click Tools then Options

3. On the General tab, under Browsing history, click Delete.

4. Click Delete Cookies, and then click Yes.

5. Click Close, and then click OK.


It can also be done through the directory path of the operating system used; for example, in Windows XP and most versions of Windows, cookies are stored on drive C of the computer, as shown in the figure below

In Netscape

In Netscape, all cookies are stored into one file, called Cookies.txt, in the user preferences folder, making them easy to find and delete. The folder can be located by using your file management software to search your hard disk drive for "cookies.txt".

Users of Netscape Navigator 4.x may also stop cookies from being written to the hard drive, by making the cookies file read only. However, even if the browser can't "write" cookies to the hard drive, it can still cache them, and it may create a new cookie file.

Forensic investigators are normally the people who collect and use any evidence necessary for prosecution in a court of law.

If an employee is disciplined or discharged based upon computer or Internet problems, forensic investigators normally use cookies, Uniform Resource Locators and temporary internet files during the process of evidence gathering.

There are many ways evidence can be gathered through this method; the common ones, which are easy to record, involve looking at the operating system functionality available in the following features:

• Browser available or used

• Cache Memory

• Uniform Resource Locators (URLs) and History

• Manual Investigation

• Automated Investigation and Software for Automated Investigations

• Using Proxies

• Using Emails & Spams

There are many ways to do so, but here are the most important methods and tricks that forensic investigators can use to collect the needed evidence in a computer-based case

a) Excessive use of the Internet by a person responsible

b) Visits to banned web sites

c) Use of unauthorised software

a) Excessive use of Internet

Browser available or used

This is a very simple and effective way of using browser features to locate and view cookies for evidence gathering, since all available browsers have a built-in feature for saving and viewing cookies automatically.

This is normally how stored cookies look in many different browsers and how you could view them

Cache Memory

A temporary data storage location, or the process of storing data temporarily. A cache is typically used for quick data access.


A proxy server is a computer that functions as an intermediary between a web browser (such as Internet Explorer) and the Internet. Proxy servers help improve web performance by storing a copy of frequently used web pages. Proxy servers also help improve security by filtering out some web content and malicious software.

Automated Investigation and Software for Automated Investigations

Nowadays automated software is a key factor in any security system because of its performance, and it is also very user friendly.

"Why should I bust my hump when the computer can do it" - Craig Butler

Because most of this software is free or very cheap to download, the most effective tools can be found on these links

b) Visits to banned web sites

Browser available or used

This is a very simple and effective way of using browser features to locate and view cookies for evidence gathering, since all available browsers have a built-in feature for saving and viewing cookies and privacy settings automatically.

Cache Memory

A temporary data storage location, or the process of storing data temporarily. A cache is typically used for quick data access.


A proxy server is a computer that functions as an intermediary between a web browser (such as Internet Explorer) and the Internet. Proxy servers help improve web performance by storing a copy of frequently used web pages. Proxy servers also help improve security by filtering out some web content and malicious software.


Uniform Resource Locators (URLs) and History

Browser features and URLs can be used for information gathering, since URLs can be saved manually or automatically in the browser's available features for privacy or legal matters.

Automated Investigation and Software for Automated Investigations

Nowadays automated software is a key factor in any security system because of its performance, and it is also very user friendly.

"Why should I bust my hump when the computer can do it" - Craig Butler

Because most of this software is free or very cheap to download, the most effective tools can be found on these links

c) Use of unauthorised software

Manual Investigation

This can be conducted by investigators asking the people responsible, or those who were present during the criminal activity, questions that relate to what is being investigated, to find out whether anyone saw a person entering or using unauthorised software, so that they can be sure of what they are collecting and in what manner.

Using Emails & Spams

Windows Mail helps you manage your Inbox to keep it free of unwanted e-mail messages or downloaded software in the following ways:

• The junk e-mail filter is designed to catch obvious unsolicited commercial e-mail messages (often called "spam") and move them to a special Junk e-mail folder. You can increase or decrease the junk e-mail protection level based on how much junk e-mail you receive.

• You can move e-mail messages from the Junk e-mail folder back to your Inbox and collect whatever is needed for investigation.

• You can block messages from specific e-mail addresses by adding them to the Blocked Senders list so as to view them later on.

• You can prevent the blocking of messages from specific e-mail addresses by adding them to the Safe Senders list.

Automated Investigation and Software for Automated Investigations

Nowadays automated software is a key factor in any security system because of its performance, and it is also very user friendly.

"Why should I bust my hump when the computer can do it" - Craig Butler

Because most of this software is free or very cheap to download, the most effective tools can be found on these links

Technological development has brought possibilities to humanity which may have been unimaginable only a few decades ago. Means of communication, doing business and performing research and development have changed dramatically. Enhancements in terms of data transfer, processing capacity and storage are evident and constantly drive development towards new fields of application. Although technological progress is accelerating, it is likely that contemporary technology is not yet used at its peak capacity.


The purpose of this thesis is to identify and analyse the security imbalance created in the following Information Technology systems, which have emerged and are now used in many organisations.

a) Privacy and surveillance

b) ID cards and security

c) Voting Technology and Security

a) Privacy and surveillance

A growing number of organisations are adopting wide-ranging surveillance programs on the basis of new security policy agendas. Concurrently, contemporary information technology has brought an increasing proportion of the private sphere under the global network umbrella. These developments place the delicate balance between privacy and surveillance on the edge.

The security imbalances that can be found are:

1. They invade privacy - People are very much against this because it steps on their privacy and that they are viewed by others without their consent.

2. They are stationary - This equipment is steady in its place so there is no possibility for an offender to be caught if he knows there is a surveillance camera around. The offender can simply avoid passing in front of the camera.

3. Interference in signal - When there is an object between the camera and its subject, recording it becomes a failure.

4. It becomes useless once it has a scratch - Sometimes, this results in a waste of capital or money.

5. Audibility is a problem sometimes - This happens when the subject moves out of range of the equipment. Voices become inaudible.

b) ID cards and security

Basically, we will look in more detail at the scanners rather than the ID cards, since the whole point of an identification card relies on scanners.

Types of ID cards scanners, their advantages and disadvantages

Electronic data capture (EDC) scanners: These scanners, commonly used for credit card authentication, read the information contained in the magnetic stripes found at the back of the credit card and transmit it to a central database which then gives clearance on the credit card.

They are the most basic type of card scanners. One of their disadvantages is that they can easily be hacked into. Also, they have very little storage space to fit in all the necessary data.

2D barcode readers: 2D barcode card readers or barcode scanners are based on the same principle as the EDC machines. The advantage that a 2D barcode reader has over the EDC machine is that, as 2D barcodes contain more data than magnetic strips, a 2D barcode scanner verifies the additional data, making the security system a little tighter.

Contact smart card scanners: They are used to read smart cards by making physical contact between the chip and the scanner, hence the name contact smart card scanner. These smart card scanners are quite expensive compared to the previous two types. This is one drawback of using smart card technology.

Contact-less or proximity smart card scanners: A contact-less smart card reader does not make physical contact with the chip on the card; here the contact is established by using RFID (Radio Frequency Identification) technology. Since there is no physical contact between the card and the scanner, there is no wear and tear, either of the card or of the scanner.

The proximity smart card reader picks up the radio waves emitted by the RFID tags in the card and carrying the cardholder's information, and determines whether or not an access should be granted to a facility or an activity.

Apart from being terribly expensive, contact-less smart card scanners have one more drawback. In principle, a sophisticated thief with a sophisticated reading machine can scan through the information on a card from a distance (maybe just standing behind you) and use it for his own benefit. ID card software thus has its drawbacks.

c) Voting Technology and Security

Electronic voting (also known as e-voting) is a term encompassing several different types of voting, embracing both electronic means of casting a vote and electronic means of counting votes. Electronic voting technology can include punched cards, optical scan voting systems and specialized voting kiosks (including self-contained direct-recording electronic voting systems, or DRE). It can also involve transmission of ballots and votes via telephones, private computer networks, or the Internet.

Analysis of electronic voting

Electronic ballots - Electronic voting systems may use electronic ballots to store votes in computer memory. Systems which use them exclusively are called DRE voting systems.

They argue further, the cost of software validation, compiler trust validation, installation validation, delivery validation and validation of other steps related to electronic voting is complex and expensive, thus electronic ballots are not guaranteed to be less costly than printed ballots.

Accessibility - Electronic voting machines can be made fully accessible for persons with disabilities. Punched card and optical scan machines are not fully accessible for the blind or visually impaired, and lever machines can be difficult for voters with limited mobility and strength.

Transparency - It has been alleged by technicians that a lack of testing, inadequate audit procedures, and insufficient attention given to system or process design with electronic voting leaves elections open to error and fraud.

Audit trails and auditing - A fundamental challenge with any voting machine is assuring that the votes were recorded as cast and tabulated as recorded. That is still a big problem and has a lot of risks associated with it.

Hardware - Inadequately secured hardware can be subject to physical tampering.

Software - Software used could be duplicated or hacked by malicious people.

Recommendations for improvement

• Increase security requirements for voting systems and expand access, including opportunities to vote privately and independently, for individuals with disabilities.

• To reduce the potential for fraud, all electronic voting systems must be completely available to public scrutiny.

• Requirement for use of open public standards and specifications such as the Election Mark-up Language (EML). These can provide consistent processes and mechanisms for managing and performing elections using computer systems.

In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behaviour, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited.

Buffer overflow attacks aim to alter the execution of a vulnerable program by copying data to a variable in such a way that the original storage capacity is exceeded. This may cause excess data to spill over the unallocated address space and overwrite the pointer to the next instruction after the function call. However, in order to deploy the attack successfully, execution must be accurately diverted to the attacker's arbitrary code. To do so, the attacker might develop a program, which can assemble the different components of the malicious buffer. Moreover, because the location of the vulnerable program in address space is determined at runtime, certain characteristics of the malicious buffer should be approximated in the code.

Programming languages commonly associated with buffer overflows include C and C++ (e.g. Mac OS X), which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array.

Technical description

A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. Most commonly this occurs when copying strings of characters from one buffer to another.


The techniques to exploit a buffer overflow vulnerability vary per architecture, operating system and memory region. These vulnerabilities may be divided into three types, namely

a) Stack overrun

b) Heap overrun

c) Array indexing error

a) Stack overrun

A technically inclined and malicious user may exploit stack overrun to manipulate the program in one of several ways:

• By overwriting a local variable that is near the buffer in memory on the stack to change the behaviour of the program which may benefit the attacker.

• By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user input filled buffer.

• By overwriting a function pointer, or exception handler, which is subsequently executed.

Example of a stack overrun

(i) A simple vulnerable program that omits the data integrity check;

(ii) The stack layout after this program is started;

(iii) The malicious buffer overflow, which overwrites the return address with the attacker's desired return address.

The size of "character" is assumed 1 byte and the size of "long" is assumed 4 bytes. If the buffer overflow in the stack overwrites the return address, the execution of a program can be diverted to any arbitrary code. This is particularly dangerous if the program runs with super user privileges.

In order to deploy a successful overflow, the attacker should create a malicious buffer, which (1) contains a shell code and (2) overwrites the return address and gains control.

Shell code provides the assembly of instructions that spawn a root shell or adds a root privileged user. Since the address of the unchecked variable is determined at runtime, estimating the address of the first instruction in shell code is crucial (i.e. jumping elsewhere in the shell code will have an undetermined outcome). To increase the chance of success of the malicious buffer, two supplementary components are added to the shell code. First, the end of the shell code is flooded with the desired return address.

by determining the address of the current stack pointer (ESP) and appending a suitable offset. Since the desired return address is an approximation and it is important to jump to the first instruction of the shell code, the head of the malicious buffer is filled with a special purpose instruction called "no operation" or NoOP, which is used to intentionally waste computational cycles.

Also note that these vulnerabilities are usually discovered through the use of a fuzzer.
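The missing bounds check behind the stack overrun described above, next to its corrected form, as an added example that is not part of the original essay. The 8-byte buffer, the 4-byte adjacent value, the marker bytes and all function names are assumptions; the frame is modelled as a 12-byte array so the overwrite of the neighbouring value can be observed without the program itself corrupting memory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame in the text: an 8-byte character buffer
 * followed directly by a 4-byte value (1-byte characters, 4-byte long).
 * Sizes, names and the marker bytes are assumptions for this example. */
#define BUF_SIZE   8
#define ADJ_SIZE   4
#define FRAME_SIZE (BUF_SIZE + ADJ_SIZE)

struct frame {
    unsigned char mem[FRAME_SIZE]; /* mem[0..7] buffer, mem[8..11] adjacent value */
};

static const unsigned char ADJ_INIT[ADJ_SIZE] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Clear the buffer and place the known marker in the adjacent value. */
void frame_init(struct frame *f)
{
    memset(f->mem, 0, BUF_SIZE);
    memcpy(f->mem + BUF_SIZE, ADJ_INIT, ADJ_SIZE);
}

/* Returns 1 while the value next to the buffer still holds its marker. */
int adjacent_intact(const struct frame *f)
{
    return memcmp(f->mem + BUF_SIZE, ADJ_INIT, ADJ_SIZE) == 0;
}

/* Models strcpy(buffer, input): the copy length is taken from the input
 * alone and never compared with BUF_SIZE. The clamp to FRAME_SIZE only
 * keeps this demo inside its own model; it is not a mitigation.
 * Returns how many bytes landed beyond the buffer. */
size_t copy_unchecked(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;       /* characters plus terminating NUL */
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(f->mem, input, n);
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

/* Corrected form: the length, including the NUL, is checked against the
 * buffer size and oversized input is rejected before any byte is written. */
int copy_checked(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > BUF_SIZE)
        return -1;
    memcpy(f->mem, input, n);
    return 0;
}

/* Returns 1 if the unchecked copy of input damaged the adjacent value. */
int unchecked_corrupts(const char *input)
{
    struct frame f;
    frame_init(&f);
    copy_unchecked(&f, input);
    return !adjacent_intact(&f);
}

/* Returns 1 if the checked copy of input damaged the adjacent value. */
int checked_corrupts(const char *input)
{
    struct frame f;
    frame_init(&f);
    copy_checked(&f, input);
    return !adjacent_intact(&f);
}

int main(void)
{
    /* Constructed inputs: fits, exactly BUF_SIZE characters, clearly too long. */
    const char *inputs[] = { "user", "AAAAAAAA", "AAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-12s unchecked corrupts=%d  checked corrupts=%d\n",
               inputs[i], unchecked_corrupts(inputs[i]),
               checked_corrupts(inputs[i]));
    }
    return 0;
}
```

An input of exactly 8 characters already damages the neighbouring value in the unchecked version, because the terminating NUL is the ninth byte written.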

b) Heap overrun

A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage and uses the resulting pointer exchange to overwrite a program function pointer.

Example of a Heap overrun

Microsoft's GDI+ (Graphics Device Interface) vulnerability in handling JPEGs (Joint Photographic Experts Group) is an example of the danger a heap overrun can present.

c) Array Indexing error

An array is a list of values referred to by a single name. Arrays make it easy to access a list of related values. They can store lists of names, values, or objects. Whenever you want to hold a list of values in memory for further processing or display, an array is an appropriate data structure.

The set Index method replaces a value in the sorted list. The Index requires two arguments, the numeric index to set and the value associated with that index.

The error occurs when the code tries to access an element of the array that does not exist. That non-existent array code is normally created by a hacker so that it can keep the server or client computer busy and use any opportunity to harm the system while the system is busy.

Example of an Array Indexing Error

An array indexing error can occur when office programs, for instance Microsoft Access or Microsoft Excel, try to locate data in the database that does not exist.