Encryption Filling System EFS Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Encryption is the process of hiding or changing completely the original meaning of information for security purposes. It is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. Encryption is used for encoding data not to be used by an outsider. EFS is a feature of an operating system (windows XP) that allow to store information on a hard disk and in an encryption form.

Authorizing Multi-User Access to Encrypted Files where users can share encrypted files with other local, domain, and trusted domain users. Authorizing user access to encrypted files is a separate process from sharing files for network access by using share-level security and access control lists. Because there is no method to issue a certificate for a group, only individual user accounts can be authorized for access to an

encrypted file. Groups cannot be authorized for access. You cannot issue a certificate to a group as certificates must be issued to security principles that represent an object that authenticates to the directory service (e.g. users or machines - not groups)

Support for multiple users on folders is not provided in windows XP but EFS does support file sharing between multiple users on a single file.

This is because it diverse from Windows XP because EFS states that the users who will be authorized to access the encrypted file must have EFS certificates. These certificates can be located in roaming profiles or in the user profiles on the computer on which the file to be shared is stored, or they can be stored in and retrieved from Active Directory. Since you do not have EFS encryption on a folder, you may mark a folder as encrypted - you are actually just saying that all files within that folder are to be encrypted individually. As you can see if you look at the advanced attributes of an EFS "encrypted" folder the Details button is grayed out so you cannot add any other users to the folder. EFS functions at the file level.

Windows XP performs revocation checking on all certificates for users when they're added to an encrypted file.

Instead of sending the complete access key to another user, you can also set access permissions on individual files residing on EFS. For performance reasons, users that hold a private key and recovery agent certificates are not checked for revocation, they are only verified for time validity. However, user certificates that do not contain a CDP (Certificate Revocation List Distribution Point) extension (such as those from some 3 rd party CAs) will not be validated for revocation status when added to a file. If the user does not chain to a trusted root CA certificate, or the certificate is not installed in the Trusted People certificate store, the user will be warned before adding the certificate. If the revocation status check on a certificate fails, the messages shown in Figure below will be displayed and the certificate will not be used.


Figure : Failed check of certificate revocation status

If the user selects to add a certificate that does not chain to a trusted root certificate authority, it will not be added:

If the user selects to add a self-signed cert that was installed by another user on the same machine, the user will be allowed to add it if they choose "Yes":

If the revocation status and chain building completed successfully, the user will be added to the dialog box and the file updated

Different results can occur when moving or copying encrypted files between locations.

The Windows XP Professional client contains some enhancements in the area of copying encrypted files. Both the shell interface and the command-line now support an option to allow or disallow file decryption. When an encrypted file is copied to a target location that does not allow remote encryption, the user will be prompted with a dialog box that allows a choice of whether or not to decrypt the file.

Because of the unique nature of encrypted files, different results can occur when moving or copying encrypted files between locations. For example, when copying an encrypted file from a local machine to a server on the network, different results of the copy operation will occur depending on the operating system being used on the server. In general, copying a file will inherit the EFS properties of the target, but a move operation will not inherit the EFS properties of the target folder.

Once EFS uses a certificate, it is cached on the local machine.

Certificates are usually provided for you automatically, they are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. If roaming user profiles are not used, multiple certificates may be available on the user account and subsequently, not available when encrypting files on some servers. Note that machine certificates (denoted by a machine name with a $ extension) may be displayed in this User Interface (UI) if encrypted offline folders is in effect on the local machine.

You must be logged on as an administrator to perform these steps.

You must be logged on to a domain that has an enterprise certification authority to request a new certificate. Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. These steps only work to request a certificate from an enterprise certification authority. These steps are:


Create user

Install program

Revoke certificate

Changing policy

You can lose access to encrypted files if you install a new operating system or upgrade your current one, or if the current operating system fails.

Operating system can become a problem when updated on changed to encrypted files resulting to loosing access to encrypted files but there are some steps to be followed when this happens:

To open encrypted files stored on a system partition after re-installing the operating system, follow the steps below to re-install your original certificate and key. OR. To recover encrypted files stored on an external hard disk, connect the hard disk to the new computer. OR. To recover encrypted files that are stored on a different partition from your operating system, move the encrypted files to a computer that is working or install a functional operating system on the current computer.

Insert the removable media that your certificate and key are saved on. And Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER.

Click the Personal folder. Click the Action menu, point to All Tasks, and then click Import. This opens the Certificate Import wizard. Click Next.

Type the location of the file that contains the certificate, or click Browse and navigate to the file's location, and then click Next. If you have navigated to the right location but don't see the certificate you are importing, then, in the list next to the File name box, click Personal Information Exchange.

Type the password, select the Mark this key as exportable check box, and then click Next. Do not enable strong private key protection.

Click Place all certificates in the following store, confirm that the Personal store is indicated, click Next, and then click Finish. After you import the certificate, you should have access to the encrypted files.

Task 2


Cookies are certain files containing location path of the previous viewed field that was visited. They are pieces of text stored on a user's computer by their web browser they may be set by the server with or without an expiration date. A cookie is information that a Web site puts on your hard disk so that it can remember something about you at a later time. A cookie, also known as a web cookie, browser cookie, and HTTP cookie, is a piece of text stored on a user's computer by their web browser.

A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data. Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits. Tracking cookies may be used to track internet users' web browsing habits. Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example a web server may send a cookie containing the username last used to log in to a web site so that it may be filled in for future visits. Cookies are not spyware or viruses and they can't read information from a computer neither are cookies the source for pop-ups or spam.

The following are some of the private implications that cookies have:

If a cookie is stolen by another computer that is allowed reading from the network Traffic on a network can be intercepted and read by computers on the network other than the sender and receiver (particularly over unencrypted open Wi-Fi). This traffic includes cookies sent on ordinary unencrypted HTTP sessions. Where network traffic is not encrypted, attackers can therefore read the communications of other users on the network, including HTTP cookies as well as the entire contents of the conversations.

If an attacker was able to insert a piece of script to a page on a certain website, and a victim's browser was able to execute the script, the script could simply carry out the attack. This attack would use victim's browser to send HTTP requests to servers directly; therefore, the victim's browser would submit all relevant cookies, including Http Only cookies, as well as Secure cookies if the script request is on HTTPS

How things Works has a strict privacy policy and does not sell or share any personal information about our readers with any third party except in cases where you specifically tell us to do so (for example, in an opt-in e-mail program). Different sites have different policies. Information is aggregated together and distributed.

URL History Uniform Resource Locator, the global address of documents and other resources on the World Wide Web. A URL is the address of a specific Web site or file on the Internet. It cannot have spaces or certain other characters and uses forward slashes to denote different directories. Some examples of URLs are http://www.cnet.com/. For example, each time you type in a word into the URL address bar, a previously viewed website appears in the drop down menu of your browser. If someone has previously visited www.cnet.com, This URL will show for all URL you enter beginning with the letter "C".

As you can see, not all URLs begin with "http". The first part of a URL indicates what kind of resource it is addressing. Here is a list of the different resource prefixes:

http - a hypertext directory or document (such as a Web page)

ftp - a directory of files or an actual file available to download

gopher - a gopher document or menu

telnet - a Unix-based computer system that you can log into

news - a newsgroup

WAIS - a database or document on a Wide Area Information Search database

file - a file located on your hard drive or some other local drive

The second part of a URL (after the "://") contains the address of the computer being located as well as the path to the file. For example, in "http://www.cnet.com/Content/Reports/index.html," "www.cnet.com" is the address or domain name of the host computer and "/Content/Reports/index.html" is the path to the file. When a address ends with a slash and not something like ".html" or ".php," the Web server typically defaults to a file in the current directory named "index.html," "index.htm," or "index.php." So, if you type in "http://www.apple.com/" and "http://www.apple.com/index.html," you should get the same page. Go ahead and try it if you have nothing better to do.

Internet Temporary Files is the name of a folder (directory) on your hard disk that is used by Internet Explorer to store Web pages, images, audio and video files, and other content from the Web sites that you are visiting. This folder is also known as the cache of Internet Explorer. The cache or Temporary Internet Files are files like graphics, Web pages, cookies, and so forth, that is stored on your computer's hard disk to speed up surfing.

Everyone with access to your computer can look into your Temporary Internet Files folder and see the sites that you have visited in the past. You can manually delete the contents of Temporary Internet Files folder but this will not erase all traces of the pages because a special file called Index.dat is placed in this folder and it will still preserve the names and even the dates of your first visits to many pages.

Print lists of sample entries of each type from my hard drive on my PC.

D:\Documents and Settings\Neema\Local Settings\Temporary Internet Files

Location of the following files:

Cookies in windows XP is, the location of this folder depends on the version of Windows you have.

For Windows XP and Windows 2000 you can find cookies folder in the following location:

C:\Documents and Settings\[username]\Cookies\

Note: If you have only one user account, you should replace [username] with Administrator.

The location of cookies files for Windows ME/NT/98/95:

C:\Windows\Cookies\ (If you don't have Profiles directory)

C:\Windows\Profiles\[username]\Cookies\ (If you have Profiles directory)

Note: on your computer Windows may be installed on another drive or in another directory.

By default, cookies location in Vista:


Note: on your computer Windows may be installed on another drive or in another directory.

Cookies are stored by your browser rather than the operating system, so if you run two different browsers you will have 2 different sets of cookies stored.

For internet explorer you can specify where you want them stored, to find where they are stored Click the tools menu in the menu bar at the top (or the tools button on the right) and select Internet Options. In the Browsing history section of the Internet options menu hit the Settings button. In the settings window it displays the 'current location' of the temporary files (including cookies)

URL history in Windows XP Internet explorer -- D:\Documents and Settings\Neema\Local Settings\History

Internet Temporary Files in Netscape are located at D:\Documents and Settings\Neema\Local Settings\Application Data\Netscape\Navigator\Profiles\r15bjabj.default\Cache

Web History Location in Windows Vista and Windows 7


 OR  C:\Users\\Local\Microsoft\Windows\History\History.IE5\Low\index.dat

This task explains how one can delete these files; the Temporary Internet Files (or cache) folder contains Web page content that is stored on your hard disk for quick viewing. This cache permits Internet Explorer or MSN Explorer to download only the content that has changed since you last viewed a Web page, instead of downloading all the content for a page every time it is displayed.

To delete the files in the Temporary Internet Files folder follow these steps:

Earlier Versions of windows:

Quit Internet Explorer and quit any instances of Windows Explorer.

Click Start, click Control Panel, and then double-click Internet Options.

On the General tab, click Delete Files under Temporary Internet Files.

In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.

Click OK.

Windows 7 and Windows Vista

Click the Start button, click Control Panel, click Network and Internet, and then click Internet Options.

Click the General tab, and then click Delete under Browsing history.

Click Delete all, click Yes to confirm that you want to delete this information, and then click OK.


Click Options.

Click clear Private data

Click clear private data now

Task 3


Forensic Investigators are used to find evidence of data to present on the court of Law. They use URL history, Cookies and temporary Internet files during the process of evidence gathering. This is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information

Let us see the steps necessary to investigate these activities:

Excessive use of Internet

The phproxy.org is "dedicated to bringing you fast web browsing from behind web filters".

Simply tap in the URL of that banned site you really must see, it could be Facebook, MySpace, Youtube, or a renegade blogger behind enemy lines, and you will be able to access it with no problems.

More seriously, the proxy allows you to visit a site anonymously because it is the proxy itself that is visiting the banned site not you, and so keeps your browsing hidden from prying eyes allowing you to protect your online identity.

Such a proxy also allows you to visit sites that have banned your IP. This might be a forum or just a website or blog from which you or other users on your IP range (whether on your school or company network or your ISP account) have been barred access. The proxy server is an open gateway between your web destination and you.

Other proxies exist, such as www.the-cloak.com (please make sure you include the hyphen in that URL or you will be in for a shock), and the proxy.org site provides a shipload more. Of course, we should add a disclaimer at this point, please don't use proxies or anonymizers to break the law or to cause malice and please don't abuse the service as they are usually free.

If the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool) prior to removing an exhibit.

RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate. The length of time for which data recovery is possible is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

Visits to banned web sites

This could be viewed by a common technique used in computer forensics is the recovery of deleted files. Modern forensic software have their own tools for recovering or carving out deleted data. Most operating systems and file systems do not always delete physical file data, allowing it to be reconstructed from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.

Another one is a neat proxy-type hack that I had not previously seen involving Google translation. Usually, one would only wish to translate from one language to another, there would be no point in translating from French to French, or English to English would there? Well, there might be a point. Those translated pages of Google's are essentially a proxy cached version of the original page, so could provide a simple way around nanny filters that block sites with specific adult keywords.

The hack is very simple:

Carry out a standard Google translation. For instance, translate the Sciencetext homepage into French.

Next, go to your browser address bar.

Control-L in Firefox under windows.

Navigate to the fr in the URL and change it to en.

Hit the return key and Google dutifully translates the Sciencetext page from English to English.

Use of an unauthorized software

Software restriction policies are a new feature in Microsoft Windows XP and Windows Server 2003. This important feature provides administrators with a policy-driven mechanism for identifying software programs running on computers in a domain, and controls the ability of those programs to execute. Software restriction policies can improve system integrity and manageability which ultimately lowers the cost of owning a computer.

The purpose of a rule is to identify one or more software applications, and specify whether or not they are allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule. Each rule can include descriptive text to help communicate why the rule was created.

A software restriction policy supports the following four ways to identify software:

Certificate: A software publisher certificate used to digitally sign a file.

Path: The local or universal naming convention (UNC) path of where the file is stored.

Hash: A cryptographic fingerprint of the file.

Zone: Internet Zone

The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Task 4


Technology often creates security imbalance. It makes something cheaper, or more expensive, making your system faster or more time consuming.Technology advances can make some attacks easier, or it can make some defenses easier. Here are some of the technologies:

Privacy and surveillance:

Surveillance is the monitoring of the behavior, activities, or other changing information, usually of people and often in a surreptitious manner. It most usually refers to observation of individuals or groups by government organizations, but disease surveillance, for example, is monitoring the progress of a disease in a community.

Surveillance is very useful to governments and law enforcement to maintain social control, recognize and monitor threats, and prevent/investigate criminal activity. Within a liberal political framework privacy rights are principally and undeniably individualistic, and are, of course, not without their critics. Restricting the activity of the state reduces its ability to intervene to ensure that society is organized more equitably for the weakest groups, or to ensure that a greater balance is struck between individual rights and social responsibilities.

Advantages of installing security cameras

Provides officials with evidence that would not be available otherwise

With constant video monitoring, school officials have access to detailed evidence of any suspicious or criminal activity.


Acts as a crime deterrent

It is a proven fact that people are less likely to commit a crime if they know that they are being watched. If students are aware of the fact that their school is being monitored, vandalism and other acts of violence may be greatly reduced. In addition, in the event a crime is caught in action, emergency officials will be better able to contain the situation.


Instills a sense of security for both parents and students

It is a comfort to many to know that their school is being monitored on a daily basis. Care must be taken though to ensure that video footage is actually being monitored on a regular and timely basis. A sense of security can be dangerous if the security measures implemented are not being properly utilized.

Disadvantages of installing security cameras

Set-up and maintenance costs can be too prohibitive

There is a definite cost involved to purchasing, installing, and monitoring security surveillance cameras. While this can be a definite hindrance to some school districts, it is important to research all of your options before you completely dismiss the idea due to cost concerns. The cost of surveillance equipment has dropped dramatically over recent years, and many systems require very little effort to install and maintain. With a little bit of research, this drawback may be easily overcome.


Invasion of privacy rights may pose legal liability

It would be wise to investigate any potential legal concerns your school could face by installing surveillance equipment. Any risks of potential privacy violations can be avoided with a clear understanding of where and how security cameras can be installed.

Due to this Technology; For Managers it will need more cost to buy system and hire personnel. It is a disadvantage for employees because they get Loss their privacy and Make distrust in work relationship.

ID Cards and Security

Identification Cards are the card which Identifies you to a certain location performing a certain task. They simply proves your Identity in writings. This could be Voters Id, national ID, insurance card, Work Id, Passport etc. Lets have a look at a voter's Id, this is the identification that you qualify to vote for a certain leader in the government.

A voter identification card offers a number of advantages:

It is a reliable form of identification.

It serves as acknowledgement that the voter is duly registered.

It may include several identifying features (e.g. photograph, signature, fingerprints) to provide greater assurance that the voter is who he or she claims to be.

It may be marked when the voter has obtained a ballot, preventing multiple voting.

It can be designed to be suitable for an electorate with a low literacy rate.

It can be an effective form of identification where many voters have no fixed address.

It facilitates voting in areas where a voter may not be known personally.

It can be issued together with voter education material.

In addition, there may be other, less tangible reasons for favouring voter identification cards. For example, according to a study of photo ID cards, the cards were said to convey to voters a feeling of pride in their right to participate in the electoral process.

The voter identification card has a number of disadvantages:

It may be very costly to produce and update. This is not always the case, but costs rise as security features are added and the card comes to be regarded as the primary piece of identification held by citizens.

The high costs must be borne by the government, the voter or both. If the cost is passed on to the voter, a lower proportion of eligible voters will obtain a card.

It can be lost or stolen.

A significant administrative structure must be in place to produce the cards.

It must be produced with appropriate technology. If there is no electricity at the registration and card-issuing sites, cards may be sealed with a cold laminate or may be unsealed.

Some voters will arrive at the polling station without their card. Procedures must be developed to deal with this situation.

It must be updated periodically. Cards wear out over time and the pictures on them become dated. Hence the need for a system to replace cards regularly.

The election authority must have a reliable system for delivering cards. Ideally the card should be produced when the voter registers, but this may not be practical or feasible.

Voting Technology and Security

Electronic voting machines represent a grave threat to fair and accurate elections. To understand the security of electronic voting machines, you first have to consider election security in general. The goal of any voting system is to capture the intent of each voter and collect them all into a final tally.


Minimizing the number of steps,

Increasing the reliability of each step.

The problem is software programs that are hidden from view and cannot be verified by a team of Republican and Democrat election judges, programs that can drastically change the final tallies. And because all that's left at the end of the day are those electronic tallies, there's no way to verify the results or to perform a recount. Recounts are important.

And therefore due to all this research, I would go for Privacy and surveillance because it has few disadvantages.

Task 5


Vulnerabilities are weaknesses that can lead your system to be attacked by malicious people like the attackers. An example of how this can occur is by e.g. not updating softwares, not updating the ant viruses. Buffer overflows are a favorite exploit for hackers. The vast majority of Microsoft's available patches fix unchecked buffer problems -- but what about applications developed in-house? They are just as susceptible as commercial applications to buffer-overflow attack. It is therefore critical that you understand how they work and perform vulnerability testing on your home-grown applications prior to deployment.

A buffer overflow is an exploit that takes advantage of a program that is waiting on a user's input.

. :

Stack overrun: However, a stack does not have an infinite potential size. The programmer who develops the code must reserve a specific amount of space for the stack. If the user's input is longer than the amount of space reserved for it within the stack, then the stack will overflow. This in itself isn't a huge problem, but it becomes a huge security hole when combined with malicious input.

For example, suppose a program is waiting for a user to enter his or her name. Rather than enter the name, the hacker would enter an executable command that exceeds the stack size. The command is usually something short. In a Linux environment, for instance, the command is typically EXEC("sh"), which tells the system to open a command prompt window, known as a root shell in Linux circles.

Heap Overrun: It attacks flood the memory space reserved for a program, but the difficulty involved with performing such an attack makes them rare. heap overflow is a type of buffer overflow that occurs in the heap data area. Heap overflows are exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses the resulting pointer exchange to overwrite a program function pointer.

A heap overrun is much the same problem as a stack-based buffer overrun, but it's somewhat trickier to exploit. As in the case of a stack-based buffer overrun, your attacker can write fairly arbitrary information into places in your application that she shouldn't have access to. One of the best articles I've found is w00w00 on Heap Overflows, written by Matt Conover of w00w00 Security Development (WSD). You can find this article at w00w00.org/files/articles/heaptut.txt. WSD is a hacker organization that makes the problems they find public and typically works with vendors to get the problems fixed. The article demonstrates a number of the attacks they list, but here's a short summary of the reasons heap overflows can be serious:

Many programmers don't think heap overruns are exploitable, leading them to handle allocated buffers with less care than static buffers.

Tools exist to make stack-based buffer overruns more difficult to exploit. StackGuard, developed by Crispin Cowan and others, uses a test valueвЂ"known as a canary after the miner's practice of taking a canary into a coal mineвЂ"to make a static buffer overrun much less trivial to exploit. Visual C++ .NET incorporates a similar approach. Similar tools do not currently exist to protect against heap overruns.

Some operating systems and chip architectures can be configured to have a nonexecutable stack. Once again, this won't help you against a heap overflow because a nonexecutable stack protects against stack-based attacks, not heap-based attacks.

Array Indexing error: are much less commonly exploited than buffer overruns, but these represent just an array of characters, and arrays of other types could also be used to write to arbitrary memory locations. A typical way to be attacked with this sort of error occurs when a user tells you how many elements to expect, and is then allowed to randomly access the array after it is created because you have failed to enforce bounds checking.

The array in the example starts at 0x00510048, and the value the attacker would like to write is the return value on the stack, which is located at 0x0012FF84. The following equation describes how the address of a single array element is determined by the base of the array, the index, and the size of the array elements:

Address of array element = base of array + index * sizeof(element)

Substituting the values into the equation produces:

0x10012FF84 = 0x00510048 + index * 4

Note that 0x10012FF84 is used in the equation instead of 0x0012FF84. A little quick work with Calc.exe shows that index is 0x3FF07FCF, or 1072725967, and that the address of bar (0x00401000) is 4198400 in decimal. Here are the program results:

[d:\]ArrayIndexError.exe 1072725967 4198400

Address of bar is 00401000

Address of IntVector is 00510048

Writing memory at 0012FF84

You have been hacked!

As you can see, this sort of error is trivial to exploit if the attacker has access to a debugger.