{"id":"https://openalex.org/W2093344556","doi":"https://doi.org/10.1080/15567280701721905","title":"Forensic Extraction of EFS-Encrypted Files in Live System Investigation","display_name":"Forensic Extraction of EFS-Encrypted Files in Live System Investigation","publication_year":2008,"publication_date":"2008-03-13","ids":{"openalex":"https://openalex.org/W2093344556","doi":"https://doi.org/10.1080/15567280701721905","mag":"2093344556"},"language":"en","primary_location":{"id":"doi:10.1080/15567280701721905","is_oa":false,"landing_page_url":"https://doi.org/10.1080/15567280701721905","pdf_url":null,"source":{"id":"https://openalex.org/S127916260","display_name":"Journal of Digital Forensic Practice","issn_l":"1556-7281","issn":["1556-7281","1556-7346"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320547","host_organization_name":"Taylor & Francis","host_organization_lineage":["https://openalex.org/P4310320547"],"host_organization_lineage_names":["Taylor & Francis"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Digital Forensic Practice","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5053493321","display_name":"Ewa Huebner","orcid":null},"institutions":[{"id":"https://openalex.org/I63525965","display_name":"Western Sydney University","ror":"https://ror.org/03t52dk35","country_code":"AU","type":"education","lineage":["https://openalex.org/I63525965"]}],"countries":["AU"],"is_corresponding":true,"raw_author_name":"Ewa Huebner","raw_affiliation_strings":["\n                   \n               University of Western Sydney, School of Computing and Mathematics, Penrith Campus Locked bag 1797, Penrith South, DC, 1797, Australia","University of Western Sydney, School of Computing and Mathematics, Penrith South, DC, Australia#TAB#"],"affiliations":[{"raw_affiliation_string":"\n                   \n               University of Western Sydney, School of Computing and Mathematics, Penrith Campus Locked bag 1797, Penrith South, DC, 1797, Australia","institution_ids":["https://openalex.org/I63525965"]},{"raw_affiliation_string":"University of Western Sydney, School of Computing and Mathematics, Penrith South, DC, Australia#TAB#","institution_ids":["https://openalex.org/I63525965"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5083136224","display_name":"Derek Bem","orcid":null},"institutions":[{"id":"https://openalex.org/I63525965","display_name":"Western Sydney University","ror":"https://ror.org/03t52dk35","country_code":"AU","type":"education","lineage":["https://openalex.org/I63525965"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Derek Bem","raw_affiliation_strings":["\n                   \n               University of Western Sydney, School of Computing and Mathematics, Penrith Campus Locked bag 1797, Penrith South, DC, 1797, Australia","University of Western Sydney, School of Computing and Mathematics, Penrith South, DC, Australia#TAB#"],"affiliations":[{"raw_affiliation_string":"\n                   \n               University of Western Sydney, School of Computing and Mathematics, Penrith Campus Locked bag 1797, Penrith South, DC, 1797, Australia","institution_ids":["https://openalex.org/I63525965"]},{"raw_affiliation_string":"University of Western Sydney, School of Computing and Mathematics, Penrith South, DC, Australia#TAB#","institution_ids":["https://openalex.org/I63525965"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5053493321"],"corresponding_institution_ids":["https://openalex.org/I63525965"],"apc_list":null,"apc_paid":null,"fwci":1.7559,"has_fulltext":false,"cited_by_count":5,"citation_normalized_percentile":{"value":0.86018932,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"2","issue":"1","first_page":"1","last_page":"12"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12357","display_name":"Digital Media Forensic Detection","score":0.9966999888420105,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12357","display_name":"Digital Media Forensic Detection","score":0.9966999888420105,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9955999851226807,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.983299970626831,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5657976269721985},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.5643113851547241},{"id":"https://openalex.org/keywords/extraction","display_name":"Extraction (chemistry)","score":0.43262535333633423},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.38879865407943726},{"id":"https://openalex.org/keywords/chemistry","display_name":"Chemistry","score":0.11755836009979248}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5657976269721985},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.5643113851547241},{"id":"https://openalex.org/C4725764","wikidata":"https://www.wikidata.org/wiki/Q844704","display_name":"Extraction (chemistry)","level":2,"score":0.43262535333633423},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.38879865407943726},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.11755836009979248},{"id":"https://openalex.org/C43617362","wikidata":"https://www.wikidata.org/wiki/Q170050","display_name":"Chromatography","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1080/15567280701721905","is_oa":false,"landing_page_url":"https://doi.org/10.1080/15567280701721905","pdf_url":null,"source":{"id":"https://openalex.org/S127916260","display_name":"Journal of Digital Forensic Practice","issn_l":"1556-7281","issn":["1556-7281","1556-7346"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320547","host_organization_name":"Taylor & Francis","host_organization_lineage":["https://openalex.org/P4310320547"],"host_organization_lineage_names":["Taylor & Francis"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Digital Forensic Practice","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.7099999785423279}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":10,"referenced_works":["https://openalex.org/W136501077","https://openalex.org/W142045744","https://openalex.org/W625206410","https://openalex.org/W1559809477","https://openalex.org/W1565792826","https://openalex.org/W1988619474","https://openalex.org/W2070320970","https://openalex.org/W2083065619","https://openalex.org/W2117420234","https://openalex.org/W4233873638"],"related_works":["https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W2358668433","https://openalex.org/W2376932109","https://openalex.org/W2001405890","https://openalex.org/W2382290278","https://openalex.org/W2478288626","https://openalex.org/W4391913857","https://openalex.org/W2350741829","https://openalex.org/W2530322880"],"abstract_inverted_index":{"ABSTRACT":[0],"Encrypted":[1],"files":[2,39,61,93],"captured":[3],"by":[4,66,180],"acquiring":[5],"a":[6,95,105,148],"bit-by-bit":[7],"image":[8],"in":[9,78,158],"the":[10,23,26,35,46,54,67,70,88,116,125,132,163,181],"process":[11],"of":[12,28,90,100,115,185],"conventional":[13,173],"forensic":[14,194],"investigation":[15,155],"are":[16],"practically":[17],"impossible":[18],"to":[19,37,142],"decrypt":[20],"without":[21],"knowing":[22],"key":[24],"and":[25,69,130,183],"method":[27,99],"encryption.":[29],"The":[30,98,121],"Windows":[31],"operating":[32],"system":[33,58,71,118,154,164,193],"provides":[34],"option":[36],"encrypt":[38],"using":[40],"an":[41,79],"encryption":[42],"driver":[43],"bundled":[44],"with":[45],"New":[47],"Technology":[48],"File":[49],"System":[50],"(NTFS)":[51],"file":[52,57,81,117,190],"system,":[53],"so-called":[55],"encrypting":[56,189],"(EFS).":[59],"EFS":[60],"can":[62,139],"be":[63,140,143,170],"manipulated":[64],"transparently":[65],"owner":[68],"administrator":[72],"as":[73,75],"long":[74],"they":[76],"reside":[77],"NTFS":[80],"system.":[82,97],"In":[83],"this":[84,137],"article":[85],"we":[86],"demonstrate":[87],"methodology":[89],"extracting":[91],"EFS-decrypted":[92],"from":[94],"live":[96,153],"extraction":[101,133],"is":[102,134,156],"built":[103],"around":[104],"software":[106],"utility,":[107],"Robocopy,":[108],"which":[109],"does":[110],"not":[111],"modify":[112],"any":[113],"metadata":[114],"during":[119],"extraction.":[120],"hash":[122],"value":[123],"for":[124],"encrypted":[126],"data":[127],"calculated":[128],"before":[129],"after":[131],"identical,":[135],"so":[136],"approach":[138],"considered":[141],"forensically":[144],"sound.":[145],"We":[146],"present":[147],"scenario":[149],"that":[150,152],"shows":[151],"indispensable":[157],"obtaining":[159],"complete":[160],"information":[161,168],"about":[162],"being":[165],"examined.":[166],"This":[167],"would":[169],"lost":[171],"if":[172],"methods":[174],"were":[175],"applied,":[176],"even":[177],"when":[178],"supplemented":[179],"capture":[182],"analysis":[184],"physical":[186],"memory.":[187],"KEYWORDS:":[188],"systems":[191,196],"EFSlive":[192],"analysisfile":[195],"security":[197]},"counts_by_year":[],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}