Recovering Windows Secrets and EFS Certificates Offline
In this paper we present the result of our reverse-engineering of DPAPI, the Windows API for safe data storage on disk. Understanding DPAPI was the major roadblock preventing alternative systems such as Linux from reading Windows Encrypting File System (EFS) files. Our analysis of DPAPI reveals how an attacker can leverage DPAPI design choices to gain a nearly silent backdoor. We also found a way to recover all previous passwords used by any user on a system. We implement DPAPI data decryption and previous password extraction in a free tool called DPAPIck. Finally, we propose a backward compatible scheme that addresses the issue of previous password recovery.