22

Can an NTFS volume be read by forensics without having to log into the Windows user or provide any passwords? Aka, can data be read straight from the sectors in clear text?

ZedPython
  • You don't need any specialists for this. Just plug the drive into another working computer, and it'll show up as a new Drive Letter under the File Explorer. – SnakeDoc Mar 02 '20 at 17:04
  • @Mast Doesn't your average modern USB drive use exFAT? That's what mine is, anyway. Certain vehicles and cameras require USB drives to be formatted as FAT32, so that's what most of my USB drives and SD cards are formatted as. – StalePhish Mar 02 '20 at 18:45
  • @StalePhish Most hardware uses FAT because of interoperability and easier implementation when it comes to MCUs, for example. – Num Lock Mar 03 '20 at 10:03

2 Answers

44

No, NTFS is not encrypted by default.

can data be read straight from the sectors in clear text?

Yes, by default NTFS files are unencrypted. Since NTFS 3.0, EFS (Encrypting File System) is a feature of NTFS, but

By default, no files are encrypted, but encryption can be enabled by users on a per-file, per-directory, or per-drive basis.

grg
gowenfawr
  • Note that EFS cannot encrypt system directories, as keys are per-user (stored in the user profile/encrypted with user credentials). I also don't believe it can be enabled on entire drives, at least in modern Windows versions. BitLocker is the MS-recommended method for full disk encryption. – Bob Mar 01 '20 at 14:01
13

It actually doesn't need any forensics effort and is routinely done by Windows sysadmins.

  1. Change the password of the Windows admin by booting a toolset of choice or simply attach the disk to a Windows machine that you control
  2. Take ownership of the files in question (if needed)
  3. Profit.

OR:

Mount the NTFS partition under Linux, BSD or macOS. No file permissions are enforced by default.

It is possible to encrypt a file, folder or an entire non-system partition in NTFS. It has to be explicitly done. Depending on how it is done, it can be more or less secure.

fraxinus
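Both answers make the same point: an unencrypted NTFS volume carries its own layout in the first sector, so a raw-sector reader finds the MFT and the file data without ever consulting Windows accounts or passwords, while BitLocker (the full-disk option Bob's comment recommends) replaces that sector with its own header. The following script is an added example, not code from either answer: it parses the NTFS boot-sector fields a raw reader needs (bytes per sector, cluster size, `$MFT` location, MFT record size, volume serial) and flags a BitLocker-protected volume by the `-FVE-FS-` OEM ID that BitLocker writes at offset 3. The boot sectors it parses are constructed in the script (`build_boot_sector`, with sample values) so it runs offline; the field offsets are those of the NTFS on-disk format. Pointing `parse_boot_sector` at the first 512 bytes of a real volume image is left to the reader.

```python
import struct

# OEM IDs found at offset 3 of the first sector of a volume.
NTFS_OEM_ID = b"NTFS    "        # plain NTFS: layout and file data are in the clear
BITLOCKER_OEM_ID = b"-FVE-FS-"   # BitLocker: the volume's sectors hold ciphertext


def build_boot_sector(oem_id=NTFS_OEM_ID, bytes_per_sector=512,
                      sectors_per_cluster=8, mft_lcn=786432, mftmirr_lcn=2,
                      clusters_per_mft_record=-10,
                      volume_serial=0x1234567890ABCDEF):
    """Build a constructed 512-byte boot sector so the parser can run offline.

    Field offsets follow the NTFS boot sector (BIOS parameter block plus the
    NTFS extension); the values are sample data, not taken from a real volume.
    """
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                      # x86 jump over the BPB
    bs[3:11] = oem_id
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster
    bs[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<Q", bs, 0x28, 0x1000000)     # total sectors (arbitrary)
    struct.pack_into("<Q", bs, 0x30, mft_lcn)       # first cluster of $MFT
    struct.pack_into("<Q", bs, 0x38, mftmirr_lcn)   # first cluster of $MFTMirr
    struct.pack_into("<b", bs, 0x40, clusters_per_mft_record)
    struct.pack_into("<b", bs, 0x44, 1)             # clusters per index record
    struct.pack_into("<Q", bs, 0x48, volume_serial)
    bs[510:512] = b"\x55\xAA"                       # boot sector signature
    return bytes(bs)


def parse_boot_sector(sector):
    """Return what a raw-sector reader learns from the first sector alone."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    oem_id = sector[3:11]
    if oem_id == BITLOCKER_OEM_ID:
        # BitLocker overwrites the NTFS boot sector; the MFT location and the
        # file contents are not readable without the volume's key material.
        return {"filesystem": "BitLocker", "metadata_in_clear": False}
    if oem_id != NTFS_OEM_ID:
        raise ValueError(f"not an NTFS boot sector: OEM ID {oem_id!r}")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")

    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    sectors_per_cluster = sector[0x0D]
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_lcn = struct.unpack_from("<Q", sector, 0x30)[0]
    mftmirr_lcn = struct.unpack_from("<Q", sector, 0x38)[0]
    # A negative value n means each MFT record is 2**(-n) bytes; a positive
    # value is a count of clusters per record.
    raw = struct.unpack_from("<b", sector, 0x40)[0]
    mft_record_size = 2 ** (-raw) if raw < 0 else raw * cluster_size
    volume_serial = struct.unpack_from("<Q", sector, 0x48)[0]
    return {
        "filesystem": "NTFS",
        "metadata_in_clear": True,
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "mft_offset": mft_lcn * cluster_size,          # byte offset of $MFT
        "mftmirr_offset": mftmirr_lcn * cluster_size,  # byte offset of $MFTMirr
        "mft_record_size": mft_record_size,
        "volume_serial": f"{volume_serial:016X}",
    }


if __name__ == "__main__":
    samples = (("plain NTFS", build_boot_sector()),
               ("BitLocker", build_boot_sector(oem_id=BITLOCKER_OEM_ID)))
    for label, sector in samples:
        print(label, parse_boot_sector(sector))
```

The check this gives a defender is the cheap one: if the first sector of a volume still announces `NTFS    ` and a readable `$MFT` offset, nothing about its contents depends on a Windows logon, and only EFS on individual files or BitLocker on the whole volume changes that.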