Friday, August 7, 2015

“EFS” on FAT drives in Windows 10

Doesn’t this look weird to you?

clip_image002

It sure looks like there’s an encrypted file on a FAT volume, doesn’t it? EFS has always been said to be a file system service available only to the NTFS volumes…

Well now it gets interesting ‘cause EFS requires alternate data streams for the metadata and only NTFS supports ADS. If we take a _really_ close look at that file it actually isn’t EFS encrypted although it looks and behaves like one. It’s actually an encrypted PFILE and Enterprise Data Protection takes care of storing required metadata. The file system has been changed to present it like an EFS-file to the rest of the OS.