Encrypting File System (EFS) is a built-in Windows feature that provides file-level encryption to protect sensitive data stored on NTFS volumes. Unlike full-disk encryption solutions like BitLocker, EFS encrypts individual files and folders using per-file encryption keys tied to a user’s Windows account. Only the user who encrypted the data—or authorized recovery agents—can decrypt and access the protected content. EFS operates transparently in the background: if the correct user is logged in, files open normally; if not, the data remains unreadable. This makes EFS useful for securing specific files such as documents, reports, and forensic artifacts stored on a shared or multi-user system.
If, during a live preview of a machine, EFS is detected on files, we need to get the PFX certificate to be able to view and decrypt these files back in the lab. This script will collect the PFX certificate, assign the certificate the password 'forensics', and save it to the drive from which the script was run.
Download the BAT file and the ps1 file onto a drive for triage. Double click the .bat file.
You may need to choose the user whose key you want to collect in the terminal window.
Apply the key on your forensic workstation by double-clicking the certificate and entering the password 'forensics'.
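The following PowerShell is an added illustration of what a collection script of this kind does; it is not the script the page distributes, and it assumes the examiner runs it (for example from a launcher such as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0Collect-EfsKey.ps1"`) while logged in as the user whose EFS key is needed. It looks in the current user's personal certificate store for certificates carrying the EFS enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4), lets the examiner pick one if several exist, exports it with the private key to a PFX protected with the password 'forensics' on the drive the script was started from, and records a SHA-256 hash of the output for the chain-of-custody notes. The output file name is an assumption; the page does not specify one.

```powershell
# Added example, not the page's own script.
# Export the logged-in user's EFS certificate and private key to a PFX on the
# drive this script is run from, protected with the password the page specifies.

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: "Encrypting File System"
$PfxPassword = ConvertTo-SecureString -String 'forensics' -AsPlainText -Force

# Candidate certificates: in the current user's personal store, with a private key,
# and with the EFS EKU. Keys from other profiles are not reachable from here,
# which is why the collection must run in the context of the user in question.
$efsCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsOid })
})

if ($efsCerts.Count -eq 0) {
    Write-Warning "No EFS certificate with a private key found for user $env:USERNAME."
    exit 1
}

# Several EFS certificates can exist (e.g. after a renewal); let the examiner choose.
if ($efsCerts.Count -gt 1) {
    for ($i = 0; $i -lt $efsCerts.Count; $i++) {
        $c = $efsCerts[$i]
        Write-Host ("[{0}] {1}  thumbprint {2}  valid {3:yyyy-MM-dd} to {4:yyyy-MM-dd}" -f `
            $i, $c.Subject, $c.Thumbprint, $c.NotBefore, $c.NotAfter)
    }
    $choice = [int](Read-Host 'Select the certificate to export (index)')
    $cert = $efsCerts[$choice]
} else {
    $cert = $efsCerts[0]
}

# Write next to the script's own drive root, e.g. E:\ for a triage USB stick.
$scriptDrive = (Split-Path -Qualifier $PSScriptRoot) + '\'
$outFile = Join-Path $scriptDrive ("EFS_{0}_{1}_{2}.pfx" -f $env:COMPUTERNAME, $env:USERNAME, $cert.Thumbprint)  # assumed naming

try {
    # Export-PfxCertificate refuses keys that were generated as non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $outFile -Password $PfxPassword -ErrorAction Stop | Out-Null
} catch {
    Write-Error "Export failed for thumbprint $($cert.Thumbprint): $($_.Exception.Message)"
    exit 1
}

# Record a hash of the collected key file for the evidence log.
$hash = Get-FileHash -Path $outFile -Algorithm SHA256
Write-Host "Exported EFS key to $outFile"
Write-Host "SHA-256: $($hash.Hash)"
```

On the forensic workstation the same PFX can be imported without the GUI with `Import-PfxCertificate -FilePath <file> -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString 'forensics' -AsPlainText -Force)`; once the certificate sits in the examiner's personal store, Windows decrypts the affected files transparently, exactly as the page describes. The built-in `cipher /x` command performs an equivalent interactive backup and is a reasonable fallback if the PKI module's `Export-PfxCertificate` is unavailable on the triaged host.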