Detecting if encrypted files exist

(imported topic written by SystemAdmin)

I’m trying to create an analysis to detect if encrypted files exist on a computer. I don’t need to know what files or the locations, only if a machine has any encrypted files. The only way I know how to do this is running the cipher command. I don’t want to do that because that would force each client to scan their entire disk for files.

Any ideas?

(imported comment written by NoahSalzman)

Um… you sorta have pointed out the inherent problem right there in your question. Here is another way of asking your question:

“I want to find all files that contain the string ‘XYGEQNWF’ but I don’t want to have to scan all the files on the hard drive.” :)

I suppose that, for machines that have an indexed searching function, you could use that function in a clever way… but at that point you are relying on the currency of that index and the ability of the searching function to be able to identify a particular encryption format.

(imported comment written by SystemAdmin)

I guess I was hoping there might be a key or cert created only if file encryption has been used.

(imported comment written by NoahSalzman)

Ah, well, if you are looking for “markers” that is a lot easier than inspecting files. Is this a particular program you are considering (PGP, BitLocker, etc.)?

(imported comment written by SystemAdmin)

I want to see if any files have ever been flagged as encrypted using Windows file encryption (EFS).

(imported comment written by cstoneba)

Try looking at the Windows 'cipher' command, or EFSINFO (found in the Windows Server 2003 Support Tools), but with either of these methods, you would have to scan through all Windows files, which would be costly.

efsinfo /s:c: | find ": Encrypted"
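
The "marker" idea raised earlier in the thread can be checked without touching the file system. The following is an added example, not part of the original thread: it looks for the per-user EFS key record in each loaded user registry hive. It assumes EFS stores the thumbprint of the user's current certificate in the `CertificateHash` value under `Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys`; the function name `Get-EfsMarker` is hypothetical.

```powershell
# Added example: heuristic EFS "marker" check that avoids a full disk scan.
# Assumption: EFS records the user's current key under
#   HKU\<SID>\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys
#   in the REG_BINARY value CertificateHash.
# Limits: only hives currently loaded under HKEY_USERS (logged-on users) are
# visible, and a marker means an EFS key was provisioned for that profile,
# not that encrypted files still exist on disk.

function Get-EfsMarker {
    [CmdletBinding()]
    param()

    # Match real user account SIDs; skips .DEFAULT, service SIDs and *_Classes hives.
    $sidPattern = '^S-1-5-21-[\d-]+$'

    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -notmatch $sidPattern) { continue }

        $keyPath = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys"
        $thumbprint = $null

        if (Test-Path -Path $keyPath) {
            $props = Get-ItemProperty -Path $keyPath -Name CertificateHash -ErrorAction SilentlyContinue
            if ($props -and $props.CertificateHash) {
                # Render the binary hash as a hex thumbprint for reporting.
                $thumbprint = ($props.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
            }
        }

        [pscustomobject]@{
            Sid                   = $sid
            EfsKeyPresent         = [bool]$thumbprint
            CertificateThumbprint = $thumbprint
        }
    }
}

# Report one row per loaded user profile.
Get-EfsMarker | Format-Table -AutoSize
```

A machine where every row shows `EfsKeyPresent` as False can be deprioritized; a True row is a reason to run the targeted `cipher` or `efsinfo` scan on that machine only.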