Even if they are encrypted on the machine using the Windows Encrypting File System (EFS), the attacker can still log on to the machine with administrator access. As long as the EFS-protected files were encrypted by a user other than the default administrator, the attacker can use admin privileges to dump the machine's local SAM database. He could then crack the password of the account that encrypted the files, relying on a free password cracking tool such as Cain or John the Ripper, and use that password to gain access to the files, with EFS transparently decrypting them for the user.
Yet there are stronger methods available beyond EFS, such as whole-disk encryption technologies that encrypt everything, including the operating system, which is booted via a special secure boot loader. Attackers are also not above simple trial and error, a possibility that should not be discounted. For instance, a malicious hacker could build a hardware device that plugs into the USB port of a stolen laptop and tries thousands of passwords per hour, possibly guessing the right one eventually.
But in February 2008, another useful attack vector, the so-called "cold-boot" attack, was discussed widely. It was based on some fascinating research from Ed Felten's team at Princeton University. In a cold-boot attack, the bad guy takes a hibernating machine and disconnects its power. As we all know, RAM is volatile, but it is not so volatile that secrets (including passwords and crypto keys) stored in memory vanish instantly; in fact, they remain for several minutes, and potentially longer if the memory is cooled. After removing power, the attacker can boot the system from an external device, such as a CD or USB token, and dump RAM, storing the results on the USB drive or sending them across the network. The attacker can then scour the memory image for the data structures that hold the secret needed to decrypt the laptop. With that secret, the attacker can either copy the entire encrypted partitions or reboot the machine and have the built-in software decrypt them. Free software is even appearing now that automates part of this attack, particularly the boot process and the dumping of memory.
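Two of the claims above, that a key lingers in RAM after power is cut and that partial decay of the cells does not hide it from a search, can be checked on hardware you own by planting a known test key and scanning a dump for it. The following Python is an added example, not code from the article or from the Princeton research: the "memory image" is a synthetic buffer constructed inline rather than a real dump, the decay model is a deliberately crude stand-in for what cooled DRAM actually does, and the names (build_test_image, decay, find_key, scrub) and the 32-byte test key are this example's own.

```python
# Added example, not code from the original article. A defender-side check:
# given a memory image from a machine you own and a test key you planted,
# confirm whether the key is still resident, and whether it survives the
# partial bit decay that makes RAM "not volatile enough". All data here is
# constructed; nothing reads real memory.
import random
from typing import List, Tuple

# Constructed 32-byte test key (an AES-256-sized value chosen by hand).
KEY = bytes.fromhex(
    "8f3a52c19bd4e677a1b2c3d4e5f60718293a4b5c6d7e8f90fedcba9876543210"
)


def build_test_image(size: int, key: bytes, offset: int, seed: int = 1) -> bytearray:
    """Construct a synthetic RAM image: deterministic pseudo-random filler
    with `key` planted at `offset`. Stands in for a real dump."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + len(key)] = key
    return buf


def decay(image: bytes, every: int = 8) -> bytearray:
    """Crude remanence model: without refresh, cells drift toward a ground
    state. Here every `every`-th byte has its top bit cleared, so the key is
    no longer byte-exact but most of its bits survive."""
    out = bytearray(image)
    for i in range(0, len(out), every):
        out[i] &= 0x7F
    return out


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def find_key(image: bytes, key: bytes, max_bit_errors: int = 0) -> List[Tuple[int, int]]:
    """Return (offset, bit_errors) for every window of `image` that matches
    `key` within `max_bit_errors` bits. With 0 errors this is an exact
    search; a small tolerance still finds a key that has partly decayed."""
    n = len(key)
    hits = []
    for off in range(len(image) - n + 1):
        d = hamming(image[off:off + n], key)
        if d <= max_bit_errors:
            hits.append((off, d))
    return hits


def scrub(image: bytearray, offset: int, length: int) -> None:
    """Overwrite a region in place, as software should do with key material
    it no longer needs; the search should then fail even with tolerance."""
    image[offset:offset + length] = bytes(length)


if __name__ == "__main__":
    img = build_test_image(64 * 1024, KEY, offset=4096)
    print("exact, fresh image:   ", find_key(img, KEY))
    worn = decay(img)
    print("exact, after decay:   ", find_key(worn, KEY))
    print("tolerant, after decay:", find_key(worn, KEY, max_bit_errors=8))
    scrub(img, 4096, len(KEY))
    print("tolerant, after scrub:", find_key(decay(img), KEY, max_bit_errors=8))
```

Searching for a key you already hold is a verification step, not recovery: the useful outcome is the last line, where the key is found neither exactly nor within a few bits once the owning software has overwritten it. That is the property to test before trusting that a laptop's encryption key is gone from memory in whatever power state it is carried around in.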
This was first published in May 2008.