Chopping Down Artifacts from AxCrypt

AxCrypt is a tool I recently came across that can encrypt your files quickly and on the go. As a company, they have been around since 2002, but their 2.0 product was only released in 2016. It has won multiple awards, as their site shows.

There are two versions that you can download, an EXE installer version and a portable version. Before being able to use AxCrypt, you have to set up an account with an email address and a master password that will be used to encrypt/decrypt everything.

The interface is pretty simple: you add files to the tool and it automatically encrypts them using AES-128 or AES-256 (depending on your license).

User/Install Information

In the AppData folder of the user account under which it was installed or run, 4 text documents are present:

C:\Users\<USERNAME>\AppData\Local\AxCrypt\

FileSystemState - Includes "watchedFolders" (folders set up to auto-encrypt) and "activeFiles", which appears to be recent files, including "decryptedFolder" paths, decrypted file names, encrypted file paths, as well as last activity times and last encryption write times

UserAccounts - Displays information regarding the email address associated with the product, the account "level" type or license type, expiration date for the account, and public and private key information

UserPublicKeys - Shows the email address as well as the public key associated with it (I'm assuming that if you import more keys they would show here, as there is a flag for "user_imported")

UserSettings - Details settings for the actual application (version #, update URL, window height/width, last update check date/time)

Renames and LNKs

Looking at the USN journal, you can see that once a file is loaded into the tool for encryption, it is renamed: a dash (-) and the extension are added to the file name, the file then gets a .tmp extension, and finally it receives its final extension, .axx.


There is also an option in the tool, which they call "Anonymous Rename", that renames the file itself, changing the current file name to a 10-digit numeric name while keeping the .axx extension. This is a more practical option if you are trying to conceal any possible context of the contents.

When files are decrypted, they are loaded into a temporary folder at:

C:\Users\<USERNAME>\AppData\Local\AxCrypt\<RANDOM_FOLDER>

The naming convention for the folder appears to be 8 lowercase alphanumeric characters. The folder gets noted in the FileSystemState.txt file from above. This could be helpful to know if you come across a system that has AxCrypt running with files open, since you can locate the decrypted original files there.
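The naming conventions described above (the "-ext.axx" rename, the 10-digit Anonymous Rename name, and the 8-character decrypted-file folder) can be turned into a quick triage pass over a file listing. This is an added example, not part of the original post or AxCrypt's own code; the function names, the user name "examiner" and the folder name "k3x9q2ab" are constructed, and the patterns encode only the behaviour observed in this post.

```python
import re
from pathlib import PureWindowsPath

# Patterns encode the naming behaviour observed in the post (assumptions, not a spec).
ANON_RE = re.compile(r"^\d{10}\.axx$", re.IGNORECASE)       # Anonymous Rename
NAMED_RE = re.compile(r"^(?P<stem>.+)-(?P<ext>[^-.]+)\.axx$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"^[a-z0-9]{8}$")                  # decrypted-file folder

SAMPLE_PATHS = [  # constructed listing; the two .axx names are from the post's test
    r"C:\Users\examiner\Desktop\NewTest-txt.axx",
    r"C:\Users\examiner\Desktop\2028781783.axx",
    r"C:\Users\examiner\AppData\Local\AxCrypt\k3x9q2ab\NewTest.txt",
    r"C:\Users\examiner\AppData\Local\AxCrypt\FileSystemState.txt",
]

def classify_axx(path):
    """Return (kind, original_name_guess) for a file path."""
    name = PureWindowsPath(path).name
    if ANON_RE.match(name):
        return ("anonymous", None)            # original name is not recoverable
    m = NAMED_RE.match(name)
    if m:
        return ("named", f"{m['stem']}.{m['ext']}")
    return ("axx-other", None) if name.lower().endswith(".axx") else ("not-axx", None)

def decrypted_temp_file(path):
    """Return (folder, file) for ...\\AppData\\Local\\AxCrypt\\<8 chars>\\<file>."""
    parts = PureWindowsPath(path).parts
    lowered = [p.lower() for p in parts]
    for i in range(len(parts) - 4):
        if (lowered[i:i + 3] == ["appdata", "local", "axcrypt"]
                and TEMP_DIR_RE.match(parts[i + 3])):
            return (parts[i + 3], parts[-1])
    return None

def triage(paths):
    """Return (path, finding, detail) rows for AxCrypt-related entries only."""
    findings = []
    for p in paths:
        kind, guess = classify_axx(p)
        temp = decrypted_temp_file(p)
        if temp:
            findings.append((p, "decrypted-temp", temp[1]))
        elif kind != "not-axx":
            findings.append((p, kind, guess))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_PATHS):
        print(row)
```

A "named" hit gives back the likely original file name, while an "anonymous" hit has to be tied to its original through other artifacts such as the LNK files discussed below.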

Preliminary testing:

  1. A new file "NewTest.txt" was created with some content
  2. File dragged into AxCrypt portable, file name gets changed to "NewTest-txt.axx" and encrypted
  3. "NewTest-txt.axx" is opened and viewed, which created a LNK file
  4. Anonymous Rename option selected and file added, "NewTest-txt.axx" gets renamed to "2028781783.axx" on the desktop
  5. When opening "2028781783.axx", a LNK is created with the same name

When looking at both LNKs, the file sizes are the same, as are the Object IDs, which possibly indicates that these are/were the same file.

Another item to look for is execution after opening an .axx file. Since the decrypted files are regular files such as a TXT or a PNG, the file opens natively in an application that can read it. For instance, opening "2028781783.axx" runs Notepad, which helps narrow down what file type it originally was.

AxCrypt does a pretty good job of concealing original names if you choose the Anonymous Rename option, and naturally it encrypts well with AES. I hope to look at what else I can dig up in a future post.