Friday, February 13, 2026

Windows Forensics

Photo credit: Cybersecurity by cyberKid

[Image slides: Windows Forensics, including a panel titled "Time Zone Information"]


Ref: Cybersecurity by cyberKid

Note: The content on this website is provided for informational and educational purposes only, and as a reminder for myself.


* If any of the information is incorrect, I apologize. Please notify the Admin so it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud

How to detect encryption disk


Detecting disk encryption is one of the most critical steps in digital forensics. If an investigator shuts down a machine without realizing the disk is encrypted, they risk permanently losing access to the data if the recovery key is unknown.

Based on industry-standard forensic guidelines and the evidence shown in the screenshots, here is the step-by-step process for detecting encryption.


Step 1: Visual Inspection (Live System)

The first step is to check for obvious UI indicators while the system is still running.

  • File Explorer: Look for a lock icon on the drive letters in "This PC."

    • Gold Lock: The drive is encrypted and currently locked (requires a key).

    • Silver/Open Lock: The drive is encrypted but currently unlocked (accessible).

  • System Tray: Look for icons related to encryption software like VeraCrypt, PGP, or Check Point.

In the BitLocker Drive Encryption control panel, under Hard Disk Drives, if a drive shows the text "Windows (H:) On", then BitLocker is turned on for that drive and it is encrypted.

Step 2: Native Command Line Verification

Using built-in OS tools is a "low-footprint" way to confirm encryption status without installing new software.

For Windows (BitLocker)

  1. Open Command Prompt or PowerShell as an Administrator.

  2. Run the command: manage-bde -status

  3. Analysis:

    • Conversion Status: Look for "Fully Encrypted" vs. "Fully Decrypted."

    • Percentage Encrypted: Shows if an encryption process is currently in progress.

    • Encryption Method: Identifies the algorithm (e.g., AES 128 or XTS-AES 256).

    • Lock Status: Confirms if the volume is Locked or Unlocked.
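An added example, not from the original post: a Python script that parses `manage-bde -status` output into the four fields listed above and flags the volumes that must be imaged live before power is removed. The sample report is constructed (trimmed to those fields), and `live_triage` runs the real command on a Windows host.

```python
import re
import subprocess
# Constructed sample of `manage-bde -status` output (not captured from a real host),
# trimmed to the fields this post analyses; the real report carries more lines per volume.
SAMPLE_STATUS = """\
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Lock Status:          Unlocked

Volume H: [Evidence]
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 42.7%
    Encryption Method:    AES 256
    Lock Status:          Locked

Volume D: [Data]
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Lock Status:          Unlocked
"""
VOLUME_RE = re.compile(r"^Volume ([A-Z]):", re.MULTILINE)
FIELD_RE = re.compile(r"^[ \t]+([A-Za-z ]+):[ \t]+(.+?)[ \t]*$", re.MULTILINE)

def parse_status(text):
    """Split the report into {drive_letter: {field: value}}."""
    parts = VOLUME_RE.split(text)  # [preamble, letter, block, letter, block, ...]
    return {letter: dict(FIELD_RE.findall(block))
            for letter, block in zip(parts[1::2], parts[2::2])}

def triage(volumes):
    """Return only the volumes whose data is at risk if the machine is powered off."""
    findings = {}
    for letter, f in volumes.items():
        pct = float(f.get("Percentage Encrypted", "0").rstrip("%"))
        status = f.get("Conversion Status", "")
        if status == "Fully Decrypted" and pct == 0.0:
            continue  # nothing encrypted here; safe to image offline
        findings[letter] = {
            "locked": f.get("Lock Status") == "Locked",  # a key is needed before access
            "in_progress": status not in ("Fully Encrypted", "Fully Decrypted"),
            "method": f.get("Encryption Method", "Unknown"),
        }
    return findings

def live_triage():
    """Run the real tool on a Windows host (requires an elevated prompt)."""
    out = subprocess.run(["manage-bde", "-status"], capture_output=True, text=True)
    return triage(parse_status(out.stdout))
```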

Photo by magnetforensics[.]com

Magnet Encrypted Disk Detector (v3.10, released June 19th, 2022) is a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system during incident response. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug were pulled.

Step 3: Forensic Scanning Tools (Magnet EDD)

Standard OS commands may miss third-party encryption (like TrueCrypt or VeraCrypt). Forensic investigators use specialized, non-intrusive tools like Magnet Encrypted Disk Detector (EDD).

  1. Execution: Run EDDv310.exe from a forensic USB drive to avoid altering the host's registry.

  2. Physical Drive Scan: The tool scans physical disk signatures (MBR/GPT) for encryption headers.

  3. Logical Volume Scan: It checks every mounted volume for BitLocker, TrueCrypt, PGP, or VeraCrypt.

  4. Results: If the tool detects encryption, it highlights the affected drive and the type of encryption found in red, as seen in the screenshots above.
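As an added example (not the Magnet EDD tool's own code), here is a Python check of the kind the Physical Drive Scan step describes: it reads a volume's first sector and looks for the BitLocker boot-sector signature, falling back to an entropy test for TrueCrypt/VeraCrypt containers, which carry no plaintext header. The sample sectors are constructed, and the 7.0 threshold is an assumed cut-off.

```python
import math

# OEM name at offset 3 of the boot sector: BitLocker overwrites NTFS's "NTFS    "
# with "-FVE-FS-" (the Full Volume Encryption filesystem signature).
BITLOCKER_OEM_ID = b"-FVE-FS-"
NTFS_OEM_ID = b"NTFS    "
SECTOR = 512

# Constructed sample sectors (not captured from real media):
SAMPLE_SECTORS = {
    "bitlocker": b"\xeb\x58\x90" + BITLOCKER_OEM_ID + bytes(SECTOR - 11),
    "plain_ntfs": b"\xeb\x52\x90" + NTFS_OEM_ID + bytes(SECTOR - 11),
    # flat byte histogram (entropy 8.0) stands in for an encrypted container header
    "container": bytes(range(256)) * 2,
    "wiped": bytes(SECTOR),
}

def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or random data scores close to 8.0."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_boot_sector(sector):
    """Label a volume's first sector: bitlocker, ntfs, high_entropy or unknown."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    oem = sector[3:11]
    if oem == BITLOCKER_OEM_ID:
        return "bitlocker"
    if oem == NTFS_OEM_ID:
        return "ntfs"
    # TrueCrypt/VeraCrypt leave no plaintext signature (the header itself is encrypted),
    # so a boot sector that looks like noise is the only on-disk hint. Assumed threshold.
    if shannon_entropy(sector) > 7.0:
        return "high_entropy"
    return "unknown"

def classify_image(path):
    """Read the first sector of a raw volume image (e.g. a dc3dd output) and classify it."""
    with open(path, "rb") as f:
        return classify_boot_sector(f.read(SECTOR))

def classify_samples():
    return {name: classify_boot_sector(sec) for name, sec in SAMPLE_SECTORS.items()}
```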


Critical Forensic Guidelines (Post-Detection)

If encryption is detected, DO NOT SHUT DOWN THE COMPUTER until you have performed the following:

  1. RAM Capture: Use a tool (like FTK Imager) to capture the volatile memory. Encryption keys are often stored in plain text within the RAM while the drive is mounted.

  2. Search for Recovery Keys: Look for BitLocker Recovery Key.txt files on the desktop, in the user's Microsoft Account, or printed physical documents.

  3. Live Imaging: If the disk is "Unlocked," perform a "Live Image" of the logical volume. This captures the data in its unencrypted state.

  4. Hash Validation: Always calculate the Hash Value (MD5/SHA-256) of your captured image to ensure its integrity for use in court.


Ref: magnetforensics[.]com


