How to detect disk encryption.
Detecting disk encryption is one of the most critical steps in Digital Forensics. If an investigator shuts down a machine without realizing the disk is encrypted, they risk losing access to the data permanently if the recovery key is unknown.
Based on industry-standard forensic guidelines and the provided evidence, here is the step-by-step process for detecting encryption.
Step 1: Visual Inspection (Live System)
The first step is to check for obvious UI indicators while the system is still running.
File Explorer: Look for a lock icon on the drive letters in "This PC."
Gold Lock: The drive is encrypted and currently locked (requires a key).
Silver/Open Lock: The drive is encrypted but currently unlocked (accessible).
System Tray: Look for icons related to encryption software like VeraCrypt, PGP, or Check Point.
Step 2: Native Command Line Verification
Using built-in OS tools is a "low-footprint" way to confirm encryption status without installing new software.
For Windows (BitLocker)
Open Command Prompt or PowerShell as an Administrator.
Run the command:
manage-bde -status
Analysis:
Conversion Status: Look for "Fully Encrypted" vs. "Fully Decrypted."
Percentage Encrypted: Shows if an encryption process is currently in progress.
Encryption Method: Identifies the algorithm (e.g., AES 128 or XTS-AES 256).
Lock Status: Confirms if the volume is Locked or Unlocked.
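As an added example (not part of the original post or Magnet's tooling), the following Python parses saved manage-bde -status output and applies the Step 2 checks: it pulls the four fields above per volume and flags any volume that holds ciphertext, which is the condition under which the machine must not be shut down. The sample output is constructed, not captured from a real system.

```python
import re

# Constructed sample of `manage-bde -status` output (not captured from a real
# system): an unlocked, fully encrypted OS volume and a plaintext data volume.
SAMPLE_STATUS = """\
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
Volume D: [Data]
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Lock Status:          Unlocked
    Key Protectors:       None Found
"""

# A volume block starts with "Volume X: [label]"; fields are indented "Key: value"
# lines (a bare "Key Protectors:" header with the list below it is skipped).
VOLUME_RE = re.compile(r"^Volume (?P<letter>[A-Z]:) \[(?P<label>[^\]]*)\]", re.M)
FIELD_RE = re.compile(r"^[ \t]+(?P<key>[A-Za-z ]+):[ \t]+(?P<value>\S.*?)[ \t]*$", re.M)

def parse_manage_bde(text):
    """Split the output into per-volume blocks and keep the fields Step 2 names."""
    heads = list(VOLUME_RE.finditer(text))
    volumes = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        f = {m["key"].strip(): m["value"] for m in FIELD_RE.finditer(text[head.end():end])}
        volumes.append({
            "letter": head["letter"], "label": head["label"],
            "conversion": f.get("Conversion Status", "Unknown"),
            "percent": float(f.get("Percentage Encrypted", "0").rstrip("%")),
            "method": f.get("Encryption Method", "Unknown"),
            "lock": f.get("Lock Status", "Unknown"),
        })
    return volumes

def is_encrypted(v):
    """Any ciphertext on disk, complete or still converting, means the keys live in RAM."""
    return v["conversion"] != "Fully Decrypted" or v["percent"] > 0

def keep_running(volumes):
    """True when the machine must stay powered on for RAM capture and live imaging."""
    return any(is_encrypted(v) for v in volumes)
```

A volume mid-conversion ("Encryption in Progress" with a non-zero percentage) is treated the same as a fully encrypted one, since shutting down would still strand the partially encrypted sectors.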
Step 3: Forensic Scanning Tools (Magnet EDD)
Standard OS commands may miss third-party encryption (like TrueCrypt or VeraCrypt). Forensic investigators use specialized, non-intrusive tools like Magnet Encrypted Disk Detector (EDD).
Execution: Run EDDv310.exe from a forensic USB drive to avoid altering the host's registry.
Physical Drive Scan: The tool scans physical disk signatures (MBR/GPT) for encryption headers.
Logical Volume Scan: It checks every mounted volume for BitLocker, TrueCrypt, PGP, or VeraCrypt.
Results: If the tool detects encryption, it highlights the specific drive and the type of encryption found in red, as seen in the provided screenshots.
Critical Forensic Guidelines (Post-Detection)
If encryption is detected, DO NOT SHUT DOWN THE COMPUTER until you have performed the following:
RAM Capture: Use a tool (like FTK Imager) to capture the volatile memory. Encryption keys are often stored in plain text within the RAM while the drive is mounted.
Search for Recovery Keys: Look for BitLocker Recovery Key.txt files on the desktop, in the user's Microsoft Account, or in printed physical documents.
Live Imaging: If the disk is "Unlocked," perform a "Live Image" of the logical volume. This captures the data in its unencrypted state.
Hash Validation: Always calculate the Hash Value (MD5/SHA-256) of your captured image to ensure its integrity for use in court.
Ref: magnetforensics[.]com
* If any information here is incorrect, I apologize. Please notify the Admin so it can be corrected.
Thank you.
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud