EDD
→ Encrypted Disk Detector v1.1.0
Version 1.1.0 new features/release details:
- EDD now also checks mounted logical volumes and attempts to determine whether they are mounted TrueCrypt or PGP volumes. A determination cannot be made with certainty, but an alert is given so the user can investigate further.
- EDD is now included as part of Microsoft COFEE!
What it does
Encrypted Disk Detector (EDD) is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP®, or Bitlocker® encrypted volumes. If no disk-encryption signature is found in a drive's MBR, EDD goes on to display the OEM ID and, where applicable, the Volume Label of each partition on that drive, and uses these to check for Bitlocker® volumes.
What it does not do
EDD does not attempt to locate encrypted volumes that are not mounted; its purpose is to alert the user to currently accessible drives/volumes that may be encrypted and would therefore become inaccessible if the system were shut down.
In other words, EDD does not scan drives for files that might be encrypted containers. If this is what you're looking for, there are other software packages available elsewhere that attempt to do this.
Why use it?
EDD is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition is needed to secure and preserve evidence that would otherwise be lost if the plug were pulled.
Limitations
- Currently only TrueCrypt, PGP®, and Bitlocker® encrypted volumes are detected by EDD. Detection of more encryption products will be added to later versions.
- Not so much a limitation of EDD, but worth mentioning: on Windows Vista, depending on how the OS is configured (UAC), you may need to use the "Run as Administrator" option for EDD to open the physical drives successfully.
Requirements
- EDD has been tested on Windows XP and Windows Vista. It should run fine on Windows 2000/2003 Server but will NOT run on Windows 9x and prior.
- Testing with 64 bit Windows will be done soon.
- Disk and memory requirements are very minimal (approx. 40KB on disk and approx. 3MB of memory).
Screenshots
Screenshot 1: EDD run on a system with no encrypted volumes. The system has two physical drives, each containing one NTFS partition.
Screenshot 2: EDD run on a system with two physical drives. The first contains no encrypted volumes; the second is flagged as possibly containing an encrypted partition. In this case the second drive holds a TrueCrypt volume on a non-system/OS drive. TrueCrypt leaves no signature in the MBR but encrypts the entire partition, including its boot sector, which is why the OEM ID is garbled.
Screenshot 3: EDD run on a system with two physical drives. The first drive is the system/OS drive and is detected as a TrueCrypt encrypted volume (TrueCrypt's Whole Disk Encryption). The second drive (a non-system/OS drive) is again flagged as possibly containing an encrypted partition; as in the previous screenshot it holds a TrueCrypt volume, which leaves no MBR signature but encrypts the whole partition including the boot sector, so the OEM ID is garbled.
Screenshot 4: EDD run on a system with two physical drives, both of which contain a PGP® Whole Disk Encryption volume. PGP® always leaves a signature in the MBR when Whole Disk Encryption is used on one or more partitions of a drive (system/OS drive or not), which makes its presence easier to detect.
Screenshot 5: EDD run on a system with one physical drive. The first partition on the drive is detected as a Bitlocker® encrypted volume. No encryption is detected on the second partition, which is the boot partition created for use with Bitlocker® (commonly the "S:" drive).
Screenshot 6: EDD run on a system with one physical drive containing two partitions. EDD indicates that the "C:" drive is the 2nd partition on the drive (partition 1 has no assigned drive letter), and that the "D:" drive is a CD-ROM/DVD drive. Lastly, EDD advises that the "G:" drive appears to be a virtual drive and may be a mounted encrypted volume. In this case, drive "G:" is a mounted TrueCrypt container.
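The boot-sector heuristics described in "What it does" and in the screenshot notes (read the MBR partition table, read each partition's first sector, inspect the OEM ID, flag a garbled one) can be reproduced in a few dozen lines. The following Python script is an added example written for this page; it is not EDD's code and makes no claim about how EDD is implemented. It parses an MBR, reads each partition's boot sector, reports the OEM ID and (for FAT volumes, where the label lives in the boot sector) the Volume Label, recognises the "-FVE-FS-" OEM ID that Vista-era Bitlocker writes, and treats an unprintable OEM ID or a high-entropy first sector as "possibly encrypted", which is exactly the case of a TrueCrypt partition whose boot sector is ciphertext. The 6.0 bits/byte entropy threshold, the list of known OEM IDs and the sample disk image are assumptions constructed for the example; PGP's MBR signature is not matched because its exact bytes are not given on this page.

```python
"""Added example: MBR/boot-sector scan for disk-encryption indicators (not EDD's own code)."""
import hashlib
import math
import struct
import sys

SECTOR = 512
# OEM IDs that plaintext Windows/Linux filesystems commonly write at offset 3 of the boot sector
KNOWN_OEM_IDS = {b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1", b"EXFAT   ", b"mkfs.fat"}
BITLOCKER_OEM_ID = b"-FVE-FS-"          # OEM ID written to the first sector of a Bitlocker volume
ENTROPY_THRESHOLD = 6.0                 # assumption: plaintext boot sectors sit well below this

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext is close to 8, a normal boot sector (mostly zero padding) far lower."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_mbr(mbr: bytes):
    """Return the non-empty entries of the four-slot MBR partition table at offset 446."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)   # start LBA and sector count, little-endian
        if ptype != 0 and count != 0:
            parts.append({"index": i + 1, "type": ptype, "lba": lba, "sectors": count})
    return parts

def fat_volume_label(vbr: bytes):
    """FAT keeps the label in the boot sector: offset 43 for FAT12/16, offset 71 for FAT32."""
    if vbr[54:62] in (b"FAT12   ", b"FAT16   "):
        return vbr[43:54].decode("ascii", "replace").strip()
    if vbr[82:90] == b"FAT32   ":
        return vbr[71:82].decode("ascii", "replace").strip()
    return None          # NTFS keeps its label in $Volume, not in the boot sector

def classify_vbr(vbr: bytes) -> dict:
    oem = vbr[3:11]
    ent = shannon_entropy(vbr)
    r = {"oem_id": oem, "entropy": round(ent, 2), "label": fat_volume_label(vbr)}
    if oem == BITLOCKER_OEM_ID:
        r["verdict"] = "bitlocker"
    elif oem in KNOWN_OEM_IDS and vbr[510:512] == b"\x55\xaa" and ent < ENTROPY_THRESHOLD:
        r["verdict"] = "plaintext"
    elif not all(32 <= b < 127 for b in oem) or ent >= ENTROPY_THRESHOLD:
        r["verdict"] = "possibly-encrypted"       # garbled OEM ID or ciphertext-like sector
    else:
        r["verdict"] = "unknown"
    return r

def scan(read_sector):
    """read_sector(lba) -> 512 bytes. Returns one classification per MBR partition."""
    results = []
    for p in parse_mbr(read_sector(0)):
        r = classify_vbr(read_sector(p["lba"]))
        r.update(p)
        results.append(r)
    return results

def device_reader(path):
    """Raw device/image reader, e.g. r'\\\\.\\PhysicalDrive0' on Windows (needs Administrator)."""
    f = open(path, "rb")
    def read_sector(lba):
        f.seek(lba * SECTOR)
        return f.read(SECTOR)
    return read_sector

# ---- constructed sample image (assumption, for offline runs): four partitions on one drive ----
def _vbr(oem: bytes) -> bytearray:
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"                 # jump instruction found at the start of a VBR
    s[3:11] = oem
    struct.pack_into("<H", s, 11, SECTOR)    # bytes per sector
    s[510:512] = b"\x55\xaa"
    return s

def _pseudo_random(n: int, seed: bytes = b"edd-sample") -> bytes:
    out, h = b"", seed                       # deterministic stand-in for an encrypted boot sector
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

def build_sample_image() -> dict:
    fat = _vbr(b"MSWIN4.1")
    fat[71:82] = b"USBKEY     "
    fat[82:90] = b"FAT32   "
    layout = [(0x07, 2048, bytes(_vbr(b"NTFS    "))),     # plain NTFS
              (0x0C, 4096, bytes(fat)),                    # FAT32 with a volume label
              (0x07, 6144, bytes(_vbr(BITLOCKER_OEM_ID))), # Bitlocker volume
              (0x07, 8192, _pseudo_random(SECTOR))]        # TrueCrypt-style: entire partition is ciphertext
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, _) in enumerate(layout):
        struct.pack_into("<BBBBBBBBII", mbr, 446 + 16 * i, 0, 0, 0, 0, ptype, 0, 0, 0, lba, 2048)
    mbr[510:512] = b"\x55\xaa"
    image = {0: bytes(mbr)}
    image.update({lba: sector for _, lba, sector in layout})
    return image

def dict_reader(image: dict):
    return lambda lba: image.get(lba, bytes(SECTOR))

if __name__ == "__main__":
    reader = device_reader(sys.argv[1]) if len(sys.argv) > 1 else dict_reader(build_sample_image())
    for r in scan(reader):
        print(f"partition {r['index']} type 0x{r['type']:02x} lba {r['lba']:>8} "
              f"oem {r['oem_id']!r} label {r['label']!r} entropy {r['entropy']} -> {r['verdict']}")
```

Run without arguments to scan the constructed image, or pass a raw device or dd image path to scan a real drive (reading a physical drive requires Administrator on Windows and root on Linux). As with EDD, a "possibly-encrypted" verdict is only a prompt to investigate: a partition that was never formatted, or one using a filesystem whose OEM ID is not in the list, produces the same garbled-looking sector.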
Upcoming features
- Support for detecting additional encryption products
Licensing
EDD is currently free to use, or “Freeware”. It is not public domain, open source or free software and the author retains his copyright.
JADsoftware reserves the right to change these terms and/or make future versions non-freeware.
Download
Version History
May 2, 2009 – Initial release of Version 1.0.0.