Encrypted Disk Detector: What does it do?
Encrypted Disk Detector (v2 released 04/22/2013) is a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system during incident response.
The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.
Encrypted Disk Detector checks the local physical drives on a system for TrueCrypt, PGP®, or Bitlocker® encrypted volumes. If no disk encryption signatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the Volume Label for partitions on that drive, checking for Bitlocker® volumes.
Supported Encrypted Volumes
- Currently, Encrypted Disk Detector detects TrueCrypt, PGP®, Safeboot, and Bitlocker® encrypted volumes, and we’re adding to this list with each new release.