Encrypted Disk Detector (EDD) is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP or BitLocker encrypted volumes. If no disk encryption signatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the Volume Label for partitions on that drive, checking for BitLocker volumes.
EDD is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The responder can then decide whether to investigate further and whether a live acquisition is needed to secure and preserve evidence that would otherwise be lost if the plug were pulled.
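The OEM ID and Volume Label lookup described above, as an added Python example that is not EDD's own code. It assumes a raw disk image with an MBR partition table, relies on the OEM ID `-FVE-FS-` that BitLocker writes to a volume boot sector, and uses illustrative function names and a constructed four-sector image.

```python
import struct

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"  # OEM ID at offset 3 of a BitLocker volume boot sector

def parse_mbr(mbr):
    """Return (type, start_lba) for each used entry in the MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(4):                      # four 16-byte entries at offset 446
        ptype = mbr[446 + 16 * i + 4]
        start, count = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
        if ptype and count:                 # skip empty slots
            parts.append((ptype, start))
    return parts

def describe_vbr(vbr):
    """Read the OEM ID and, for FAT volumes, the label from a volume boot sector."""
    oem, label = bytes(vbr[3:11]), b""
    if vbr[82:87] == b"FAT32":              # FAT32 keeps its label at offset 71
        label = bytes(vbr[71:82])
    elif vbr[54:57] == b"FAT":              # FAT12/16 keep it at offset 43
        label = bytes(vbr[43:54])
    return {"oem_id": oem.decode("ascii", "replace").rstrip(),
            "label": label.decode("ascii", "replace").rstrip() or None,
            "bitlocker": oem == BITLOCKER_OEM}

def scan_image(image):
    """Describe the boot sector of every partition listed in the image's MBR."""
    return [dict(describe_vbr(image[lba * SECTOR:(lba + 1) * SECTOR]), type=ptype, start_lba=lba)
            for ptype, lba in parse_mbr(image[:SECTOR])]

def build_sample_image():
    """Constructed sample: MBR plus one FAT16 and one BitLocker boot sector."""
    def vbr(oem, label=None):
        s = bytearray(SECTOR)
        s[3:11], s[510:512] = oem, b"\x55\xaa"
        if label:
            s[43:54], s[54:62] = label.ljust(11), b"FAT16   "
        return s
    img = bytearray(SECTOR * 4)
    for i, (ptype, lba) in enumerate([(0x06, 1), (0x07, 2)]):
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, 0, ptype, lba, 1)
    img[510:512] = b"\x55\xaa"
    img[SECTOR:3 * SECTOR] = vbr(b"MSDOS5.0", b"EVIDENCE") + vbr(BITLOCKER_OEM)
    return bytes(img)

if __name__ == "__main__":
    print(scan_image(build_sample_image()))
```

The sketch reads only the four primary MBR entries; logical volumes inside extended partitions and the TrueCrypt and PGP checks are outside its scope.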
Version 1.1.0 details:
- EDD now also checks mounted logical volumes and attempts to determine if they are encrypted TrueCrypt or PGP volumes. A 100% determination cannot be made, but an alert is provided to the user, who can then investigate further.
- EDD is now included as part of Microsoft COFEE.
- EDD has been tested on Windows XP and Windows Vista. It should run fine on Windows 2000/2003 Server but will NOT run on Windows 9x and prior.
- Testing with 64-bit Windows will be done soon.
- Disk and memory requirements are minimal (40KB and approx. 3MB, respectively).