Encrypted Disk Detector (EDD) is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP®, or Bitlocker® encrypted volumes. If no disk encryption signatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the Volume Label for partitions on that drive, checking for Bitlocker® volumes.
How investigators use EDD
EDD is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.
Supported Encrypted Volumes
Currently, EDD detects TrueCrypt, PGP®, Safeboot, and Bitlocker® encrypted volumes, and we’re adding to this list with each new release. EDD is available for download now — completely free of charge.