Elcomsoft Encrypted Disk Hunter discovers encrypted disk volumes on live systems

Elcomsoft expands its range of forensic products with a new portable tool. Elcomsoft Encrypted Disk Hunter is a free command-line tool to help experts quickly discover the presence of encrypted volumes when performing live system analysis. TrueCrypt/VeraCrypt, BitLocker, PGP WDE, FileVault2, and LUKS are supported.

Elcomsoft Encrypted Disk Hunter is designed to help examiners and law enforcement specialists working in the field by quickly revealing if one or more encrypted volumes are present in the system. The free, portable command-line tool supports all major full-disk encryption tools including TrueCrypt/VeraCrypt, all versions of Microsoft BitLocker, PGP WDE, FileVault2, as well as LUKS, thus supporting Windows, macOS and Linux full-disk encryption tools.

If an encrypted volume is detected, or if the tool discovers a loaded driver belonging to a full-disk encryption tool, further investigation of the live system might be needed to preserve evidence that could be lost if the computer were powered off.

Elcomsoft Encrypted Disk Hunter checks the system’s attached storage devices for TrueCrypt/VeraCrypt, BitLocker, PGP WDE, FileVault2, and LUKS volumes. If one or more encrypted volumes are detected, the tool lists the encrypted disks. In addition, the tool checks if any of the encrypted volumes are currently mounted.

If no obvious signs of disk encryption are found, Encrypted Disk Hunter checks the driver chain for TrueCrypt, VeraCrypt and PGP WDE drivers. If a full-disk encryption driver is recognized, the tool will report that an encrypted volume might have been used in the system, even if not currently mounted or attached.
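The kind of volume check described above can be illustrated with a short Python sketch. This is an added example, not Elcomsoft's code, and it does not claim to reproduce how Encrypted Disk Hunter works: it matches the publicly documented BitLocker and LUKS header signatures and, as an assumed heuristic, flags a random-looking first sector as possible TrueCrypt/VeraCrypt; the function names, threshold and sample sectors are constructed for illustration.

```python
import math

BITLOCKER_SIG = b"-FVE-FS-"   # OEM ID at offset 3 of a BitLocker boot sector
LUKS_MAGIC = b"LUKS\xba\xbe"  # first six bytes of a LUKS1/LUKS2 header

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; approaches 8.0 for random-looking data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_volume_start(buf: bytes, threshold: float = 7.0) -> str:
    """Classify the first sector of a volume or image (at least 512 bytes)."""
    if buf[3:11] == BITLOCKER_SIG:
        return "BitLocker"
    if buf[:6] == LUKS_MAGIC:
        version = int.from_bytes(buf[6:8], "big")  # 16-bit big-endian version
        return f"LUKS{version}" if version in (1, 2) else "LUKS (unknown version)"
    # TrueCrypt/VeraCrypt headers are encrypted and carry no plaintext magic,
    # so the only hint is a sector that looks random (assumed heuristic).
    if len(buf) >= 512 and shannon_entropy(buf[:512]) >= threshold:
        return "high entropy, possibly headerless encryption"
    return "no encryption signature"

# Constructed sample sectors (not taken from real disks).
SAMPLES = {
    "bitlocker": (b"\xeb\x58\x90" + BITLOCKER_SIG).ljust(512, b"\x00"),
    "luks2": (LUKS_MAGIC + b"\x00\x02").ljust(512, b"\x00"),
    "ntfs": b"\xeb\x52\x90NTFS    ".ljust(512, b"\x00"),
    "random_like": bytes(range(256)) * 2,
}

def scan_samples() -> dict:
    return {name: classify_volume_start(buf) for name, buf in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```

The entropy result is only a lead for further examination, since compressed or wiped data can look equally random.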

The new tool is distributed free of charge. Encrypted Disk Hunter is available as a portable command-line tool. The tool must be launched with administrative privileges, and runs on 32-bit and 64-bit versions of Windows 7 through Windows 10, including Server editions.
