Listen to this Post

Introduction:
In live incident response and digital forensics, identifying encrypted volumes without mounting or cracking them is a critical first step. Elcomsoft Encrypted Disk Hunter is a free, portable command-line tool that scans a running Windows system for the presence of encrypted disk containers—including TrueCrypt, VeraCrypt, BitLocker, PGP WDE, FileVault2, BestCrypt, and LUKS1—using low-level disk access. This article provides a hands-on guide to deploying the tool, interpreting its output, and integrating it into a broader forensic workflow, complete with verified commands and hardening tips.
Learning Objectives:
- Deploy and execute Elcomsoft Encrypted Disk Hunter on a live Windows system with administrative privileges.
- Identify and differentiate between encrypted volume types (BitLocker, VeraCrypt, LUKS1, etc.) based on tool output.
- Apply complementary Linux and Windows commands to verify disk encryption status and mitigate anti-forensic evasion techniques.
You Should Know:
- Installing and Running Elcomsoft Encrypted Disk Hunter on Windows
This tool requires no installation—it is a single executable (edh.exe). However, it must be run from an elevated command prompt to access raw disk handles and physical memory.
Step‑by‑step guide:
- Download the tool from Elcomsoft’s official website (freeware section). Verify the hash if available.
- Extract the ZIP archive to a known location, e.g.,
C:\Forensics\EDH. - Open Command Prompt as Administrator (right‑click → Run as administrator).
4. Navigate to the tool’s folder:
cd /d C:\Forensics\EDH
5. Run the basic scan:
edh.exe --scan
– The tool will enumerate all physical drives (HDD, SSD, USB) and logical volumes.
– For each volume, it checks header signatures and entropy patterns.
6. Output includes lines like:
[bash] [Partition 2] BitLocker (detected) [bash] [Partition 1] TrueCrypt/VeraCrypt (possible)
7. For verbose mode (showing skipped sectors):
edh.exe --scan --verbose
What this does: It reads the first few sectors of each partition without mounting the filesystem, looking for known encryption headers (e.g., VeraCrypt’s bootloader, BitLocker’s FVE metadata). Administrative rights are mandatory because Windows restricts raw disk access to privileged processes.
2. Detecting BitLocker and TrueCrypt/VeraCrypt Volumes
BitLocker-encrypted drives are common in enterprise environments, while TrueCrypt/VeraCrypt containers appear on personal workstations. The tool distinguishes them by their unique signatures.
Step‑by‑step guide:
- Run EDH and filter results for specific types:
edh.exe --scan | findstr /i "bitlocker veracrypt truecrypt"
- To verify a suspected BitLocker volume manually with native Windows tools:
manage-bde -status C:
This shows encryption percentage, protection status, and key protectors.
- For TrueCrypt/VeraCrypt, use the `veracrypt` command (if installed) to test a container file without mounting:
veracrypt --text --test /path/to/container.tc
- Pro tip: Attackers sometimes rename `.tc` or `.hc` files. EDH scans raw partitions, so even renamed containers are detected if they reside on a mounted volume as a file. To force detection of file‑based containers, use:
edh.exe --scan --scan-files D:\
This walks directories and checks common container extensions.
What this does: The `–scan-files` flag extends detection from partitions to regular files, making it useful for locating hidden containers on USB drives or network shares.
3. Analyzing LUKS1 Encrypted Disks (Linux Verification)
Elcomsoft Encrypted Disk Hunter currently supports LUKS1 only, not LUKS2. When a LUKS-encrypted drive is connected to a Windows machine (e.g., via USB), the tool reports it as “LUKS1”. To cross‑validate, boot a Linux live USB and use native cryptsetup.
Step‑by‑step guide:
- After EDH identifies a drive (e.g.,
\\.\PhysicalDrive2), note its offset. - Boot into a Linux environment (Ubuntu live CD) and identify the same disk:
sudo fdisk -l
3. Check for LUKS header:
sudo cryptsetup isLuks /dev/sdb1
– Returns exit code 0 if LUKS1 or LUKS2.
4. Dump LUKS header version:
sudo cryptsetup luksDump /dev/sdb1 | grep Version
5. If EDH missed a LUKS2 volume, you can attempt manual hexdump:
sudo xxd -l 512 /dev/sdb1 | grep "LUKS"
– LUKS2 signature is LUKS\xba\xbe; LUKS1 is `LUKS\xba\xbe` as well but with different offsets.
What this does: These commands verify EDH’s detection accuracy and help differentiate LUKS1 from LUKS2. In a forensic investigation, false negatives on LUKS2 are a known limitation—always supplement with Linux tools.
4. Handling FileVault2 and PGP WDE on Windows
FileVault2 (macOS) and PGP Whole Disk Encryption are rarely seen on Windows‑native computers, but they appear when a macOS drive is attached externally or a PGP‑encrypted Windows disk is present. EDH covers these cases.
Step‑by‑step guide:
- To scan specifically for FileVault2:
edh.exe --scan --type filevault2
- PGP WDE detection is automatic. If found, the tool outputs the volume’s GUID.
- To manually inspect a suspicious drive for Apple Core Storage (the underlying FileVault2 structure) using Windows PowerShell (requires administrative rights):
Get-Disk | Where-Object OperationalStatus -eq 'Foreign' | Get-Partition | Get-Volume
- Foreign disks often contain non‑Windows filesystems (HFS+ or APFS).
- For deeper analysis, boot from Elcomsoft System Recovery (mentioned in the original post) – a bootable USB that bypasses the host OS to scan memory and disks.
What this does: The recovery environment runs a minimal Windows PE or Linux, ensuring that even kernel‑mode rootkits cannot hide encrypted volumes. This is essential when the live OS is compromised.
5. Advanced Usage: Scripting Automated Disk Hunting
For enterprise incident response, you can script EDH to run across multiple machines via remote PowerShell or a startup script.
Step‑by‑step guide:
1. Create a batch script `disk_hunt.cmd`:
@echo off set LOGFILE=%COMPUTERNAME%_encrypt_scan.log edh.exe --scan --quiet > %LOGFILE% if %errorlevel% neq 0 ( echo ERROR: EDH failed on %COMPUTERNAME% >> %LOGFILE% )
2. Deploy using PsExec (Sysinternals):
psexec \remotePC -s -d cmd /c "C:\EDH\disk_hunt.cmd"
3. Collect logs centrally (e.g., to a network share):
copy %LOGFILE% \forensics-server\EDH_Logs\
4. To automate detection of “suspicious” patterns (e.g., large files with high entropy), combine EDH with `findstr` and Windows Task Scheduler.
What this does: This turns a manual forensic tool into a continuous monitoring solution. It can alert defenders to new encrypted volumes appearing on workstations (e.g., a USB drive with VeraCrypt used to exfiltrate data).
6. Mitigation and Counter‑Forensics: How Attackers Evade Detection
Understanding EDH’s limitations helps both blue and red teams. The tool relies on header signatures; if an encrypted volume is hidden inside a steganographic container or uses custom headers, EDH will miss it.
Step‑by‑step guide for evasion (educational use only):
- On Linux, create a LUKS2 container (undetected by current EDH):
dd if=/dev/zero of=hidden.img bs=1M count=100 sudo cryptsetup luksFormat --type luks2 hidden.img
- Embed the LUKS2 container inside a legitimate file (e.g., a JPEG):
cat hidden.img >> innocent.jpg
- On Windows, an attacker could use “hidden volumes” within VeraCrypt (deniability feature). EDH detects the outer header but cannot prove the existence of a hidden inner volume.
- To defend against such evasion:
- Use memory forensics (e.g., Volatility) to detect mounted encryption tools.
- Monitor for
cryptsetup,veracrypt.exe, or `bitlocker` process execution via Sysmon Event ID 1.
What this does: These commands illustrate that no single tool provides complete coverage. A robust incident response program combines disk scanning with memory analysis and EDR logs.
7. Cloud and Virtual Environment Considerations
When analyzing VMs (VMware, Hyper‑V), encrypted virtual disks behave differently. EDH sees them as standard physical drives if the hypervisor passes raw disk access.
Step‑by‑step guide:
- In a Windows VM with a virtual TPM, BitLocker can be enabled. Run EDH inside the guest OS:
edh.exe --scan
- To scan the host’s physical disks from a VM (for forensic labs), configure the VM to pass through a physical disk:
- VMware: Add a “Physical Hard Disk” with “Use entire disk”.
- Hyper‑V: Use “Pass‑through disk”.
- For cloud instances (AWS, Azure), encrypted EBS volumes or managed disks appear as unencrypted to the guest OS. EDH will not detect them because the encryption happens at the hypervisor level. Use cloud provider APIs instead:
AWS CLI aws ec2 describe-volumes --query "Volumes[?Encrypted==<code>true</code>]"
What this does: This clarifies the scope of disk‑level detection. In IaaS environments, the guest OS never sees the encrypted raw disk—only the decrypted block device. Therefore, forensic analysts must rely on cloud audit logs, not local tools.
What Undercode Say:
- Key Takeaway 1: Elcomsoft Encrypted Disk Hunter is a lightweight, free utility that fills a niche—quickly discovering encrypted volumes during live Windows triage. Its strength lies in detecting multiple encryption types without mounting or cracking.
- Key Takeaway 2: The tool’s current limitation (no LUKS2 support) and dependence on administrative rights mean it must be paired with other methods: Linux `cryptsetup` for verification, memory forensics for hidden containers, and cloud APIs for infrastructure‑as‑a‑service encryption.
- Analysis: In modern breaches, attackers increasingly use full‑disk encryption to evade content‑based detection. Tools like EDH empower defenders to at least identify the presence of such volumes, enabling targeted requests for decryption keys or legal orders. However, the rise of deniable encryption (e.g., VeraCrypt hidden volumes) and LUKS2 adoption will require continuous updates. For blue teams, integrate EDH into a “first response” USB toolkit alongside Sysinternals and volatility. For red teams, understand that EDH is a canary—if you leave default encryption headers, you will be found.
Prediction:
As encryption becomes ubiquitous (Windows 11 default BitLocker, macOS FileVault always‑on), the ability to detect rather than break encryption will become a standard compliance checkbox for incident responders. Within two years, we expect Microsoft to natively expose disk encryption status via Defender for Endpoint, making third‑party hunters like EDH less critical for BitLocker but still essential for cross‑platform (LUKS, VeraCrypt) and offline scenarios. Simultaneously, anti‑forensic tools will shift to using LUKS2 and custom headerless encryption, forcing forensic tools to adopt entropy‑based heuristics instead of signature matching. The cat‑and‑mouse game will intensify, but for now, EDH remains a valuable free asset in every analyst’s bag.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Syed Muneeb – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


