Encrypted Disk Detector is a command-line tool that can quickly, and non-intrusively, check for encrypted volumes on a computer system during incident response.
The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.
It checks the local physical drives on a system for TrueCrypt, PGP or BitLocker encrypted volumes. If no disk encryption isgnatures are found in the MBR, EDD also displays the OEM ID and, where applicable, the Volume Label for partitions on that drive, checking for BitLocker volumes.
Currently, Encrypted Disk Detector detects TrueCrypt, PGP®, Safeboot, and Bitlocker® encrypted volumes, and we’re adding to this list with each new release.