Can you tell if a drive is encrypted

PCS

I'm a tech with a small UK IT firm. We have a customer that had decided to have all their laptop HDD encrypted, which other people in my firm did. A few days ago I was given one of their laptops to rebuild. I followed the normal steps I do to back up and then wiped and reloaded the OS. Came to restore data, could mount image but not see any files?

Checked image integrity, all OK, still can't see data. Restored image to an ext drive, could see partitions, no free space but no data.

Was about to throw in the towel and say image was bad and data gone, and from now on I will mount every image before wiping PC, as I've not had a bad image in a long time and will just have to spend 5 mins more on every job.

Then someone remembered about drive encryption and I had to restore the image to the laptop, start over again backing up data using Comodo backup - file and folder copying. Still going after 4 hours when I went home. So far I spent about 3 days on this and now got to start over, but a little wiser.

So the question is if I got a PC/laptop in either from a new customer or a customer that was tech savvy and encrypted their own drive is there a way to tell before I spend 3 hours making an image (that's how long it took the first image to complete) and then find out the image didn't work. I know I could ask but I don't always pick up the equipment and if the encryption was done by the previous IT co, the end user may not know.
 

Boot the machine from your favorite flavor of *nix. If you can browse the drive contents it's not encrypted. If you cannot then it is encrypted. This assumes, of course, the machine boots to a normal OS.

Also, every Full Disk Encryption product I have used has a power up password to access the drive. If it is not FDE but has file/folder encryption then there has to be some encryption app installed. So browse the Apps folder.
 
We typically look at the sectors on the drive. Depending on type of encryption, it may be obvious to "see" encrypted sectors. Sometimes encryption starts after a first small partition, so it's best to check the first sector of the second partition and see if partition start contains normal looking characters or not. The more you are familiar with "normal" looking sectors, the easier it will be to identify encryption. Also, some encryption, like SafeBoot, specifically mentions itself (usually in the first sector of the drive).

Here is an example of obvious encryption (first sector, Western Digital encryption; note lines 1C0-1E0):

[Image: donor pcb sectors 1-2.jpg]


Here is an example of unencrypted first sector but encryption on others (this happens when someone removes encrypted WD drive from enclosure and "initialized" drive on Mac):

[Image: no pcb sectors 1-2.jpg]
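The sector check described in the reply above can be scripted so it runs before a multi-hour image job; this is an added example, not code from any poster in the thread. It assumes a raw, MBR-partitioned disk read as bytes, uses the well-known BitLocker, LUKS, NTFS and FAT32 header strings, and treats the 7.0 bits/byte entropy threshold as an assumption (compressed data also scores high, so a hit is a prompt to look closer, not proof).

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
# (offset in the volume's first sector, magic bytes, verdict)
SIGNATURES = [
    (3, b"-FVE-FS-", "BitLocker volume"),
    (0, b"LUKS\xba\xbe", "LUKS header"),
    (3, b"NTFS    ", "NTFS (plaintext)"),
    (0x52, b"FAT32   ", "FAT32 (plaintext)"),
]

def entropy(data):
    """Shannon entropy in bits per byte (8.0 = looks fully random)."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify(sector):
    """Name a known header, otherwise fall back to an entropy guess."""
    for off, magic, label in SIGNATURES:
        if sector[off:off + len(magic)] == magic:
            return label
    if entropy(sector) > 7.0:  # assumed threshold for a 512-byte sample
        return "no signature, high entropy: likely encrypted"
    return "no signature, low entropy: inspect manually"

def parse_mbr(sector0):
    """Return start LBAs of the non-empty MBR partition entries."""
    if sector0[510:512] != b"\x55\xaa":
        return []
    entries = [sector0[446 + 16 * i:462 + 16 * i] for i in range(4)]
    return [struct.unpack_from("<I", e, 8)[0] for e in entries if e[4]]

def triage(disk):
    """(start LBA, verdict) for the first sector of each partition in a raw image."""
    return [(lba, classify(disk[lba * SECTOR:(lba + 1) * SECTOR]))
            for lba in parse_mbr(disk[:SECTOR])]

def sample_disk():
    """Constructed 4-sector image: MBR, NTFS boot sector, empty gap, random-looking sector."""
    mbr = bytearray(SECTOR)
    for i, lba in enumerate([1, 3]):
        # status, 3 CHS bytes, type 0x07, 3 CHS bytes, start LBA, sector count
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0, 0x07, lba, 1)
    mbr[510:512] = b"\x55\xaa"
    ntfs = b"\xeb\x52\x90NTFS    " + bytes(499) + b"\x55\xaa"
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    return bytes(mbr) + ntfs + bytes(SECTOR) + noise
```

On a real job, pass `triage()` the first few megabytes read from the disk or from the image file instead of `sample_disk()`.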
 