Magnet EDD (Encrypted Disk Detector)
Magnet Encrypted Disk Detector (EDD) is a free, specialized tool from the forensic software company Magnet Forensics. Its sole purpose is to quickly scan a system for the presence of encrypted volumes created by common full-disk or volume encryption software.
Detection Scope: It is designed to detect various encryption types, including:
BitLocker (Microsoft's native Windows encryption)
TrueCrypt (legacy, but volumes still exist)
VeraCrypt (popular open-source successor to TrueCrypt)
Potentially others depending on the version and underlying detection methods.
Supported File Systems: Capable of scanning drives formatted with NTFS, exFAT, and FAT32.
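The formats in the detection scope differ in how detectable they are on disk, and the Python below illustrates why. It is an added example, not Magnet EDD's code and not a description of EDD's internal method. The names classify_sector, make_sector and pseudo_random_sector, the 7.0 entropy threshold and the sample sectors are all assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import Counter

# Plaintext OEM IDs stored at bytes 3..10 of a volume's first sector.
OEM_IDS = {
    b"-FVE-FS-": "BitLocker",
    b"NTFS    ": "NTFS",
    b"EXFAT   ": "exFAT",
}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_sector(sector: bytes, threshold: float = 7.0) -> str:
    """Classify the raw first 512 bytes of a volume or container file."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    sector = sector[:512]
    oem = sector[3:11]
    if oem in OEM_IDS:
        return OEM_IDS[oem]
    if sector[82:90] == b"FAT32   ":  # FAT32 keeps its type string at offset 82
        return "FAT32"
    # TrueCrypt/VeraCrypt headers are encrypted, so there is no magic value to
    # match; only the random-looking content is observable. Compressed or
    # otherwise encrypted data scores the same, so this is a lead, not proof.
    if shannon_entropy(sector) >= threshold:
        return "no signature, high entropy (possible TrueCrypt/VeraCrypt)"
    return "unknown"

def make_sector(prefix: bytes) -> bytes:
    """Constructed sample: prefix padded with zeros to one sector."""
    return prefix.ljust(512, b"\x00")

def pseudo_random_sector() -> bytes:
    """Constructed stand-in for an encrypted header (deterministic bytes)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    print(classify_sector(make_sector(b"\xeb\x58\x90-FVE-FS-")))
    print(classify_sector(make_sector(b"\xeb\x52\x90NTFS    ")))
    print(classify_sector(pseudo_random_sector()))
```
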
Operation: It's a simple, standalone executable, often run from an administrative command prompt. Using a /batch switch can automate the scan and output results without user interaction.
Purpose in ScreenSharing: Its primary function during a screenshare is to identify if the user has encrypted drives, partitions, or virtual disk containers present on their system. Encrypted volumes are, by design, inaccessible without the correct password, key file, or recovery key. Therefore, they represent potential hiding places where cheats, tools, sensitive data, or any other incriminating files could be stored, completely shielded from inspection during a standard screenshare unless the user voluntarily decrypts the volume.
Interpreting Results: Magnet EDD doesn't detect cheats directly. Instead, it flags potential areas of concealment. Discovering an active, mounted encrypted volume (especially one the user doesn't readily disclose or decrypt upon request) during a screenshare raises significant suspicion, as it represents a location inaccessible to the ScreenSharer where evidence could be hidden. Server policies often address how to handle the discovery of encrypted volumes during checks.