Artifacts of wiping

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Is the change journal enabled by default in NTFS? Will it also keep a record if the entire hard disk was overwritten?

That's not the right question.

The USN change journal is enabled by default on Windows 7, for example, but not on XP, even when both of them use the NTFS file system.


   
(@datendrache)
Active Member
Joined: 19 years ago
Posts: 6
 

I didn't see this answer yet, so here's a possibility

0x57 = 01010111

It may have been the final pattern of a series of bit patterns used for wiping data securely, i.e.:

00010101
01011000
11101010
01010111

Although it would make sense to simply have alternating patterns (01010101, 10101010), at least two of the wipe tools I've used in the (distant) past also accounted for media drift using longer series of 1111 patterns as well as ending by picking a random non-00, non-FF number to satisfy an older (probably obsoleted) specification stating that the data wasn't officially wiped until overwritten with non-sensitive data.

If the wiping was intentional, then they might have used a tool that was serious about it.

Did you check slack space? If those are also cleared out, there is essentially no doubt at all they used a professional wiping tool.

Eric


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I didn't see this answer yet, so here's a possibility

There can be many possibilities (even an adequate number of monkeys pressing the "W" key ;) may be one), but if the drive has been encrypted with BitLocker (as the OP stated) and the BitLocker encrypting process does write "W"s on unallocated space (as found out by HexDrugsRockNRoll and as confirmed by the given MS TechNet blog) I still find it a much more probable possibility.

jaclaz
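
An added example, not part of any post in this thread: a Python scan of a raw image for runs of sectors filled with one repeated byte, totalled per fill value so that 0x57 ("W") regions can be compared with 0x00 or 0xFF fills. The 512-byte sector size, the function names and the in-memory sample image are assumptions constructed for the illustration.

```python
from collections import Counter
from itertools import groupby

SECTOR = 512  # assumed sector size for the constructed image below


def sector_fill(sector: bytes):
    """Return the byte value if the sector is one repeated byte, else None."""
    if sector and sector.count(sector[0]) == len(sector):
        return sector[0]
    return None


def uniform_runs(image: bytes, sector_size: int = SECTOR):
    """Return (first_sector, sector_count, fill_byte) for each run of
    consecutive sectors that are all filled with the same single byte."""
    fills = [sector_fill(image[off:off + sector_size])
             for off in range(0, len(image), sector_size)]
    runs, index = [], 0
    for fill, group in groupby(fills):
        length = len(list(group))
        if fill is not None:          # 0x00 is a valid fill, so test for None
            runs.append((index, length, fill))
        index += length
    return runs


def fill_histogram(runs):
    """Total sectors per fill byte across all runs."""
    totals = Counter()
    for _, count, fill in runs:
        totals[fill] += count
    return dict(totals)


def build_sample_image() -> bytes:
    """Constructed test data, not taken from any real disk."""
    live = bytes(range(256)) * 2            # one sector of non-uniform data
    return (live * 2                        # sectors 0-1: file content
            + b"\x57" * SECTOR * 5          # sectors 2-6: 'W' fill
            + live                          # sector 7: file content
            + b"\x00" * SECTOR * 3          # sectors 8-10: zero fill
            + b"\x57" * SECTOR * 4)         # sectors 11-14: 'W' fill


if __name__ == "__main__":
    for first, count, fill in uniform_runs(build_sample_image()):
        print(f"sector {first:>4} +{count:<4} fill 0x{fill:02X} ({chr(fill)!r})")
```

Mapping the reported sector ranges to allocated, unallocated or slack areas still requires the file system's own metadata; the scan only shows where single-byte fills are and which byte was used.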


   