Notifications
Clear all

WinHex and DDPE

3 Posts
2 Users
1 Likes
1,205 Views
(@krose4657)
Posts: 3
New Member
Topic starter
 

Good morning,

I am currently working a forensics case for a client involving a laptop that uses DDPE (Dell Data Protection Encryption). I created the forensic analysis image and loaded it into WinHex, however, WinHex is displaying the main partition as encrypted with BitLocker. Is it possible that WinHex is confusing DDPE with BL? My client assures me that DDPE is their solution, not BL.

 
Posted : 02/05/2022 2:29 pm
(@c-r-s)
Posts: 170
Estimable Member
 

Hi,

There are very few trusted FDE implementations, and OEM integration of one of the standalone products would add arround $100 per device. Therefore, anything that is branded by a hardware manufacturer is most likely just an authentication or management extension to either MS Bitlocker or hardware encryption of the integrated storage device.

If you look at the partition and it starts with EB58902D4656452D46532D - probably what is also matched by WinHex - I don't see a reason not to process it as Bitlocker.

 
Posted : 03/05/2022 4:55 pm
krose4657 reacted
(@krose4657)
Posts: 3
New Member
Topic starter
 

Thank you for this information. After reviewing the volume header, I found it has the BitLocker volume hex signature you have provided. I was able to move forward processing as BitLocker.

 
Posted : 04/05/2022 4:30 pm
Share: