Notifications
Clear all

WinHex and DDPE

krose4657
(@krose4657)
New Member

Good morning,

I am currently working a forensics case for a client involving a laptop that uses DDPE (Dell Data Protection Encryption). I created the forensic analysis image and loaded it into WinHex, however, WinHex is displaying the main partition as encrypted with BitLocker. Is it possible that WinHex is confusing DDPE with BL? My client assures me that DDPE is their solution, not BL.

Quote
Topic starter Posted : 02/05/2022 3:29 pm
C.R.S.
(@c-r-s)
Active Member

Hi,

There are very few trusted FDE implementations, and OEM integration of one of the standalone products would add arround $100 per device. Therefore, anything that is branded by a hardware manufacturer is most likely just an authentication or management extension to either MS Bitlocker or hardware encryption of the integrated storage device.

If you look at the partition and it starts with EB58902D4656452D46532D - probably what is also matched by WinHex - I don't see a reason not to process it as Bitlocker.

ReplyQuote
Posted : 03/05/2022 5:55 pm
krose4657 liked
krose4657
(@krose4657)
New Member

Thank you for this information. After reviewing the volume header, I found it has the BitLocker volume hex signature you have provided. I was able to move forward processing as BitLocker.

ReplyQuote
Topic starter Posted : 04/05/2022 5:30 pm
Share:
Share to...