CryptHunter detects mounted encrypted volumes and active full-disk encryption on running computer systems. The tool alerts responders and investigators to the need to execute a forensic collection of data from encrypted volumes before powering down systems and potentially losing access to evidence. The latest version of CryptHunter has been tested against 21 of the most common volume-based encryption applications and 8 full-disk encryption packages.
With the rising prevalence of encryption on computers, CryptHunter is designed to avert the unintentional loss of evidentiary data by alerting search team personnel to the presence of accessible encrypted containers for that data. As a quick screening tool, CryptHunter will warn when the traditional practice of pulling the plug on running computers will lead to losing access to encrypted data. This screening approach enables the allocation of technical resources to encrypted systems that merit special treatment and a different forensic collection process.