Device acquisition may not be the sexiest phase of digital forensics, but it has the most pitfalls and can result in catastrophic loss. If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine. Establishing an acquisition process is important, and a critical part of your process should be checking for the presence of full disk and volume-based encryption. Disk encryption is more prevalent than many believe; I am anecdotally seeing it in use on nearly thirty percent of the computers I encounter. If a system is running, the examiner often has a one-time shot to capture any mounted volumes in their decrypted state.
The inherent challenge is how to determine whether an encrypted disk or volume exists. From the perspective of the operating system, data on a mounted volume is available in unencrypted form: a separate abstraction layer encrypts write operations and decrypts data on read operations, so ordinary file access never reveals that the underlying storage is ciphertext. Thus, when encountering a live system, investigators are often left with ad-hoc tests to try to make a determination. They can look for telltale installed software, or particular icons present on the system, but there are few reliable ways to get a confident answer whether encryption does or does not exist.
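One check that is more dependable than looking for icons or installed software is to read the raw volume header beneath the filesystem layer: the encryption layer hides the ciphertext from file-level reads, but the first sectors of the underlying device still carry the container's own metadata. The script below is an added example written for this page, not code from the article or any tool it describes. It looks for two header signatures that are publicly documented (the BitLocker OEM ID `-FVE-FS-` at byte offset 3 of the volume boot sector, and the LUKS magic `LUKS\xba\xbe` at offset 0) and, for containers designed to have no visible signature, falls back to a byte-entropy heuristic over the first 4096 bytes. The signature table, the 7.5-bit entropy threshold and the `_sample_*` headers are assumptions constructed for the demonstration; it deliberately goes beyond the Windows case the text has in mind by covering a Linux format and the signature-less case as well.

```python
"""Raw-header check for common full-volume encryption formats.

Added example for this article (not the author's or any product's code).
Reads the first bytes of a raw device or image and classifies them as:
  - "BitLocker"  : OEM ID b"-FVE-FS-" at byte offset 3 of the boot sector
  - "LUKS"       : magic b"LUKS\xba\xbe" at offset 0 of the header
  - "possibly encrypted (high entropy)" : no known signature, but the
    header bytes are statistically indistinguishable from random data,
    which is what signature-less containers look like on disk
  - "no signature" : anything else (e.g. an ordinary NTFS boot sector)
"""
import math
import random
import sys
from collections import Counter

# Assumed signature table: (name, byte offset, magic bytes)
SIGNATURES = [
    ("BitLocker", 3, b"-FVE-FS-"),
    ("LUKS", 0, b"LUKS\xba\xbe"),
]

ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the maximum (assumed cut-off)
HEADER_BYTES = 4096       # how much of the device/image to inspect


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_header(header: bytes) -> str:
    """Classify a raw volume header using signatures first, entropy second."""
    for name, offset, magic in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name
    # Fallback: a genuine boot sector is full of zero padding and boot code,
    # so its entropy is low; an encrypted header is close to 8 bits/byte.
    if len(header) >= 512 and shannon_entropy(header) > ENTROPY_THRESHOLD:
        return "possibly encrypted (high entropy)"
    return "no signature"


def check_volume(path: str) -> str:
    """Classify the device or image file at `path` (needs read access)."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(HEADER_BYTES))


# --- Constructed sample headers so the example runs offline ---------------
def _sample_bitlocker() -> bytes:
    # Jump instruction, BitLocker OEM ID, then zero padding to one sector
    return b"\xeb\x58\x90" + b"-FVE-FS-" + b"\x00" * 501


def _sample_luks() -> bytes:
    # LUKS magic followed by a version field and zero padding
    return b"LUKS\xba\xbe" + b"\x00\x01" + b"\x00" * 504


def _sample_ntfs() -> bytes:
    # Plain NTFS boot sector start: jump, "NTFS    " OEM ID, zero padding
    return b"\xeb\x52\x90" + b"NTFS    " + b"\x00" * 501


def _sample_high_entropy() -> bytes:
    # Deterministic pseudo-random bytes standing in for a signature-less
    # container header (constructed, not captured from a real volume)
    return random.Random(1234).randbytes(HEADER_BYTES)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(check_volume(sys.argv[1]))
    else:
        for label, sample in [("bitlocker", _sample_bitlocker()),
                              ("luks", _sample_luks()),
                              ("ntfs", _sample_ntfs()),
                              ("random", _sample_high_entropy())]:
            print(f"{label:10s} -> {classify_header(sample)}")
```

Run it against a raw device or a forensic image to get one of the four labels. Two caveats matter in practice: on a live system the check must target the physical device, not the mounted logical volume, because the mounted view is exactly the decrypted abstraction the text describes; and the entropy fallback only raises a suspicion, since a freshly wiped or compressed region can also score high, so treat it as a prompt to capture the mounted volumes while they are still accessible rather than as proof.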