I wonder if there is a way to check WHEN a system drive was encrypted. Someone told me that you can check the date when the bootloader was created, and therefore the date when the drive was encrypted. My question is (if it's true) HOW can I check that date? What software should I use? Please, help.
Last edit: Oscar Sikorsky 2019-05-11
Run a command window with admin privileges. Start->Accessories->System Tools->Command Prompt. Right click on Command Prompt and select "Run as Administrator".
Mount the EFI partition: mountvol s: /s
Look at the directory of the EFI directory: dir s:\EFI
The date of the VeraCrypt directory should be the date VeraCrypt was used to encrypt the system drive.
When you're done mountvol s: /d
The technique I outlined IS for a drive that is already encrypted, as long as it has been encrypted with system encryption and as long as the computer is a UEFI computer. I expect that what you mean by not having access is that you don't have the password. Not being able to boot into the computer in question makes it a little more difficult, but the essentials are the same. I will outline the theory. The exact details you will have to work out.
UEFI computers have a small, unencrypted, FAT32 partition on their hard drives where the operating system boot loaders are stored. When VeraCrypt is installed as system encryption on this kind of computer, it places its boot loader in that partition. What you need to do is mount that hard drive's UEFI partition, look at the VeraCrypt folder and check its creation timestamp.
There are several ways you can do this. You can boot the original computer in question from a live Linux DVD and do this from within Linux on that computer. Or, you can remove the hard drive from that computer and attach it as a second drive to another computer and do it from the second computer. There are many ways to connect the drive - assuming it's a standard SATA drive, then the easiest thing to do is get a SATA to USB adapter. I personally use a KingWin EZClone, since it can also clone drives, but there are likely newer and better ones out there now.
This isn't conclusive evidence of when the drive was first encrypted, since it's possible it was encrypted, decrypted, then re-encrypted later. Also, it's possible (though rather unlikely) that if someone was trying to obscure when the drive was encrypted, they changed the computer's clock before they installed VeraCrypt. This isn't likely - I can't think of why anyone would bother. If you suspect this is the case, then you can compare the version of the boot file with the different VeraCrypt versions. This at least will give you a not-before date, as, of course, you won't find the bootloader from VeraCrypt version 1.23 on the drive before version 1.23 was released.
I must admit, I find myself very curious as to why you need this information.
I tried to check that on a bootable W10PE (Sergei), and in every HDD app I could find there was no small partition like the one you talk about. There was only one big partition, and when you try to access it, it shows a message saying it needs to be formatted first before it can be used (because of the encryption). I should add that the system was installed on an MBR partition.
Last edit: Oscar Sikorsky 2019-05-31
For an MBR system there is no date. There are only two ways to get any kind of clues about when the hard drive was encrypted. Both are very involved and neither will give you an exact date.
Compare the VeraCrypt boot load sectors with every other VeraCrypt version's boot load sectors to try and determine which version of VeraCrypt was used when the drive was encrypted. This will then narrow down when VeraCrypt was likely installed, though it's not definitive. It also depends on the MBR version of the VeraCrypt boot loader changing between versions, and it didn't for each release. You will have to build your own library of which VeraCrypt boot loaders were used for each VeraCrypt release, extract the boot loader from the hard drive in question, and then compare. It's a lot of work and won't likely get you very far.
This one is even harder and will require an intimate knowledge of the low-level format of the brand of hard drive you have. Most hard drives, as part of their low-level format, have a write serial number. Each time a physical sector is written to the drive, this counter is incremented and stored in that physical sector. You can then create a map of the order in which each sector was written to the hard drive, no matter how randomly it occurred. It's often used by professional hard disk data recovery experts to piece together data from badly corrupted drives where the filesystem cluster maps are gone. You can't see the filesystem clusters, but you can piece together the order in which every sector was written. You can use this to get a picture of when the boot sector was last physically written on the hard drive, compared to every other sector. This technique is difficult because it requires very specialized equipment and/or software, it is very proprietary, and it is hard to get your hands on. You can try to hire a forensic hard drive analyst to do this, but the kind of people who can do this don't come cheap. These are the sort of people who rescue priceless data from hard drives that, say, have been in fires.
I'm still very curious as to why you need this information.
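As an added example (not code from the thread or from the VeraCrypt project), the following script automates the two checks discussed above: the creation timestamp of the EFI\VeraCrypt folder on a mounted EFI system partition (the UEFI answer), and a fingerprint of the MBR boot code that an analyst can compare against a self-built table of known release fingerprints to get a not-before version (the MBR answer). The mount path, the fingerprint table and the sample bytes are placeholders the reader supplies; none of them come from the thread.

```python
"""Added triage helpers for the thread's two checks: ESP folder timestamps on
UEFI systems and a boot-code fingerprint for MBR systems. All paths, tables
and sample bytes are constructed placeholders, not VeraCrypt project data."""
import hashlib
import os
import sys
from datetime import datetime, timezone
from pathlib import Path


def creation_time(st: os.stat_result) -> float:
    """Best-effort creation timestamp from a stat result.
    st_birthtime exists on Windows/macOS/BSD (and Linux from Python 3.12);
    on older Linux st_ctime is the inode change time, NOT creation, so fall
    back to the modification time rather than report a misleading value."""
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        return birth
    return st.st_ctime if sys.platform == "win32" else st.st_mtime


def veracrypt_esp_timestamps(esp_root) -> dict:
    """Walk <ESP>/EFI/VeraCrypt (the mount point, e.g. S:\\ after 'mountvol
    s: /s') and return {relative path: (created, modified)} as UTC ISO
    strings, oldest creation first. An empty dict means the folder is absent,
    i.e. this is not a UEFI system-encryption install."""
    root = Path(esp_root) / "EFI" / "VeraCrypt"
    if not root.is_dir():
        return {}
    rows = {}
    for p in [root, *root.rglob("*")]:
        st = p.stat()
        rows[str(p.relative_to(Path(esp_root)))] = (
            datetime.fromtimestamp(creation_time(st), timezone.utc).isoformat(),
            datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat())
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0]))


def mbr_boot_code_fingerprint(sector0: bytes) -> str:
    """SHA-256 of the first 440 bytes of sector 0 only. The disk signature
    and partition table that follow differ per disk and would spoil a
    comparison between the suspect drive and a reference install."""
    return hashlib.sha256(sector0[:440]).hexdigest()


def not_before_version(fingerprint: str, known: dict):
    """Look a fingerprint up in an analyst-built table {sha256: release
    label}; None means the boot code matched no catalogued release."""
    return known.get(fingerprint)
```

The timestamp result carries the same caveats the thread gives (re-encryption, a changed clock), so treat the fingerprint lookup as the corroborating not-before bound rather than the timestamp alone.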