
Detection of VHD Encryption Project Report-Mohit Kumar

The document presents a project report on detecting encryption in virtual hard disks (VHD/VHDX) and recovering data using open-source tools, conducted by Mohit Kumar during an internship at CDAC Noida. It outlines the problem of encrypted VHDs in forensic investigations, the learning objectives, and the approach taken using tools like Autopsy and FTK Imager. The findings indicate that while encrypted VHDs can be identified and some data can be recovered, full recovery is contingent on having the encryption keys.

Uploaded by

Mohit Kumar.

Detection of Virtual Hard Disk encryption and recovery of the data using open source tools.

Domain:- Cybersecurity.

CDAC, Noida
CYBER GYAN VIRTUAL INTERNSHIP PROGRAM

Submitted By:
MOHIT KUMAR
Project Trainee, (May-June) 2025

BONAFIDE CERTIFICATE
This is to certify that this project report entitled "Detection of Virtual
Hard Disk Encryption and Recovery of the Data Using Open Source
Tools" submitted to CDAC Noida, is a Bonafide record of work done by
Mohit Kumar, under my supervision from 1st May 2025 to 14th June
2025.

DECLARATION BY AUTHOR
This is to declare that this report has been written by me. No part of the
report is plagiarized from other sources. All information included from
other sources has been duly acknowledged. I aver that if any part of the
report is found to be plagiarized, I shall take full responsibility for it.

Name of Author: Mohit Kumar

TABLE OF CONTENTS
1. Introduction
2. Problem Statement
3. Learning Objective
4. Approach
5. Implementation
6. Conclusion & Recommendations
7. List of References

ACKNOWLEDGEMENT
I would like to express my sincere gratitude to CDAC Noida and the
organizers of the Cyber Gyan Virtual Internship (May - June 2025) for
providing me with this opportunity to learn and work on this project. I
would also like to thank my mentor for continuous support and
guidance throughout the internship.

PROJECT TITLE
Detection of Virtual Hard Disk Encryption and Recovery of the Data
Using Open Source Tools

PROBLEM STATEMENT
Encrypted virtual hard disks (VHD/VHDX) pose challenges during
forensic investigations, especially when encryption methods are
unknown or undocumented. The task is to detect the encryption type
used on a VHD, identify whether it is accessible, and if possible, recover
the data using open-source tools.

LEARNING OBJECTIVE
- Understand VHD/VHDX file structures.
- Detect encryption types in disk images.
- Apply open-source tools like Autopsy, FTK Imager, and TestDisk.
- Recover data from encrypted or partially corrupted virtual drives.

APPROACH
Tools & Technologies Used:

- Operating Systems: Kali Linux / Windows 11
- Tools: Autopsy, FTK Imager, TestDisk, HxD (Hex Editor), BitLocker/Dislocker, VeraCrypt
- Languages Used: Basic Bash & Python scripting
- Virtualization: VirtualBox / Hyper-V

System Infrastructure Diagram:

Host Machine (Windows 11)
|
|---> VirtualBox Guest VM (Kali Linux)
|
|---> Encrypted VHD mounted with VeraCrypt
|
|---> Forensic tools for inspection & recovery

IMPLEMENTATION

Step 1: Creating and Encrypting a Virtual Hard Disk

- Used Windows Disk Management to create a VHD.
- Formatted it with NTFS and encrypted it using BitLocker.
- Inserted dummy data to simulate a user environment.

Step 2: Mounting VHD on Kali Linux

Used dislocker command:

sudo dislocker -V /dev/sdX -u -- /mnt/bitlocker

Step 3: Identifying Encryption Metadata

- Opened VHD in Hex Editor (HxD) to examine headers.
- Verified BitLocker metadata (EB 52 90, NTFS, and GUID signatures).

Step 4: Data Recovery Using Open Source Tools

- Autopsy: Detected partition structure and recovered deleted files.
- FTK Imager: Showed file previews and disk structure.
- TestDisk: Rebuilt partition table and restored file system access.

Indicators of Compromise (IoCs):
- NTFS partition with encrypted MFT.
- BitLocker identifiers in metadata.
- Missing standard boot sectors.
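
Added example (not part of the original report): the header inspection from Step 3 done in Python rather than by eye in a hex editor. It assumes a fixed-size VHD with an MBR partition table and classifies each partition by the OEM ID at bytes 3-10 of its boot sector ("-FVE-FS-" for BitLocker, "NTFS    " for plain NTFS); the function names are illustrative and build_sample() constructs a small test image.

```python
import struct

SECTOR = 512
# OEM ID at bytes 3..10 of a volume boot sector. The 3-byte jump before it
# (EB 52 90 or EB 58 90) is not decisive on its own; the OEM ID is.
OEM_IDS = {b"-FVE-FS-": "BitLocker", b"NTFS    ": "NTFS (not BitLocker)"}

def container_type(img: bytes) -> str:
    """Identify the container from its signature (VHDX header / VHD footer)."""
    if img[:8] == b"vhdxfile":
        return "VHDX"
    footer = img[-SECTOR:]                      # VHD footer is the last 512 bytes
    if footer[:8] == b"conectix":
        kind = struct.unpack(">I", footer[60:64])[0]   # big-endian disk type
        return {2: "VHD fixed", 3: "VHD dynamic", 4: "VHD differencing"}.get(kind, "VHD")
    return "unknown"

def scan_fixed_vhd(img: bytes) -> list:
    """Return (start LBA, verdict) for every MBR partition of a fixed VHD."""
    if container_type(img) != "VHD fixed":
        raise ValueError("only fixed VHDs map 1:1 onto disk sectors")
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature in sector 0")
    results = []
    for i in range(4):                          # four 16-byte entries at offset 446
        entry = img[446 + 16 * i: 462 + 16 * i]
        ptype, lba = entry[4], struct.unpack("<I", entry[8:12])[0]
        if ptype == 0:                          # unused slot
            continue
        vbr = img[lba * SECTOR:(lba + 1) * SECTOR]
        results.append((lba, OEM_IDS.get(vbr[3:11], "unrecognised")))
    return results

def build_sample() -> bytes:
    """Constructed test image: one BitLocker and one plain NTFS boot sector."""
    disk = bytearray(24 * SECTOR)
    for i, lba in enumerate((8, 16)):           # status, CHS, type 0x07, CHS, LBA, count
        struct.pack_into("<B3xB3xII", disk, 446 + 16 * i, 0, 0x07, lba, 8)
    disk[510:512] = b"\x55\xaa"
    disk[8 * SECTOR: 8 * SECTOR + 11] = b"\xeb\x58\x90-FVE-FS-"
    disk[16 * SECTOR: 16 * SECTOR + 11] = b"\xeb\x52\x90NTFS    "
    footer = bytearray(SECTOR)
    footer[:8] = b"conectix"
    struct.pack_into(">I", footer, 60, 2)       # disk type 2 = fixed
    return bytes(disk + footer)

if __name__ == "__main__":
    print(scan_fixed_vhd(build_sample()))
```

Dynamic and differencing VHDs store data in allocated blocks, so they need converting to a raw image before sector offsets like these apply.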

CONCLUSION & RECOMMENDATIONS

Findings:
- Encrypted VHDs can be identified using header signatures.
- BitLocker-encrypted volumes can be mounted with Dislocker if the password is known.
- File carving and partition recovery are possible using Autopsy and TestDisk.
- Full data recovery may not be guaranteed without encryption keys.

Recommendations:
- Always inspect header bytes with hex editors during forensic analysis.
- Prefer open-source tools like Dislocker, FTK Imager, and Autopsy for transparent workflows.
- Maintain system logs and hashes for all forensic copies.
- Ensure encryption key backups and secure storage policies in enterprise settings.

LIST OF REFERENCES
1. https://www.sleuthkit.org/autopsy/
2. https://www.cgsecurity.org/wiki/TestDisk
3. https://github.com/Aorimn/dislocker
4. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/
5. https://www.forensicswiki.org/wiki/Main_Page
