Regardless of *how* the encrypted files were hidden, probably the best way would be running stochastic analysis on the entire disk content (at a low level). Any sectors on the disk containing some very random data should then be linked back to file system records. This will identify encrypted files pretty reliably. At least that's exactly what we're doing in our own tool, Belkasoft Evidence Center, to detect encrypted files.
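The sector-level randomness scan described in the answer above, as an added example that is not Belkasoft's code: it scores every 512-byte sector of a disk image by Shannon entropy and returns the sectors that look random, which an analyst would then map back to file-system records. The sector size, the 7.0 bits/byte threshold and the constructed sample image are assumptions.

```python
import math
import random
from collections import Counter

SECTOR = 512      # assumed sector size; a cluster size such as 4096 works too
THRESHOLD = 7.0   # bits per byte; text sits near 4-5, ciphertext near 8

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def high_entropy_sectors(image: bytes, threshold: float = THRESHOLD):
    """Return (sector_index, entropy) for every sector whose byte distribution
    looks random. Note: the plug-in estimate undershoots 8.0 on short blocks
    (about 7.6 for 512 random bytes), so the threshold sits below 8; and
    compressed data also scores high, so a hit is a lead to be tied back to
    file-system metadata, not proof of encryption on its own."""
    hits = []
    for offset in range(0, len(image), SECTOR):
        h = shannon_entropy(image[offset:offset + SECTOR])
        if h >= threshold:
            hits.append((offset // SECTOR, round(h, 2)))
    return hits

def build_sample_image() -> bytes:
    """Constructed three-sector image: sector 0 English text, sector 1 zeros
    (unallocated space), sector 2 seeded pseudo-random bytes standing in
    for ciphertext."""
    rng = random.Random(1234)  # seeded so the scan result is reproducible
    text = (b"The quick brown fox jumps over the lazy dog. " * 12)[:SECTOR]
    zeros = bytes(SECTOR)
    cipher = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    return text + zeros + cipher

if __name__ == "__main__":
    for idx, h in high_entropy_sectors(build_sample_image()):
        print(f"sector {idx}: entropy {h} bits/byte -> candidate encrypted data")
```

On a real image, feed the function the raw device or image file in sector-aligned chunks and resolve each flagged index through the file-system's allocation tables.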