Relevance for encrypted WinRE

Just wanted to see if someone has relevance for finding encrypted WinRE. Did a lot of Googling and can’t find.

Getting closer

Q: number of select objects ("* from win32_EncryptableVolume") of WMIs "root\CIMv2\Security\MicrosoftVolumeEncryption"
A: 2
T: 36822

Did a manage-bde -status on one of the machines and it shows that the Windows RE Tools Volume is encrypted.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume \\?\Volume{2daac542-c23a-40a0-82c3-56fb523ae820}\ [Windows RE Tools]
[Data Volume]

Size:                 0.29 GB
BitLocker Version:    2.0
Conversion Status:    Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method:    AES 256
Protection Status:    Protection On
Lock Status:          Unlocked
Identification Field: Unknown
Automatic Unlock:     Enabled
Key Protectors:
    External Key (Required for automatic unlock)
    Numerical Password

Volume C: [OSDisk]
[OS Volume]

Size:                 476.02 GB
BitLocker Version:    2.0
Conversion Status:    Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method:    AES 256
Protection Status:    Protection On
Lock Status:          Unlocked
Identification Field: Unknown
Key Protectors:
    TPM
    Numerical Password

For the Encryption Status I think the relevance here would be helpful

I don’t have any ReFS to check though


@JasonWalker thank you so much for the pointer

I ended up with this: (thanks to you and @alinder)

Q: Exists (tuple string items (integer values of selects ("EncryptionMethod from win32_EncryptableVolume WHERE DriveLetter!='C:'") of WMIs "root\CIMv2\Security\MicrosoftVolumeEncryption") of "None, AES_128_WITH_DIFFUSER, AES_256_WITH_DIFFUSER, AES_128, AES_256, HARDWARE_ENCRYPTION, XTS_AES_128, XTS_AES_256")
A: True
T: 34819

Actually this works the best.

if exists it whose (it is not "None") of (tuple string items (integer values of selects ("EncryptionMethod from win32_EncryptableVolume WHERE DriveLetter=NULL") of WMIs "root\CIMv2\Security\MicrosoftVolumeEncryption") of "None, AES_128_WITH_DIFFUSER, AES_256_WITH_DIFFUSER, AES_128, AES_256, HARDWARE_ENCRYPTION, XTS_AES_128, XTS_AES_256") then true else false

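The final check from the thread (a volume with no drive letter whose EncryptionMethod is not None), written in PowerShell against the same WMI class so the result can be cross-checked per volume on a single machine. This is an added example, not code posted by anyone in the thread; the function name Get-HiddenVolumeEncryption and the output property names are made up for illustration, and it assumes an elevated session.

```powershell
# Added example, not from the thread. Assumes an elevated session.

# Index-to-name mapping taken from the tuple string used in the relevance above.
$MethodNames = @(
    'None', 'AES_128_WITH_DIFFUSER', 'AES_256_WITH_DIFFUSER', 'AES_128',
    'AES_256', 'HARDWARE_ENCRYPTION', 'XTS_AES_128', 'XTS_AES_256'
)

# Hypothetical helper: reports the encryption method of every volume
# that has no drive letter.
function Get-HiddenVolumeEncryption {
    param(
        # Objects exposing DeviceID, DriveLetter and EncryptionMethod.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Volume
    )
    foreach ($v in $Volume) {
        # Same filter as "WHERE DriveLetter=NULL": keep only letterless
        # volumes, which is how the Windows RE Tools partition shows up.
        if (-not [string]::IsNullOrEmpty($v.DriveLetter)) { continue }

        $index = [int]$v.EncryptionMethod
        $name = if ($index -ge 0 -and $index -lt $MethodNames.Count) {
            $MethodNames[$index]
        } else {
            "UNKNOWN($index)"   # value outside the list used in the thread
        }
        [pscustomobject]@{
            DeviceID         = $v.DeviceID
            EncryptionMethod = $name
            Encrypted        = ($name -ne 'None')
        }
    }
}

$volumes = @(Get-CimInstance -Namespace 'root\CIMv2\Security\MicrosoftVolumeEncryption' `
                             -ClassName Win32_EncryptableVolume)
$hidden = @(Get-HiddenVolumeEncryption -Volume $volumes)
$hidden | Format-Table -AutoSize

# Equivalent of the final relevance: True if any letterless volume is encrypted.
[bool]($hidden | Where-Object Encrypted)
```

A method value outside the eight names is reported as UNKNOWN and counted as encrypted, so it shows up in the table for review.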