Perhaps a more automated approach would be to calculate the entropy for all your files, and raise an alarm if the level is uniformly high.
I don't have an encrypted system to test on, so I can't really guess what a suitable threshold would be, but here's a sketch.
Brief experimentation reveals that zip files have an entropy just below 8.0 (like 7.99), while I see values from near 0 to slightly above 7 for regular files of various types. Some PDFs seem to be close to 7.9 (probably they contain compressed member structures?) and various streaming formats like MP4 also come very close to 8.0. But the important question really is whether you have files with a low value somewhere. Various JSON and log files I tested on get a value around 5.
```python
import os

# v v v from http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html
# with a very minor tweak for Python 3
import math

def H(data):
    # Shannon entropy in bits per byte: 0.0 (constant data) to 8.0 (uniformly random)
    if not data:
        return 0
    entropy = 0
    for x in range(256):
        p_x = float(data.count(bytes([x])))/len(data)
        if p_x > 0:
            entropy += - p_x*math.log(p_x, 2)
    return entropy
# ^ ^ end copy/pasted entropy code

# Track the highest- and lowest-entropy files seen during the walk
maxent, minent = 0.0, 8.0
maxfile, minfile = None, None

for curdir, dirs, files in os.walk("/"):  # or "C:/" for Windows victims
    for filename in files:
        curfile = os.path.join(curdir, filename)
        try:
            # Reads the whole file into memory before measuring it
            with open(curfile, "rb") as contents:
                entropy = H(contents.read())
            if entropy > maxent:
                maxent = entropy
                maxfile = curfile
            if entropy < minent:
                minent = entropy
                minfile = curfile
        except (FileNotFoundError, PermissionError, OSError) as exc:
            print(f"{curfile}: skipped: {exc}")

print(f"max entropy {maxent} ({maxfile})")
print(f"min entropy {minent} ({minfile})")
```
Entropy calculation function from the excellent http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html and updated for Python 3.
For full-disk scanning, you will probably want to run this with root or admin privileges.
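The sketch above reports only the two extremes. As an added example (not part of the original answer), the following turns the "uniformly high" idea into a yes/no alarm: it samples the start of each file, ignores empty files, and fires only when nearly every file is high-entropy and no low-entropy file remains. The thresholds, the sample size and the names `sample_entropy`, `scan`, `alarm` and `build_demo_tree` are assumptions for illustration, not measured values.

```python
import math
import os
import tempfile
from collections import Counter

SAMPLE_BYTES = 64 * 1024   # assumption: the first 64 KiB is representative
HIGH = 7.5                 # assumption: cut-off for "looks encrypted or compressed"
ALARM_FRACTION = 0.95      # assumption: share of high files that counts as "uniform"

def sample_entropy(path, limit=SAMPLE_BYTES):
    """Shannon entropy (bits/byte) of the first `limit` bytes; None if empty."""
    with open(path, "rb") as fh:
        data = fh.read(limit)
    if not data:
        return None  # an empty file would otherwise always be the minimum
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(root):
    """Return (fraction of high-entropy files, lowest entropy, files measured)."""
    values = []
    for curdir, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(curdir, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, devices, sockets and FIFOs
            try:
                h = sample_entropy(path)
            except OSError:
                continue
            if h is not None:
                values.append(h)
    if not values:
        return 0.0, None, 0
    high = sum(1 for h in values if h >= HIGH)
    return high / len(values), min(values), len(values)

def alarm(root):
    """True when the tree is uniformly high-entropy with no low-entropy file left."""
    frac, lowest, count = scan(root)
    return count > 0 and frac >= ALARM_FRACTION and lowest >= HIGH

def build_demo_tree(encrypted):
    """Constructed sample data: 20 files of random bytes or of log-like text."""
    root = tempfile.mkdtemp()
    for i in range(20):
        body = os.urandom(8192) if encrypted else (b"2024-01-01 INFO request ok id=%d\n" % i) * 200
        with open(os.path.join(root, f"f{i}.dat"), "wb") as fh:
            fh.write(body)
    return root
```

A file shorter than 256 bytes cannot exceed log2(length) bits per byte, so very small files read as low-entropy even when their contents are random; on a real tree, set a minimum size before counting a file toward the minimum.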