The retrieval of data from computer hard drives seized in police busts against suspected criminals is sometimes not straightforward. Typically the incriminating data, which may be important evidence in subsequent trials, is encrypted and quick-deleted. The cryptanalysis of what can be recovered from such hard drives is then subject to time-consuming brute-forcing and password guessing. To this end, methods for accurately classifying what is encrypted data and what is not are of the essence. Here a procedure for discriminating encrypted data from non-encrypted data is derived. Several methods are suggested and their accuracy is evaluated in different ways. Two methods for detecting where encrypted data is located on a hard disk drive are detailed, both using passive change-point detection. The measures of performance of such methods are discussed and a new property for evaluation is suggested. The methods are then evaluated and discussed according to the new performance measure as well as the standard measures.
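The following is an added example, not code or a method taken from the work summarised above, which this abstract does not spell out. It assumes a per-block Pearson chi-square statistic for byte uniformity and a one-sided CUSUM detector to locate where encrypted-looking data begins in a constructed disk image; the block size, cut-off and alarm level are assumed values.

```python
import hashlib
from collections import Counter

BLOCK = 4096        # bytes per examined block (assumed)
CHI2_LIMIT = 400.0  # assumed cut-off; chi-square with 255 df has mean 255, sd ~22.6
ALARM = 4           # CUSUM alarm level h (assumed)

def chi2_uniform(block: bytes) -> float:
    """Pearson chi-square of the byte histogram against a uniform distribution."""
    expected = len(block) / 256
    counts = Counter(block)
    return sum((counts[b] - expected) ** 2 / expected for b in range(256))

def find_encrypted_start(image: bytes):
    """One-sided CUSUM over block scores; returns (start_block, alarm_block) or None."""
    s, start = 0, None
    for i in range(len(image) // BLOCK):
        block = image[i * BLOCK:(i + 1) * BLOCK]
        z = 1 if chi2_uniform(block) < CHI2_LIMIT else -1  # +1: looks uniform
        if s == 0 and z > 0:
            start = i  # candidate change-point: first block after the last reset
        s = max(0, s + z)
        if s >= ALARM:
            return start, i
    return None

def keystream(n_blocks: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    out, ctr = bytearray(), 0
    while len(out) < n_blocks * BLOCK:
        out += hashlib.sha256(ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out)

def sample_image() -> bytes:
    """Constructed image: 12 blocks of plain text followed by 20 ciphertext-like blocks."""
    text = b"Quarterly report draft, revision 3. Nothing to see here.\n"
    plain = (text * (12 * BLOCK // len(text) + 1))[:12 * BLOCK]
    return plain + keystream(20)

if __name__ == "__main__":
    print(find_encrypted_start(sample_image()))
```

A low statistic only indicates near-uniform bytes, so compressed data will also raise the alarm and needs to be ruled out separately.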