eCryptfs Parser

Author: 
Ted Smith

eCryptfs Parser is a GUI for Linux and Windows that recursively parses the headers of every eCryptfs file found in a given directory. For each file it reports the encryption algorithm used, the original (plaintext) size of the file before it was encrypted, the signature of the key that wraps the file encryption key, and the other header fields.

It is designed to be run live on a Linux box where eCryptfs is encountered. The source directory should be the lower filesystem directory that holds the encrypted files, not the mounted upper filesystem (e.g. /home/user/.Private rather than /home/user/Private). The files can optionally be hashed at the time of the scan; scanning without hashing is faster.

Future plans are to add a dictionary attack against the wrapped-passphrase file, and a "hunting" mode in which the tool scans for and flags eCryptfs-encrypted files for the user.

There is also a Windows binary for use when the encrypted files have been exported from a forensic image. The directory must contain nothing but eCryptfs files: if any other file is present, the XOR file type check (the 4-byte word at offset 12 must equal the word at offset 8 XORed with the eCryptfs marker 0x3c81b7f5) fails and causes the scan to stop.
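As an added example of what such a header scan does (this is not the eCryptfs Parser tool's own code, and the tool's implementation is not shown on this page), the Python below parses the in-file eCryptfs header as written by the Linux kernel's fs/ecryptfs: the big-endian plaintext size, the XOR marker, the flags word (file version in its top byte), the extent metadata, and then the RFC 2440-style key packets (Tag 3 carrying the cipher code, S2K salt and wrapped file encryption key; Tag 11 carrying the hex key signature). It also walks a lower directory with optional SHA-256 hashing, and, unlike the behaviour described above for the Windows binary, flags non-eCryptfs files and keeps going rather than stopping. The sample header is constructed here for testing, not captured from a real system; the function and field names are the example's own.

```python
"""Parse eCryptfs lower-file headers and scan a .Private directory.

Added example; this is not the eCryptfs Parser tool's own code. The field
layout follows the in-file header written by the Linux kernel's fs/ecryptfs
(size, marker, flags, extent metadata, then RFC 2440-style key packets).
"""
import hashlib
import os
import struct

ECRYPTFS_MARKER = 0x3C81B7F5   # MAGIC_ECRYPTFS_MARKER in fs/ecryptfs/crypto.c
TAG_3 = 0x8C                   # passphrase-wrapped FEK packet (RFC 2440 tag 3)
TAG_11 = 0xED                  # literal data packet carrying the key signature
# RFC 2440 symmetric-algorithm codes as eCryptfs maps them to kernel cipher names
CIPHER_CODES = {0x02: "des3_ede", 0x03: "cast5", 0x04: "blowfish", 0x07: "aes-128",
                0x08: "aes-192", 0x09: "aes-256", 0x0A: "twofish", 0x0B: "cast6"}
FLAG_NAMES = {0x1: "ENABLE_HMAC", 0x2: "ENCRYPTED",
              0x4: "METADATA_IN_XATTR", 0x8: "ENCRYPT_FILENAMES"}


def is_ecryptfs(header):
    """The XOR marker check: bytes 8..11 XOR 0x3c81b7f5 must equal bytes 12..15."""
    if len(header) < 16:
        return False
    m1, m2 = struct.unpack(">II", header[8:16])
    return (m1 ^ ECRYPTFS_MARKER) == m2


def packet_length(data, off):
    """OpenPGP-style packet length: one byte below 192, two bytes below 8384."""
    b0 = data[off]
    if b0 < 192:
        return b0, 1
    if b0 < 224:
        return (b0 - 192) * 256 + data[off + 1] + 192, 2
    raise ValueError("five-byte packet lengths are not used by eCryptfs")


def parse_header(header):
    """Return the metadata fields of one eCryptfs file from its first extent."""
    if len(header) < 26 or not is_ecryptfs(header):
        raise ValueError("not an eCryptfs header")
    size, = struct.unpack(">Q", header[0:8])             # plaintext size, big-endian
    flags, = struct.unpack(">I", header[16:20])          # file version in top byte
    extent_size, n_extents = struct.unpack(">IH", header[20:26])
    info = {"plaintext_size": size, "file_version": flags >> 24,
            "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
            "extent_size": extent_size, "header_bytes": extent_size * n_extents,
            "cipher": None, "salt": None, "s2k_iterations": None,
            "enc_fek_size": None, "signature": None}
    off = 26
    while off < len(header) and header[off] != 0:       # packet set ends with a 0 byte
        tag = header[off]
        body_len, len_size = packet_length(header, off + 1)
        start = off + 1 + len_size
        body = header[start:start + body_len]
        if tag == TAG_3:
            # version 0x04, cipher code, S2K id 0x03, hash id 0x01, 8-byte salt,
            # one iteration-count byte, then the encrypted file encryption key
            if body[0] != 0x04 or body[2] != 0x03 or body[3] != 0x01:
                raise ValueError("unexpected Tag 3 layout")
            info["cipher"] = CIPHER_CODES.get(body[1], "unknown(0x%02x)" % body[1])
            info["salt"] = body[4:12].hex()
            info["s2k_iterations"] = (16 + (body[12] & 15)) << ((body[12] >> 4) + 6)
            info["enc_fek_size"] = len(body) - 13
        elif tag == TAG_11:
            # 0x62 (binary), name length, name ("_CONSOLE"), 4-byte date, hex signature
            name_len = body[1]
            info["signature"] = body[2 + name_len + 4:].decode("ascii")
        else:
            raise ValueError("unknown packet tag 0x%02x" % tag)
        off = start + body_len
    return info


def scan_directory(root, hash_files=False, header_bytes=8192):
    """Walk a lower directory; non-eCryptfs files are flagged, not fatal."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            entry = {"path": path, "ecryptfs": False}
            with open(path, "rb") as fh:
                head = fh.read(header_bytes)
                if is_ecryptfs(head):
                    entry.update(ecryptfs=True, **parse_header(head))
                if hash_files:                           # hash the whole lower file
                    digest = hashlib.sha256(head)
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                    entry["sha256"] = digest.hexdigest()
            results.append(entry)
    return results


def build_sample_header(size=1234, cipher=0x09, key_len=32, sig=b"0123456789abcdef"):
    """Constructed test vector in the kernel's write order (not a captured file)."""
    m1 = 0x11223344
    out = struct.pack(">QII", size, m1, m1 ^ ECRYPTFS_MARKER)
    out += struct.pack(">I", (0x03 << 24) | 0x02)        # file version 3, ENCRYPTED
    out += struct.pack(">IH", 4096, 2)                   # 4096-byte extents, 2 at front
    tag3 = bytes([0x04, cipher, 0x03, 0x01]) + bytes(range(8)) + b"\x60" + b"\xAA" * key_len
    out += bytes([TAG_3, len(tag3)]) + tag3
    tag11 = bytes([0x62, 8]) + b"_CONSOLE" + b"\x00" * 4 + sig
    out += bytes([TAG_11, len(tag11)]) + tag11 + b"\x00"
    return out.ljust(8192, b"\x00")


if __name__ == "__main__":
    print(parse_header(build_sample_header()))
```

Point scan_directory at the lower directory (the .Private tree, as above), not the mounted view, since the mounted view presents decrypted contents with no header. Two caveats: a file whose flags include METADATA_IN_XATTR keeps its header in the user.ecryptfs extended attribute rather than in the lower file, so the in-file marker check finds nothing for it; and the hash, when requested, is over the encrypted lower file, which is what you would match against an image, not against the plaintext.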