Chapter 29 — Exercises

A mix of concept checks, hands-on labs, calculations, and judgment calls — because encryption is the one chapter where the most important skill is knowing, fast and honestly, which door is open and which is a wall. (answer in Appendix) = worked solution in Answers. ⭐ = stretch. Hands-on labs use data you own or sanctioned practice images (Appendix J — Practice Images and Lab Setup); never attack a drive you are not authorized to open. Signatures and offsets are collected in Appendix A — File Signatures Reference; the legal citations are in Appendix E — Legal Frameworks Reference. Every "crack a drive" lab below is built around a passphrase you set, so the exercise is about the mechanism and the record, not about defeating anyone's privacy.


Group A — How full-disk encryption actually works

29.1 In three or four sentences, explain why your password is not the encryption key, naming the layers of the hierarchy in order (the secret you supply → the intermediate key it wraps → the media key that actually encrypts the sectors). Then answer the question that proves you understand the design: why can a user change their BitLocker password on a 2 TB drive in under a second, when re-encrypting 2 TB would take hours? (answer in Appendix)

29.2 Disk encryption uses a length-preserving sector mode (XTS-AES) rather than a general-purpose mode that adds a nonce and tag. (a) Why must the mode be length-preserving — what would break if sector 4,194,304 needed to store an extra 28 bytes after encryption? (b) XTS folds the sector number into the math as a "tweak." Explain what that buys you, and why the practical consequence — the same plaintext written to two sectors produces different ciphertext — is exactly why your carving and file-system tools find no structure to grab onto. (c) Older BitLocker used AES-CBC with an "Elephant diffuser." In one sentence, what pattern-leakage problem of naive CBC does XTS solve?

29.3(Calculate.) A 128-bit AES key has 2¹²⁸ ≈ 3.4 × 10³⁸ possibilities. Suppose all 8 billion people on Earth each ran 1 billion machines, each testing 1 billion keys per second. (a) How many keys per second is that, and roughly how many years to exhaust the 128-bit keyspace? (b) Compare that figure to the age of the universe (~1.4 × 10¹⁰ years). (c) In one sentence, state the lesson this number teaches about which part of an encryption system every realistic attack in this chapter targets — and why no attack targets the AES key itself.


Group B — The key hierarchy, protectors, and the TPM

29.4 Name the three families of key protector ("something you know / have / the platform proves") and give one concrete example of each from a real system. Then explain what a TPM does when it seals a key to the PCRs: what is being measured, what condition must hold for the TPM to release the key, and why this lets a BitLocker laptop boot straight to the login screen with no pre-boot password. (answer in Appendix)

29.5 (Judgment — the weakest door.) A drive is encrypted with flawless AES-256 and an unguessable 40-character passphrase — and it also has a TPM-only protector that releases the key automatically at boot, and its 48-digit recovery password is escrowed in Active Directory. Rank the three protectors by how hard each is for an authorized examiner to use, and state the chapter's one-line principle this illustrates. Then flip it: as the defender hardening this machine, what do you change, and which single protector were you actually relying on for security all along?

29.6(Calculate — the KDF tax.) Two volumes use a correct cipher but different key-derivation functions. Volume X uses PBKDF2 and your GPU rig manages 200,000 guesses/second against it; Volume Y uses Argon2id tuned to 1 GiB of memory per guess and your same rig now manages 8 guesses/second. (a) A weak 6-character lowercase-letter password has 26⁶ ≈ 3.1 × 10⁸ candidates — estimate the worst-case crack time against X and against Y. (b) A six-word diceware passphrase has ≈ 2⁷⁷ candidates — is either volume crackable? (c) State, in one sentence, what this exercise proves about what you are really attacking when you "brute-force a disk."


Group C — Identify the system on sight (hands-on)

29.7 (Analyze these images.) Four 16-byte specimens were carved from the first sector of four volumes. Identify each system (or "no system / candidate encrypted container"), citing the exact bytes that decide it. (answer in Appendix)

A  00000000: eb58 902d 4656 452d 4653 2d00 0200 0800
B  00000000: 4c55 4b53 babe 0002 0000 0000 0000 0000
C  00000000: eb52 904e 5446 5320 2020 2000 0208 0000
D  00000000: 7f3a c41e 9b62 d508 11ac 7e93 4f20 e6bb

For specimen B, state the LUKS version; for specimen D, explain why you can suspect but generally cannot prove what it is, and name the one measurement that flags it as a candidate.

29.8 (Hands-on lab — entropy triage.) On a test machine you own, create (i) a small VeraCrypt container, (ii) a LUKS partition (a loopback file is fine), (iii) a normal NTFS or ext4 image, and (iv) a ZIP archive of ordinary documents. Run the chapter's Shannon-entropy scanner (it is in Appendix B — Python Forensics Toolkit) against all four. (a) Record the entropy of each and explain why the VeraCrypt container, the LUKS data area, and the ZIP all sit near 7.99 while the file-system image swings wildly and dips toward 0. (b) Why can high entropy not, by itself, prove a region is an encrypted volume? (c) Confirm the scanner opened every target read-only and say why that matters even in a lab.

29.9(Read the header.) Run cryptsetup luksDump against your LUKS test volume from 29.8 and interpret the output. (a) Which cipher and mode, which KDF, and which key slots are populated? (b) Add a second passphrase (cryptsetup luksAddKey) and re-dump — show that a second slot is now live, and explain what that means investigatively (several custodians, one disk). (c) Back up the header with luksHeaderBackup and explain, in chain-of-custody terms, why backing up the small, fragile header before any operation is non-negotiable.

29.10 (Judgment — the Mac you can't take apart.) A 2021 MacBook Pro (Apple Silicon, M1) and a 2017 MacBook Air (Intel, no T2) arrive in unrelated matters, both powered off, both FileVault-on. (a) Explain why you might remove and image the 2017 Air's SSD in another machine but absolutely cannot do so with the M1. (b) Given that the M1's internal SSD is always hardware-encrypted at the controller, what does turning "FileVault on" actually change? (c) State how this reshapes your acquisition plan — what you must have in hand (a credential, or the machine live and authenticated) before the device is ever powered down — and which fdesetup / diskutil apfs commands you would run in a live, authorized session.


Group D — When you have authorization: the key-source playbook

29.11 (Write the procedure — the quiet, common win.) A domain-joined Windows laptop is imaged through a write-blocker; its system volume shows the -FVE-FS- signature. Write the ordered command sequence an authorized domain examiner runs to (a) enumerate the protectors and read the Recovery Key ID, (b) retrieve the matching 48-digit recovery password from the computer object's msFVE-RecoveryInformation in Active Directory, and (c) unlock a working copy of the image. Name the tool at each step (manage-bde, Get-ADObject or the BitLocker Recovery Password Viewer, etc.), and state which step you do first and why. (answer in Appendix)

29.12 (Recover from this image — the key in RAM.) A lawful live capture produced WEB07-mem.raw (16 GiB) from a running host whose BitLocker volume was unlocked at the moment of acquisition; you separately hold the locked dead-box image WEB07-disk.e01. Outline the full recovery path: (a) the command(s) that scan the memory image for a valid AES key schedule (aeskeyfind, bulk_extractor -E aes); (b) what you do with each candidate key to confirm which one is real; (c) how you then mount the encrypted disk image read-only with the recovered key. Finally, state in one sentence the single fact about the live host at capture time that made this whole path possible — and what would have destroyed it.

29.13 (Mechanics — the closing window's exotic cousins.) Live capture is the common memory avenue; cold-boot and DMA are its situational cousins. (a) Explain why a cold-boot attack works at all — what DRAM remanence is, why chilling the chips (the 2008 "Lest We Remember" research) extends it from seconds to minutes, and what you do in that window. (b) Explain how a DMA attack (FireWire / Thunderbolt / PCIe; tools such as Inception and PCILeech) reads RAM without the CPU or OS, and why Thunderspy extended the concern to Thunderbolt 3. (c) Name the modern mitigations — an IOMMU (VT-d / AMD-Vi) and Windows Kernel DMA Protection — and state, in one sentence, why these exotic attacks are mostly for older or unhardened hardware while live capture remains the workhorse.

29.14 (Recover from this image — reservoirs of once-resident RAM.) Even without a live capture, a disk image can hold the key in a file that used to be RAM. (a) Name the three reservoirs the chapter cites — hiberfil.sys, the page/swap file, and the crash dump MEMORY.DMP — and explain in one line each why a key might be sitting in it. (b) You have a dead-box image of a laptop that was hibernated (not shut down) while its BitLocker volume was unlocked. Outline how you would extract hiberfil.sys, scan it for an AES key schedule, and apply a recovered key — and state the honest caveat about whether the key will actually be present. (c) Why does this make "was it shut down, slept, or hibernated?" a question worth asking at the scene?

29.15 (Calculate and verify the hash — the decryption record.) You unlock a working copy of an encrypted image and mount the decrypted volume read-only. Draft the decryption record for your notes, modeled on the chapter's, capturing: the volume and system, the protectors present, the key source and its provenance (where the key came from, when, who, under what authority), the action taken (unlocked working copy, mounted read-only), and the integrity block — the SHA-256 of the encrypted image (unchanged) and the SHA-256 of the decrypted working copy you analyzed. Then answer: the defense asks whether unlocking altered the evidence. Which two hashes, and which one sentence, answer them?

29.16(Build the decision tree.) Distill "Sources 1–4" into a one-page flowchart an examiner can follow at intake: Is it escrowed (AD/Entra/iCloud/institutional/key-slot)? → Is the host running with the volume unlocked right now? → Is there a memory image / hiberfil / pagefile / crash dump to mine? → Is the volume suspended or holding a clear key? → Is the passphrase plausibly weak and the KDF cheap? → Is there a lawful compulsion path? For each branch, write the action on "yes" and the next question on "no," and mark the single branch that is both the most common success and the right first move every time.


Group E — When the mathematics wins (limitations)

29.17 State the four conditions that, when all true at once, make a volume permanently inaccessible (sound cipher/mode; only a strong memorized passphrase through a modern KDF; no escrow you can lawfully reach; no plaintext key in memory). For each condition, name one real-world fact that, if you discovered it, would break the wall and give you a way in. (answer in Appendix)

29.18 (Calculate — is this a wall?) A powered-off, personal VeraCrypt system drive uses an AES-Twofish cascade, a high PIM, no escrow, and a passphrase the suspect memorized. (a) If the passphrase is a truly random 12-character string from a 95-character set, estimate its entropy in bits (hint: log₂(95¹²)) and compare it to the strength of the AES key itself. (b) Given the four conditions of 29.17, classify this drive. (c) Write the honest one-line finding you put in the report — and explain why "we are still working on it" would be the dishonest answer.

29.19(Judgment — the desperate client.) A grieving client brings you the only copy of a decade of family photos and a late parent's letters, on an external drive they themselves encrypted with BitLocker and whose recovery key they never saved and whose password they have forgotten. The drive is sound; the passphrase was strong; there is no escrow. Explain, in the words you would actually use with them, (a) why you cannot recover the data, (b) why a competitor advertising "we crack any drive, no questions asked" is selling either a fraud or an unauthorized-access service, and (c) how the Recovery vs. Forensics lens makes this the gentlest-but-most-final form of the same wall a forensic examiner hits — tying to theme #5 and to anchor case #1.


29.20 Explain the strongbox analogy at the heart of U.S. compelled-decryption law: why courts have held the state may compel the key to a strongbox but not the combination to a safe, and which one a memorized passphrase resembles. Then define the "foregone conclusion" doctrine (from Fisher v. United States, 1976) and state, in one sentence, the exact question a court asks to decide whether decryption may be compelled. (answer in Appendix)

29.21 The case law splits. For each of the following, state whether decryption was compelled or not compelled, and the one-line reason: In re Boucher (D. Vt. 2009); United States v. Doe (11th Cir. 2012); Commonwealth v. Davis (Pa. 2019); State v. Andrews (N.J. 2020). Then explain why an examiner cannot simply tell counsel "the law says X" about compelling a password.

29.22 (Judgment — biometrics vs. passcode, and the clock.) Several courts treat compelling a fingerprint or face-scan as non-testimonial (a physical characteristic) while a memorized passcode is testimonial (the combination). (a) Explain the tactical consequence for a responder at the scene of a running, recently unlocked phone. (b) Why does the legal window close on its own after a reboot or a timeout — what falls back to requiring the passcode? (c) Note where the warrant requirement of Riley v. California (2014) sits on top of all this, and why "seize it unlocked" is not the same as "search it without authority."

29.23(Cross-border.) An examiner working an international matter must know which regime applies before advising on "just compel the password." Contrast the U.S. position with the United Kingdom (RIPA 2000, Part III — sections 49 and 53), and name two other countries with key-disclosure laws that criminalize refusal. Then explain why VeraCrypt hidden volumes are engineered to defeat even a compulsion order — what a holder can truthfully surrender, and why a court cannot find they withheld anything.


Group G — Putting it together: report, record, and the case file

29.24 (Write the finding — both endings.) Draft the two one-paragraph encryption findings an examiner might write for a report. (a) The open ending: "decrypted via [source]; analysis proceeds," with full key provenance and both images' hashes. (b) The wall ending, written clinically: "acquired, verified, and inaccessible; recoverable only via [the user's passphrase / an escrowed key / a court-ordered disclosure]." Explain why the second is a complete and professional finding, not an admission of failure — and why overreaching past that line is where examiners lose credibility. (answer in Appendix)

29.25 (Judgment — three drives, three outcomes.) Re-read the chapter's worked example. Three encrypted items arrive: a domain-joined corporate laptop (BitLocker, escrowed); a personal laptop seized powered off (BitLocker TPM+PIN, no escrow); and a running desktop with a mounted VeraCrypt volume. For each, name the single decisive factor that determines the outcome, the key source you pursue (or the wall you hit), and roughly how long encryption adds to the case. Which two items are separated by one decision at the scene, and what is that decision?

29.26(The counterfactual.) In the worked example, Item C (the running VeraCrypt desktop) was solved because RAM was captured before power-off. Describe, step by step, what Item C becomes if officers reflexively shut it down — walk it through the four key-sources and show each one closing — and end at the war-story wall. Then write the two-sentence briefing you would give first responders so that "Item C" never becomes "Item B."

29.27 (Spot the mistake.) For each, name the chapter "common mistake" and the correct move: (a) an examiner reports a managed-enterprise BitLocker laptop as "encrypted, inaccessible" without querying AD; (b) a responder pulls the plug on a running machine with a mounted, unlocked LUKS volume "to preserve it"; (c) an examiner plans to chip-off the SSD from an Apple-Silicon MacBook to read it in a reader; (d) an examiner unlocks and analyzes the original evidence drive rather than a working copy; (e) an examiner sees the -FVE-FS- signature and concludes the drive is safely locked, without checking whether BitLocker is merely suspended.

29.28 (Chain of custody for a recovered key.) A key — whether from RAM, from AD escrow, or handed over by a suspect under a court order — is itself evidence. Write the chain-of-custody / provenance note for a recovered key, capturing where it came from, when, who retrieved it, under what authority, what you applied it to (a read-only working copy), and the hashes that show the original was unchanged. Explain why a key with no documented provenance can poison the admissibility of everything it unlocked.

29.29 (Progressive project — the encryption assessment.) Add the encryption assessment to your Forensic Case File (the project running since Chapter 5, assembled in Chapter 38). Produce all five artifacts the chapter specifies: (1) the entropy/signature scan output identifying any encrypted volumes by signature (or the deliberate lack of one); (2) the protector/key-slot/KDF inventory for each; (3) the lawful-key-source enumeration for this case's authority (escrow? memory image? hiberfil/pagefile? suspended/clear key? weak-password attack? compulsion path?), marking which are present and which absent; (4) the decryption record or the clinical inaccessibility finding; (5) updated hashes for any decrypted working copy. Save them to the case-file folder. In one sentence, state why an investigation that does not answer the encryption question — even with "nothing was encrypted" or "it is encrypted and inaccessible" — is not actually finished.


Self-check. You have mastered this chapter when you can, without notes: explain the key hierarchy and say why a password change never re-encrypts the disk; identify BitLocker, LUKS, and VeraCrypt (and "no signature") from a hex dump and an entropy reading; walk the four key-sources in priority order and name the first move every time (check for escrow); state the four conditions of the unbreakable wall and write the clinical "acquired, verified, and inaccessible" finding without flinching; and explain the foregone-conclusion debate and the biometrics-vs-passcode distinction well enough to tell counsel what is technically required without overstepping the legal question. If the difference between "I can't get in" and "no one can get in" still feels fuzzy, re-read "When the mathematics wins" before you ever promise anyone an outcome. Next, Chapter 30 — Anti-Forensics turns from suspects who encrypt to suspects who try to erase, hide, and falsify — and to the traces those efforts leave behind.