Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ at no additional cost to you.
Chapter 29 โ Further Reading
Foundations (๐ฌ / deeper)
- "Serious Cryptography," 2nd ed. โ Jean-Philippe Aumasson (No Starch Press). The clearest modern explanation of AES, block-cipher modes (including XTS), and key-derivation functions (PBKDF2, scrypt, Argon2). Read the chapters on symmetric encryption and KDFs and the whole key-hierarchy idea stops being abstract.
- FIPS 197 (AES), NIST SP 800-38E (XTS-AES), and IEEE 1619. The primary standards behind every system in this chapter. You do not memorize them, but knowing they exist โ and naming them on the stand โ is the difference between "it's just encrypted" and expert testimony.
- "Lest We Remember: Cold Boot Attacks on Encryption Keys" โ Halderman et al. (USENIX Security 2008). The original cold-boot paper; short, readable, and the source of the DRAM-remanence facts. Pair it with F-Secure's 2018 update showing the attack still works against modern sleep states.
Approachable explanations (everyone)
- Microsoft BitLocker documentation (learn.microsoft.com). Protectors, the 48-digit recovery password,
manage-bde,Get-BitLockerVolume, Active Directory / Entra escrow, suspend/resume, and auto-unlock โ the authoritative source for everything in the BitLocker section. - Apple Platform Security Guide (support.apple.com). FileVault, the Secure Enclave, the T2 chip, and why a T2/Apple-Silicon SSD cannot be read off-machine. The single best primer on hardware-bound keys.
- The cryptsetup / LUKS FAQ and on-disk format spec (gitlab.com/cryptsetup/cryptsetup). LUKS1 vs LUKS2, key slots, Argon2id, and
luksDump/luksHeaderBackup. The VeraCrypt documentation (veracrypt.fr) is the companion for hidden volumes and the PIM.
In practice (๐พ Recovery ยท ๐ Examiner ยท ๐ก๏ธ IR ยท ๐ Legal)
- ๐
aeskeyfindandbulk_extractor(Simson Garfinkel et al.) โ GitHub. The open-source AES-key-schedule scanners from the cold-boot lineage. Read each README to understand what they validate (round-key structure) and why that finds a key in noise. - ๐ก๏ธ "The Art of Memory Forensics" โ Ligh, Case, Levy & Walters (Wiley), and Volatility. The memory-analysis backbone of Chapter 22; the place key extraction is corroborated against live process state.
- ๐ Elcomsoft Forensic Disk Decryptor and Passware Kit Forensic โ vendor docs. Commercial tools that ingest a memory dump,
hiberfil.sys, or page file and recover the FVEK/VMK for BitLocker, FileVault, TrueCrypt/VeraCrypt, LUKS, and PGP. Their documentation is a fine map of where keys hide. - ๐ก๏ธ Hashcat wiki and the John the Ripper "jumbo" suite โ
bitlocker2john,luks2john,veracrypt2john. The weak-passphrase avenue, with the mode numbers from the chapter (BitLocker-m 22100, LUKS1-m 14600). The wiki's benchmark pages make the KDF "tax" viscerally real. - ๐ Orin Kerr's writing on compelled decryption and the Fifth Amendment, and EFF's compelled-decryption resources. The clearest lay treatments of the foregone-conclusion split and the biometrics-vs-passcode distinction โ read before you ever advise counsel.
Reference (this book)
- Appendix A โ File Signatures Reference: the
-FVE-FS-andLUKS\xBA\xBEsignatures and why VeraCrypt has none. - Appendix E โ Legal Frameworks Reference: Fifth Amendment, foregone conclusion, and foreign key-disclosure laws, with citations.
- Appendix B โ Python Forensics Toolkit and Appendix H โ Command-Line Reference: the entropy scanner, plus
manage-bde,cryptsetup,fdesetup, andaeskeyfind. - Chapter 15 โ Live Response and Triage and Chapter 25 โ The Legal Framework: the capture-the-key decision and the law beneath compulsion.
Do, don't just read
- Build and break your own. On a machine you own, create a VeraCrypt container and a LUKS volume; run the entropy scanner; read the LUKS header with
luksDump; confirm the VeraCrypt container shows no signature at all. Feeling the difference on your own data beats any diagram. - Watch a suspended BitLocker volume mount with no secret. Encrypt a test drive,
manage-bde -off-suspend it, and see it open clear-key; then resume and watch it re-lock. You will never again mistake "suspended" for "protected." - Recover your own key from RAM. On a VM, leave an encrypted volume unlocked, capture memory with WinPmem, run
aeskeyfind, and pull out your key. The in-memory key stops being theory the moment you hold it. - Find your real recovery key. Retrieve your own BitLocker key from your Microsoft account or your org's escrow โ learn the workflow before a case depends on it.
Next: Chapter 30 โ Anti-Forensics: from suspects who lock the data away to suspects who try to erase, hide, and falsify it โ and the traces every such effort leaves behind.