Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ€” at no additional cost to you.

Chapter 29 โ€” Further Reading

Foundations (๐Ÿ”ฌ / deeper)

  • "Serious Cryptography," 2nd ed. โ€” Jean-Philippe Aumasson (No Starch Press). The clearest modern explanation of AES, block-cipher modes (including XTS), and key-derivation functions (PBKDF2, scrypt, Argon2). Read the chapters on symmetric encryption and KDFs and the whole key-hierarchy idea stops being abstract.
  • FIPS 197 (AES), NIST SP 800-38E (XTS-AES), and IEEE 1619. The primary standards behind every system in this chapter. You do not memorize them, but knowing they exist โ€” and naming them on the stand โ€” is the difference between "it's just encrypted" and expert testimony.
  • "Lest We Remember: Cold Boot Attacks on Encryption Keys" โ€” Halderman et al. (USENIX Security 2008). The original cold-boot paper; short, readable, and the source of the DRAM-remanence facts. Pair it with F-Secure's 2018 update showing the attack still works against modern sleep states.

Approachable explanations (everyone)

  • Microsoft BitLocker documentation (learn.microsoft.com). Protectors, the 48-digit recovery password, manage-bde, Get-BitLockerVolume, Active Directory / Entra escrow, suspend/resume, and auto-unlock โ€” the authoritative source for everything in the BitLocker section.
  • Apple Platform Security Guide (support.apple.com). FileVault, the Secure Enclave, the T2 chip, and why a T2/Apple-Silicon SSD cannot be read off-machine. The single best primer on hardware-bound keys.
  • The cryptsetup / LUKS FAQ and on-disk format spec (gitlab.com/cryptsetup/cryptsetup). LUKS1 vs LUKS2, key slots, Argon2id, and luksDump/luksHeaderBackup. The VeraCrypt documentation (veracrypt.fr) is the companion for hidden volumes and the PIM.
  • ๐Ÿ” aeskeyfind and bulk_extractor (Simson Garfinkel et al.) โ€” GitHub. The open-source AES-key-schedule scanners from the cold-boot lineage. Read each README to understand what they validate (round-key structure) and why that finds a key in noise.
  • ๐Ÿ›ก๏ธ "The Art of Memory Forensics" โ€” Ligh, Case, Levy & Walters (Wiley), and Volatility. The memory-analysis backbone of Chapter 22; the place key extraction is corroborated against live process state.
  • ๐Ÿ” Elcomsoft Forensic Disk Decryptor and Passware Kit Forensic โ€” vendor docs. Commercial tools that ingest a memory dump, hiberfil.sys, or page file and recover the FVEK/VMK for BitLocker, FileVault, TrueCrypt/VeraCrypt, LUKS, and PGP. Their documentation is a fine map of where keys hide.
  • ๐Ÿ›ก๏ธ Hashcat wiki and the John the Ripper "jumbo" suite โ€” bitlocker2john, luks2john, veracrypt2john. The weak-passphrase avenue, with the mode numbers from the chapter (BitLocker -m 22100, LUKS1 -m 14600). The wiki's benchmark pages make the KDF "tax" viscerally real.
  • ๐Ÿ“œ Orin Kerr's writing on compelled decryption and the Fifth Amendment, and EFF's compelled-decryption resources. The clearest lay treatments of the foregone-conclusion split and the biometrics-vs-passcode distinction โ€” read before you ever advise counsel.

Reference (this book)

Do, don't just read

  • Build and break your own. On a machine you own, create a VeraCrypt container and a LUKS volume; run the entropy scanner; read the LUKS header with luksDump; confirm the VeraCrypt container shows no signature at all. Feeling the difference on your own data beats any diagram.
  • Watch a suspended BitLocker volume mount with no secret. Encrypt a test drive, manage-bde -off-suspend it, and see it open clear-key; then resume and watch it re-lock. You will never again mistake "suspended" for "protected."
  • Recover your own key from RAM. On a VM, leave an encrypted volume unlocked, capture memory with WinPmem, run aeskeyfind, and pull out your key. The in-memory key stops being theory the moment you hold it.
  • Find your real recovery key. Retrieve your own BitLocker key from your Microsoft account or your org's escrow โ€” learn the workflow before a case depends on it.

Next: Chapter 30 โ€” Anti-Forensics: from suspects who lock the data away to suspects who try to erase, hide, and falsify it โ€” and the traces every such effort leaves behind.