Chapter 29 — Key Takeaways
The big idea
Strong, correctly used encryption is the one place in this book where the toolkit stops — and your professionalism is measured not by what you recover but by how precisely you understand why you can't, and which lawful door might still open. Encryption turns every sector into high-entropy noise with no structure to carve or parse, so deleted ≠ destroyed finally meets its one true exception: the data is all still there, and without the key that buys you nothing. But the password is never the key. A key hierarchy wraps a large random media key inside an intermediate key inside one or more protectors, and the whole edifice is only as strong as its weakest enabled protector. You never attack AES; you enumerate the protectors and use the one you are authorized to use — or you recognize, fast and honestly, that none exists.
The key hierarchy — the idea that explains everything
- Your password does not encrypt the disk. A random media key (BitLocker's FVEK) encrypts every sector with AES in XTS mode; your password, a recovery key, a TPM, or a startup key merely wraps an intermediate key (the VMK) that wraps the media key.
- That is why changing a password never re-encrypts the disk — only the wrapping is redone — and why one disk can have many independent ways in (BitLocker "key protectors," LUKS "key slots," FileVault user/recovery keys).
- TPM-only auto-releases the key at boot; TPM+PIN gates it on a human secret. Convenience features (auto-unlock, suspended clear keys) are doors an examiner can later walk through.
The four systems at a glance
| System | Signature on disk | Default crypto | The key source that most often helps |
|---|---|---|---|
| BitLocker | -FVE-FS- |
XTS-AES-128 | 48-digit recovery password escrowed in AD / Entra / MS account |
| FileVault 2 | APFS encryption flag | AES-XTS | iCloud personal key or institutional FileVaultMaster.keychain |
| LUKS | LUKS\xBA\xBE (readable header) |
aes-xts-plain64, Argon2id | an added admin key slot (luksDump shows slots) |
| VeraCrypt | none — by design | AES/Serpent/Twofish + PIM | usually none; a key recovered from memory |
T2 and Apple-Silicon Macs bind keys to the Secure Enclave — no chip-off, no transplant; plan acquisition around the live, authenticated machine.
The key-source playbook (in priority order)
- Escrow first — the quiet, common win. AD/Entra, an institutional FileVault key, a LUKS admin slot, a personal Microsoft/iCloud key. Query it before any clever attack; this is where most authorized decryptions actually succeed.
- Keys in memory — live capture, cold-boot, or DMA — but only if the machine is running with the volume unlocked. Power-off purges the key in seconds. This is why "don't pull the plug" can be the most expensive reflex in modern forensics.
- Extract the key from a RAM image,
hiberfil.sys, page file, or crash dump withaeskeyfind,bulk_extractor, Elcomsoft, or Passware (they validate the AES key schedule, not the cipher). - Implementation weaknesses — TPM-only bus sniffing, suspended clear keys, weak passphrases via
*2john+ Hashcat — all throttled by deliberately slow KDFs, so only careless secrets fall.
When the mathematics wins
When all four hold, the volume is permanently inaccessible — and that is encryption working as designed, not a skills gap:
- sound cipher and mode (AES-XTS), so no cryptographic shortcut;
- the only protector is a strong, high-entropy, memorized passphrase through a modern KDF;
- no escrow you can lawfully reach; and
- no plaintext key in memory to capture.
The honest finding — "acquired, verified, and inaccessible" — is a complete and professional result. Overreaching past it is where examiners lose credibility.
The legal last door
When every technical door is shut, the last one is the law. In the U.S. the Fifth Amendment fight turns on the foregone-conclusion doctrine (a memorized passphrase is the "combination," not the "key"), and courts are split. Biometrics may be compellable where a passcode is not — so the unlock window can close on a reboot. Abroad, key-disclosure laws (UK RIPA, France, Australia, India) jail those who refuse. Your job is to tell counsel exactly what is technically required — never to argue the constitutional question yourself.
You can now…
- ☐ Explain the key hierarchy and why changing a password never re-encrypts the disk.
- ☐ Identify BitLocker, FileVault, LUKS, and VeraCrypt (or "no signature") by disk artifact and entropy, and enumerate their protectors.
- ☐ Walk the four key-sources in priority order and name the first move every time — check for escrow.
- ☐ Recognize the four-condition wall instantly and write the clinical "acquired, verified, and inaccessible" finding.
- ☐ Brief counsel on the foregone-conclusion debate and biometrics-vs-passcode timing without overstepping the legal question.
Looking ahead
Chapter 30 — Anti-Forensics. From suspects who encrypt to suspects who try to erase, hide, and falsify — wiping, timestomping, log deletion, steganography — and, in keeping with theme three, the tell-tale trace each leaves for the examiner who knows where to look.
One sentence to carry forward: You never break the encryption — you find the key you are authorized to use, or you state, precisely and without apology, that there isn't one.