Chapter 29 — Quiz

14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band at the bottom. Commit to an answer before you look — the "first move" and "is this a wall?" items are ones you want reflexive, because in the field you decide them under time pressure with a powered-on machine in front of you.


Multiple choice

Q1. Why is your password not the key that encrypts the disk? - A) The password is hashed, and the hash encrypts every sector directly. - B) The disk is encrypted with a large, random, machine-generated media key; your password only wraps an intermediate key, which in turn protects that media key. - C) The password is the AES key, simply padded out to 256 bits. - D) "Password" and "key" are the same thing — the distinction is marketing.

Q2. XTS-AES folds each sector's number into the encryption as a "tweak." The forensic consequence is that: - A) each sector can store an extra authentication tag. - B) the same plaintext written to two different sectors produces different ciphertext, so there are no repeated patterns or structure to exploit. - C) the encrypted volume can grow as more data is written. - D) a different AES key is used for every file.

Q3. A volume's first sector begins EB 58 90 2D 46 56 45 2D 46 53 2D. This identifies: - A) an NTFS volume. - B) a LUKS2 partition. - C) a BitLocker volume — the bytes 2D 46 56 45 2D 46 53 2D spell the -FVE-FS- signature. - D) a VeraCrypt container.

Q4. "The strength of the whole system is the strength of its weakest enabled protector." A drive with flawless AES-256 and a 40-character passphrase is still trivially openable if it also has: - A) a second data partition. - B) a TPM-only protector that auto-releases the key at boot, or a recovery key escrowed somewhere you can query. - C) XTS mode enabled instead of CBC. - D) more than one user account.

Q5. For an authorized examiner facing an encrypted drive in a managed enterprise, the correct first move is to: - A) extract the header and launch a GPU brute-force attack. - B) chill the DRAM with inverted canned air for a cold-boot attack. - C) check for an escrowed recovery key — Active Directory / Entra, an institutional FileVault key, or a LUKS admin key slot. - D) demand the password from the suspect.

Q6. A memory-based avenue (live capture, cold boot, or DMA) can recover the encryption key only when: - A) the volume uses AES-128 rather than AES-256. - B) the machine is running with the volume unlocked at the moment of capture. - C) the passphrase is shorter than twelve characters. - D) the media is an SSD rather than a spinning disk.

Q7. aeskeyfind and bulk_extractor's AES scanner locate a key in a RAM image by: - A) reading a plaintext key= string the OS conveniently leaves behind. - B) brute-forcing AES against a block of known plaintext. - C) scanning for byte sequences that form a valid AES key schedule (the expanded round keys), which is internally self-consistent in a way random data is not. - D) querying the TPM over the LPC bus.

Q8. The defining forensic property of a VeraCrypt volume is that it: - A) announces itself with a VERA signature at offset 0. - B) escrows its recovery key to the vendor's cloud. - C) has no identifiable signature — header and data alike are indistinguishable from random noise — which is what enables hidden volumes and plausible deniability. - D) is always detectable by its fixed 512-byte plaintext header.

Q9. Under the U.S. Fifth Amendment, the "foregone conclusion" doctrine turns on whether: - A) the suspect has a prior conviction for a similar offense. - B) the government already independently knows the existence, the suspect's control, and the authenticity of what it seeks — so that compelled production "adds little or nothing." - C) the encryption is strong enough to justify issuing a warrant. - D) the passphrase meets a statutory minimum length.

Q10. A Mac with an Apple T2 or Apple Silicon chip keeps its keys in the Secure Enclave. The practical forensic consequence is that: - A) you can remove the SSD and read it in any external reader. - B) you cannot remove the SSD and read it elsewhere — the keys are bound to that machine's Secure Enclave; there is no chip-off or transplant. - C) FileVault is automatically disabled on those machines. - D) the personal recovery key is laser-etched on the chip.


True/False

Q11. A suspended BitLocker volume is fully protected and cannot be mounted without a secret. (True / False)

Q12. Sound AES-XTS, plus a high-entropy memorized passphrase run through a modern KDF, plus no escrow you can reach, plus no key resident in memory, can render data permanently inaccessible to any examiner regardless of budget or tools. (True / False)


Short answer

Q13. In two or three sentences, explain why "pull the plug" can be the single most expensive reflex in modern forensics when a machine is running with an encrypted volume unlocked.

Q14. In two or three sentences, state the four conditions that together make a volume permanently inaccessible, and explain why "we're still working on it" is the dishonest answer once they all hold.

---

Answer key

Q1 — B. The data is encrypted once, with a large random media key (BitLocker's FVEK) that no human ever sees; your password merely runs through a KDF to wrap an intermediate key (the VMK), which wraps the media key. That two-level design is exactly why you can change a password in a millisecond — only the wrapping is redone — and why a single disk can have many independent ways in.

Q2 — B. The sector number is the tweak, so identical plaintext in different sectors encrypts to different ciphertext, defeating the pattern-leakage that plagued older CBC mode. The result is a volume with no repeated blocks and no recognizable boundaries — the reason a forensic tool sees only uniform, high-entropy noise.

Q3 — C. EB 58 90 is the boot jump/NOP, and 2D 46 56 45 2D 46 53 2D is the ASCII -FVE-FS- BitLocker signature. (NTFS would show 4E 54 46 53 20 20 20 20 = NTFS; LUKS would show 4C 55 4B 53 BA BE; VeraCrypt would show no signature at all.)

Q4 — B. You never attack "the encryption"; you enumerate the protectors and use the weakest one available. A TPM-only protector releases the key automatically at boot, and an escrowed recovery key sits in a directory you can query — either one opens a drive whose passphrase is, by itself, unbreakable.

Q5 — C. The overwhelming majority of successful authorized decryptions never involve a clever attack — they involve finding a recovery key someone already stored. Query the escrow first; the cold-boot, DMA, and brute-force techniques are for when escrow fails, not before.

Q6 — B. A mounted volume's media key must exist in plaintext in RAM so the CPU can decrypt sectors on the fly; power-off purges it within seconds at room temperature. Cipher strength, media type, and passphrase length are irrelevant to whether the key is in memory — only the machine being on and unlocked is.

Q7 — C. An AES key in use is stored as an expanded key schedule, whose round keys are mathematically self-consistent; aeskeyfind and bulk_extractor scan for that structure and print candidate keys, which you then test against the encrypted image. They do not brute-force the cipher and do not rely on a labeled string.

Q8 — C. Where BitLocker shows -FVE-FS- and LUKS shows LUKS\xBA\xBE, a VeraCrypt volume is a 64-byte random salt followed by an encrypted header and an encrypted data area — statistically indistinguishable from wiped free space or a corrupted partition. That ambiguity is the feature: it enables a hidden volume whose very existence cannot be proven.

Q9 — B. Fisher v. United States (1976) holds that if the government already knows the existence, possession, and authenticity of what it seeks, compelled production is non-testimonial and may be ordered. Applied to decryption, the fight is whether the government knows enough about the drive's contents (and that the suspect can decrypt it) for production to add "little or nothing" — and courts have split.

Q10 — B. On T2 and Apple Silicon Macs the internal SSD is always hardware-encrypted at the controller, with keys that never leave the Secure Enclave in plaintext and are bound to that specific chip. The removed SSD is meaningless in another machine, so acquisition must be planned around the live, authenticated device.

Q11 — False. Suspending BitLocker writes the VMK into the metadata as a clear key — an unprotected protector sitting in plaintext on the disk — so a suspended volume mounts with no secret. Always check the encryption state, not just the -FVE-FS- signature, before concluding a drive is locked.

Q12 — True. When the cipher and mode are sound, the only protector is a strong memorized passphrase through a slow KDF, nothing is escrowed, and no key is resident in memory, the only remaining attack is to guess the passphrase — and genuine entropy defeats that exactly as the AES keyspace would. This is encryption working as designed, not a skills gap.

Q13 — Model answer. When the volume is mounted, its media key is sitting in plaintext in RAM, transparently decrypting every read; the instant power is cut, that key is purged and (absent escrow) the drive becomes ciphertext no one can read. So pulling the plug throws away the one thing — the in-memory key — that makes the data accessible, often turning a fully readable machine into a permanent dead end. The correct play is to capture memory (and consider a live image of the mounted volume) before anyone touches the power.

Q14 — Model answer. A volume is permanently inaccessible when all four hold: the cipher and mode are sound (AES-XTS, not a broken scheme); the only protector is a strong, high-entropy, memorized passphrase through a modern KDF; the key is not escrowed anywhere you can lawfully reach; and there is no plaintext key in memory to capture. Once all four are true the only attack is guessing genuine entropy, which will not succeed in any timeframe that matters — so "we're still working on it" misrepresents mathematics as effort and destroys your credibility; the honest finding is "acquired, verified, and inaccessible."

Scoring: 13–14 correct — you can triage an encrypted device fast and honestly, know the first move (check escrow) and the wall (the four conditions), and can brief counsel on compulsion without overstepping. 10–12 — solid, but revisit the key-source priority order and the suspended-clear-key and biometrics-vs-passcode details. 7–9 — you have the vocabulary but not yet the reflexes; re-read "The key-source playbook" and "When the mathematics wins" before you stand in front of a powered-on encrypted machine. Below 7 — re-read the chapter end to end; here the cost of getting it wrong is a destroyed key in RAM, a drive you wrongly call unbreakable while its key sits in Active Directory, or a promise to a court that the mathematics will never let you keep.