Tuesday, June 25, 2024

Six methods – Sophos News

This article explains various methods and available tools for extracting data from an encrypted virtual disk. For incident-response situations in which the entire virtual disk has been encrypted, these tools and methods may – may – enable the investigating team to retrieve data from the encrypted system.

Efforts to extract data from encrypted virtual disks can potentially lead to several positive outcomes: recovering customer data that is irretrievable through standard methods, helping rebuild virtualized customer infrastructure that has been compromised, and / or enriching an incident investigation timeline. To date, we have used these methods successfully in DFIR investigations involving the LockBit, Faust / Phobos, Rhysida, and Akira ransomware groups.

We'll say this at the start of the article and we'll say it again at the end: Results are not guaranteed. No data-extraction method in existence is certain to yield complete data from an encrypted VM. We will also highlight that while these methods have seen quite a high success rate in extracting forensic data that is valuable for the investigation (such as event logs, registry forensics, and the like), the success rate of retrieving data that can be used as part of the recovery process of production systems, such as databases, is much lower.

We strongly recommend that any recovery attempts be carried out on "working copies" and not the originals, lest the attempts cause unintended further damage to the devices.

In the next section we'll discuss in which situations retrieval may be possible and to what extent. After that, we'll list some factors to consider as you select which methods you'll attempt. Finally, we'll look at each method, listing the prerequisites (the tools required to attempt the method; all are required) and flagging other considerations. In the discussion of the most labor-intensive method, we'll walk through the details of the process. In this article, references to "virtual disks," "VMs," or "disk images" all refer to the same thing and can be any image of a disk such as VHD, VHDX, VMDK, RAW, and so forth. All six methods apply to Windows; a few may also work on Linux, and we'll note those in each case.

What is file / disk encryption?

When ransomware encrypts a virtual disk (or any file), the data has been essentially randomized, rendering the file unreadable by the operating system. The best-known method of decrypting a file (returning the file to its original, readable state) is via a decryptor, a software tool or program designed to reverse the process of encryption, making encrypted files readable again.

In ransomware attacks, the decryptor is created and controlled by the threat actor. In these situations, unless the ransom is paid or the decryptor becomes publicly available, other methods of data recovery must be considered.

Ransomware binaries prioritize speed over thorough encryption. Encrypting entire files would be too time-consuming, so the attackers aim to inflict maximum damage swiftly, minimizing the window for intervention. Consequently, while smaller files like documents are usually fully encrypted, larger ones such as virtual disks may have significant portions left unencrypted. This provides investigators with opportunities to use alternative methods for extracting information from these virtual disks.

Which method to use: Considerations

There are several methods that can be used when looking to extract data from an encrypted Windows VM. (Several of these methods are applicable to Linux recovery attempts as well, and we'll point those out.) In this article we'll cover six:

  • Method 1: Mounting the drive
  • Method 2: RecuperaBit
  • Method 3: bulk_extractor
  • Method 4: EVTXtract
  • Method 5: Scalpel, Foremost, and other file-recovery tools
  • Method 6: Manual carving of the NTFS partition

Which to try first? The following six considerations may help you determine which method is appropriate.

File size
Experience has shown that the larger the size of the virtual disk, the greater the chance of successful recovery. For Windows machines, this is largely because most VMs will have multiple partitions, usually three: recovery, boot, and the C: (user-visible) partition. (For this article, let's assume the drive is mapped to the usual C:.) The first two partitions hold little data of use for an incident investigation, but because encryption commonly encrypts only the first few bytes of the VM, only those partitions end up encrypted.

This, therefore, often leaves the C: partition, where customer data and potential forensic data are housed, untouched. This can help investigators to rebuild a compromised virtual machine and enrich an incident investigation.

Conversely, if the VM file is relatively small, the likelihood of recovering data is lessened. However, there may still be an opportunity to harvest event logs or registry hives.

As with any other problem in incident response, there exist multiple methods and tools for tackling the same issue. Some tools may perform better than others depending on the type of encryption. It's worth trying multiple tools to get the result you need if your first attempt fails or only partially works.

It is also important to note that tools do stop getting updated and / or supported, so consider looking for additional tools not mentioned in this guide. The tools that we are using are third-party tools, or in some cases tools that are already part of Windows or Linux (this includes Windows Subsystem for Linux [WSL]). Throughout this article and in our everyday investigations, we acknowledge the great contribution the creators of those tools have made to defense efforts, especially in those cases in which the tools weren't designed with encryption in mind.

The time available to complete the task is something worth considering; the hardware / equipment you have available may play a part in this. For instance, manual carving (Method 6) is one available option, but it can take a long time; in particular, it may require a lot of processor power, which can slow down your machine during the process. This could mean that you cannot use the machine you're using for forensic examination for other daily tasks while the process completes. (Because of this, if it's not time-sensitive, we recommend you start the manual carving process towards the end of the working day and leave your machine running overnight.) Different solutions take varying amounts of time and this should be considered.

Available storage space should be factored into your decision. Manual carving, for instance, can require quite a bit of storage space, as it will recreate a copy of the file; in other words, if you're attempting to recover a 1TB virtual hard disk, you may well need at least another 1TB for the results. This is also true of some of the file recovery tools (Method 5), particularly if the master file table (MFT) is corrupt, since in that situation the tool might "recover" huge files that don't actually exist.

File types and priorities
Clients sometimes ask us to recover specific files (particularly Word documents and PDFs), as they are not interested in anything else. If that's the case, and you don't need any further data for the investigation because all the TTPs have been accounted for, it may be more useful for you to run an automated media file recovery tool over the VM, rather than doing a full recovery of the whole disk.

In a related vein, the business's need to recover the data should be weighed in recovery decisions. For example, if the business plans to rebuild the machine, they have a working backup of the data, and it's not critical to the investigation, what's to be gained by recovering data from it? Does it need to happen? (Probably not.) A clear understanding of the business need for recovery of this specific VM leads to better allocation of precious incident-response resources.

Methods of extraction: Six methods

The methods below cover several ways of attempting to extract data from a virtual machine. This isn't an exhaustive list, since new methods and tools are being developed all the time; researching newer methods and / or tools is always encouraged, and we ourselves will likely update this article as we add methods to our own repertoire. With such a variety of options available, familiarizing yourself with the basics of each of these, then applying that knowledge to the considerations listed above, is likely the best approach, and one that gets easier with experience and practice.

All that said, though the list that follows is not in a strict order, we suggest that Method 1 should be the first step in any attempted recovery, for reasons that will become clear.

Method 1: Just mount it

Prerequisites for mounting the drive:
  • A Windows OS version that has the native Windows mounting tool
  • Third-party mounting tools
  • Imaging tools such as FTK
  • Archiving tool such as 7-Zip
Applicability: Windows, Linux

Just because you have been told that the VM is encrypted doesn't necessarily mean that it is. (Yes, cybercriminals sometimes lie.) We have encountered clients who mistakenly thought their files were encrypted when, in fact, the attacker had merely changed the file extensions. In addition, we have seen instances where attackers' encryption processes failed and actually just renamed the file.

Always try this method first because it just might work, and save a lot of time. If it doesn't succeed, you'll have lost little time and have done nothing to impede other methods of retrieval. If, on the other hand, the method succeeds and the drive does mount, you can then access the file(s) and copy and paste from them as desired. In addition, because you are merely mounting the VM, endpoint protection (that is, antimalware / antivirus programs) should not detect or remove any malicious files. This will be useful if you plan to collect samples for labs submission. Some tips for success with this method:

  • Try the 7-Zip GUI archiver; we have had a lot of success with 7-Zip in this situation
  • Mount the drive
  • If that's not working, try FTK or any other third-party mounting tool

Method 2: RecuperaBit

Prerequisites for using RecuperaBit:
  • RecuperaBit downloaded from GitHub
  • Python installed on OS of choice
  • Available storage that is equivalent in size to the VM
  • A 'sandboxed' environment / separate device / VM working environment, to avoid potential endpoint-protection detections
Applicability: Windows, Linux

RecuperaBit, created by Andrea Lazzarotto, is an automated tool that will rebuild any NTFS partitions that it can find in the encrypted VM. If it can find an NTFS partition, it will re-create the folder structure of that partition on the machine being used for examination. If successful, you can then access the file(s) and copy and paste from them as desired from the newly created directory / folder structure.

It's a Python script, so it will work on any OS that supports Python 3. It's easy to use, and only a few options are needed to get it to rebuild the encrypted VM. Experience has shown that, on average, you should get a 'yes' or 'no' as to whether it can rebuild anything of use within about 20 minutes. After that, if it can manage the rebuild, it will take roughly another 20 minutes to recreate the partition for you.

It's important to know that running RecuperaBit will likely trigger endpoint-protection detections if ransom.exe or other malicious files are present. For this reason, if you choose to use RecuperaBit in situations where you hope to recover that executable for further analysis, you should run it in an environment where endpoint protections can be safely disabled, hence the prerequisite of a sandbox.

At the time of this writing, RecuperaBit can be downloaded from GitHub. There is a user guide on the GitHub page for the tool.

Method 3: bulk_extractor

Prerequisites for using bulk_extractor:
  • bulk_extractor downloaded for Windows or Linux
  • A Linux device / WSL / working VM, if the Linux binary is to be used
  • A 'sandboxed' environment / separate device / VM working environment, to avoid potential endpoint-protection detections
Applicability: Windows, Linux

bulk_extractor (called bulk-extractor on its kali.org page, but the same program in either case) is a free tool that runs on Windows or Linux. It was created by Simson Garfinkel. It can recover system files such as Windows event logs (.EVTX) as well as media files. This tool is automated, so the investigator can start it and let it run, perhaps after hours, in the hope that it will recover something.

It's possible to configure it for specific file types or other artifacts by changing its config file. This can be very useful to speed analysis up in scenarios where you're hoping for quick, targeted, or specific results (for example, EVTX files only) rather than trying to recover the whole of the partition.

As with RecuperaBit in Method 2, running bulk_extractor will likely trigger endpoint-protection detections if ransom.exe or other malicious files are present. For this reason, if you choose to use bulk_extractor in situations where you hope to recover that executable for labs submission or similar analysis, you should run it in an environment where endpoint protections can be safely disabled, hence the above prerequisite of a sandbox.

At the time of this writing, bulk_extractor for Linux can be downloaded from GitHub. There is a user guide on the GitHub page for the tool.

Method 4: EVTXtract

Prerequisites for using EVTXtract:
  • EVTXtract downloaded from GitHub
  • A Linux device / WSL / working VM
Applicability: Windows

This specialized tool searches a block of data (in this case, an encrypted VM) for complete or partial .evtx files. If it finds any, the tool pulls them back into their original structure, which is XML. This is an automated tool that is built to run on Linux only.

XML files are notoriously difficult to work with. In this case, the file will contain incorrectly embedded EVTX fragments, so expect the output to be a bit unwieldy. To make it easier to review this tool's output, you'll need to massage the data. A couple of tips for doing this effectively:

  • Attempt to convert the file to CSV format for easier viewing
  • Use the grep command to get the results for YYYY-DD-MM (or any other date format), event IDs, keywords, or known IoCs indicating activity on the day of interest

Please note that this tool, just as the name indicates, recovers EVTX files or fragments only. If you're looking for other artifacts, you will need to use a different tool.

At the time of this writing, EVTXtract can be downloaded from GitHub. There is a user guide on the GitHub page for the tool.

Method 5: Scalpel, Foremost, or other file-recovery tools

Prerequisites for using Scalpel or Foremost:
  • Copy of Scalpel or Foremost (download links in article)
  • A Linux device / WSL / working VM
  • A sandboxed environment / separate device / VM working environment, to avoid potential endpoint-protection detections
Applicability: Windows, Linux

Turning our attention from EVTX-recovery tools to those designed to restore other kinds of files, Scalpel and Foremost are two of many free file recovery tools currently available. Though both are older tech, the Sophos IR team has had excellent results with these two in our investigations.

The original version of Scalpel, released in 2005, was based on Foremost, and the two carving and indexing applications are similar in approach. Both primarily recover media and document files, which makes them useful if your investigation is looking for documents, PDFs, or the like. For either one, the config file can be modified to focus on specific file types, or be left alone for a fuller (though slower) catch-all effort.

As mentioned, neither of these programs retrieves system files; other tools will be needed for that work. In addition, files recovered by these tools may kick off endpoint-protection detections if any malicious files are present (for instance, malicious PDFs from a phishing campaign). For this reason we recommend that investigators run these tools in a sandbox environment, where endpoint protection can be disabled, if such files need to be preserved for the investigation.

As noted above, both these programs are older technology, which means that recovery of newer file types may not be possible with these tools. Other tools exist, and the reader is invited to research those, but as easily available options these are both solid performers.

Foremost can be downloaded from GitHub, and there is a user guide on the GitHub page for the tool. It was originally developed by the US Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research. The version on GitHub does not appear to be actively maintained.

Likewise, at the time of this writing, Scalpel can be downloaded from GitHub. There is a user guide on the GitHub page for the tool. As stated on its GitHub page, this tool is not actively maintained.

Method 6: Manual carving of the NTFS partition

Prerequisites for manual carving of the NTFS partition:
  • A Linux device / WSL / working VM
  • A hex editor such as HxD or xxd
  • A version of the Windows OS that has the native Windows mounting tool
  • Third-party mounting tools
  • Imaging tools such as FTK
  • Archiving tool such as 7-Zip
  • Available storage that is equivalent in size to the VM
Applicability: Windows

In contrast to the tools and methods summarized above, manual carving takes preparation and some finer understanding of the options available to you. We'll make some suggestions for how to plan your effort, and then walk you through the specifics of working with dd, the powerful Linux utility you'll use for this work.

(Some background: dd originally stood for "data definition" and is truly one of computing's Elder Gods; it celebrates its 50th anniversary of existence in June 2024. New dd users are warned that typos can be catastrophic in this utility, earning it its alternate name of "disk destroyer"; it has been described as "a Swiss Army knife, but one that's all blades and no handle." It is recommended that investigators familiarize themselves with dd basics before proceeding. We also suggest typing the dd command into a text editor, making sure everything is correct, and then copying and pasting the command onto the command line.)

Proper manual carving requires that investigators set three switches in dd prior to running the utility: bs (bytes per sector), skip (the offset, in sectors, of the NTFS partition you aim to recreate), and count (the size of that partition in sectors). These calculations aren't necessarily difficult, but they do take time and they are not optional. This section walks you through the steps for calculating all three.

In addition, the processing itself is rather slow, possibly taking hours to complete correctly. (As mentioned above, we generally recommend you start the manual carving process at the end of the working day and leave your machine running overnight.) With some practice, however, the calculation of the switch values may take the investigator only a few minutes, and if you calculate the size of the partition you'll carve before attempting to carve it, you reduce the likelihood of wasting time and processing power. So do that.

Note finally that this process is space-intensive, possibly taking up the same amount of space the VM itself does, since you're essentially copying the VM. For example, if you're working with a 100GB VM file, you'll need another 100GB plus space in which to extract the files you want.

The process has four main steps:

  1. Analyze the encrypted VM for available NTFS partitions
  2. Carve the largest NTFS partition out and into a new file
  3. If the newly created file is intact enough, mount it in Windows
  4. Extract the artifacts you need

The utility that does the copying, dd, is built into Linux. The command is as follows:

sudo dd if=*** of=***.img bs=*** skip=*** count=*** status=progress

Again, and this cannot be emphasized enough, dd is utterly unforgiving of typos. Proceed with caution. The command and its switches may be understood as follows:

sudo = The user needs the highest privileges for this tool

dd = The utility itself

if = Stands for 'input file'; this value is the path and file name of the encrypted VM

of = Stands for 'output file'; this is the name of the recreated partition. Suggested naming is newfilename.img

bs = The bytes per sector of the partition you're carving out; this value must be entered in bytes

skip = The offset, in sectors, of the NTFS partition you're carving out, from the start of the disk / VM file

count = The size, in sectors, of the NTFS partition you're carving out

status = An optional switch to display a progress bar, to see how many bytes have been duplicated

As mentioned above, there are three values you must calculate and supply for the switches in this command: bs, skip, and count. The easiest way to work these values out is to use a GUI hex editor such as Maël Hörz's HxD (which is Windows freeware), but a command-line tool such as xxd will work if preferred. The screen captures below show the steps using HxD.

Switches: Gathering the basic values

Start HxD and load in the encrypted VM file. Click the Offset column on the far left to change it to show values in decimal (base 10). In HxD this is denoted by the letter D in brackets, as shown in Figure 1.

Screen capture of offset values displayed as base10 numbers

Figure 1: The offset values are now displayed in decimal numbers

Next, open Data Inspector from the View dropdown, as shown in Figure 2.

Screen capture showing an HxD menu

Figure 2: The View dropdown in HxD with the Data Inspector option selected

Now find the potential NTFS partitions. Highlight the very top left byte, then use the search function to search for the following hexadecimal string (as opposed to a decimal string or a text string, if such options are available).

EB 52 90 4E 54 46 53 20 20 20 20

Pay attention to which tab is open in the Find box, as shown in Figure 3.

Screen capture showing a search box with the hex string given above

Figure 3: Searching for the hex string that indicates the start of an NTFS sector

The above hexadecimal string is the 'signature byte' of an NTFS partition, so this search will find any potential NTFS partitions you can carve out. There will likely be many presented in a list, as shown in Figure 4.

Screen capture showing nine potential NTFS partitions that the search found

Figure 4: A fruitful search for potentially salvageable NTFS partitions

Once you select one of these results, you will be presented with the header of the NTFS partition in the hex viewer window, as shown in Figure 5.

Screen capture showing the NTFS header, which will be discussed below

Figure 5: The header is shown above the selected NTFS partition

The header contains the basic information you need for the bs, skip, and count values required in the dd command. Next, we'll explain how to calculate these three values. You'll need to do these in order.

To calculate the bs (bytes per sector) value

Working from the start of the NTFS partition you have selected, highlight the bytes at offsets 11 and 12, as shown in Figure 6. The value shown as Int16 in the Data Inspector is the value needed. In this example, the bs value is 512. (This value will almost always be 512. Almost.)

Screen capture showing the Int16 value highlighted in Data Inspector

Figure 6: The bytes for the bs value are highlighted, and the Data Inspector shows that the value is indeed 512

To calculate the skip value

Now that you have the bs value, calculate the skip value by dividing the header offset value by the bs value. This calculation gives the sector at which the NTFS partition begins.

For instance, the header offset decimal value for the NTFS partition highlighted in Figure 7 is 00576716800. (To be clear, the following screen captures are not from the same partition as the one in the screen captures shown above. As predicted above, though, you can see that the bs value for this NTFS partition, the bytes at offsets 11 and 12, is once again 512.)

Screen capture highlighting the base10 offset value to be divided by the bs value to get the skip value

Figure 7: The header offset value is shown in the green box

In order to calculate the skip value, divide that value by the bs value (that is, 512). In other words, do the following:

576716800 / 512 = 1126400

1126400 is the skip value.

To calculate the count value

Locate and highlight the eight bytes that start at the 41st byte from the start of the NTFS header. To find this value, in the screen below, go down two rows from the first (EB) byte of the header, go across to the 08 column, and highlight the following eight bytes, as shown in Figure 8.

Screen capture showing the Int64 count value

Figure 8: Finding the count value (highlighted)

Highlight the next eight bytes, all the way to column 15, as shown (so, bytes 41-48). The value that is shown as Int64 in the Data Inspector is the count value; in the figure above, 1995745279. This value is in sectors, and the above command needs it in sectors, so no conversion is required; note the value and you're done.

Which partition to choose?

We said above that you should choose the largest available partition to carve out. The count value indicates how large the partition is. If the partition is only a few sectors in size, it's probably not worth carving out. To increase the chances of successfully carving out the C: drive, the best approach is to find the largest partition in the initial list of NTFS partitions and carve that one out.

The largest partition should be roughly the same size as the overall VM file. However, the VM file size is shown in bytes, whereas the NTFS size is shown in total sectors. To compare them, convert the sector size of the partition into bytes.

In order to convert the sector size of the partition into bytes, multiply the sector count (as shown in the Data Inspector) by the bs value. So, using the numbers we found in the above examples:

1995745279 x 512 = 1021821582848 bytes (951.64 GB)
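The HxD steps above (find the NTFS signature, read the Int16 bytes-per-sector at bytes 11-12, read the Int64 total sectors at bytes 41-48, divide the header offset by bs for skip, multiply count by bs to compare with the VM size) can be automated. The following Python script is an added example, not code from the Sophos article or from any tool it names; it scans an image for every plausible NTFS boot sector, keeps the largest one, and renders the dd command with the switch values filled in. The sample image it builds (two boot sectors in an otherwise zero-filled buffer, the second carrying the article's count of 1995745279) and the plausibility filter on bytes-per-sector values are my own constructions.

```python
"""Scan a disk image for NTFS boot sectors and derive the dd switch values.
Added example, not from the Sophos article; it automates the HxD steps above."""
import io
import struct
from dataclasses import dataclass
from typing import BinaryIO, List, Optional

# The 11-byte pattern searched for in HxD: jump instruction + OEM ID "NTFS    ".
NTFS_SIGNATURE = b"\xEB\x52\x90NTFS    "

@dataclass
class NtfsCandidate:
    offset: int            # byte offset of the boot sector (HxD's decimal offset column)
    bytes_per_sector: int  # Int16 at bytes 11-12 of the boot sector (the bs value)
    total_sectors: int     # Int64 at bytes 41-48, zero-based offset 40 (the count value)

    @property
    def skip(self) -> int:
        # dd skip=: partition start in sectors from the start of the image
        return self.offset // self.bytes_per_sector

    @property
    def size_bytes(self) -> int:
        # count is already in sectors; multiply by bs to compare with the VM file size
        return self.total_sectors * self.bytes_per_sector

def parse_boot_sector(sector: bytes, offset: int) -> Optional[NtfsCandidate]:
    """Parse one candidate boot sector; reject anything that is not plausible NTFS."""
    if len(sector) < 48 or not sector.startswith(NTFS_SIGNATURE):
        return None
    bps = struct.unpack_from("<H", sector, 11)[0]
    total = struct.unpack_from("<Q", sector, 40)[0]
    if bps not in (512, 1024, 2048, 4096) or total == 0:
        return None  # signature hit inside encrypted/random data, not a real header
    return NtfsCandidate(offset, bps, total)

def find_ntfs_candidates(image: bytes) -> List[NtfsCandidate]:
    """Every plausible NTFS boot sector in an in-memory buffer, in offset order."""
    found, pos = [], image.find(NTFS_SIGNATURE)
    while pos != -1:
        cand = parse_boot_sector(image[pos:pos + 512], pos)
        if cand is not None:
            found.append(cand)
        pos = image.find(NTFS_SIGNATURE, pos + 1)
    return found

def scan_image(fh: BinaryIO, chunk_size: int = 64 * 1024 * 1024) -> List[NtfsCandidate]:
    """Stream a large image in overlapping chunks (a header cut by a chunk boundary is
    seen whole in the next chunk; hits duplicated by the overlap are dropped)."""
    overlap = len(NTFS_SIGNATURE) + 48
    found, seen, base, carry = [], set(), 0, b""  # base = absolute offset of buf[0]
    while True:
        data = fh.read(chunk_size)
        if not data:
            break
        buf = carry + data
        for c in find_ntfs_candidates(buf):
            if base + c.offset not in seen:
                seen.add(base + c.offset)
                found.append(NtfsCandidate(base + c.offset, c.bytes_per_sector, c.total_sectors))
        carry = buf[-overlap:]
        base += len(buf) - len(carry)
    return found

def largest_candidate(cands: List[NtfsCandidate]) -> Optional[NtfsCandidate]:
    """The article's advice: carve the largest partition, which is most likely C:."""
    return max(cands, key=lambda c: c.size_bytes) if cands else None

def dd_command(cand: NtfsCandidate, image_path: str, out_path: str) -> str:
    """Render the article's dd command with the computed switch values filled in."""
    return (f"sudo dd if={image_path} of={out_path} bs={cand.bytes_per_sector} "
            f"skip={cand.skip} count={cand.total_sectors} status=progress")

def fake_boot_sector(bps: int, total_sectors: int) -> bytes:
    """Constructed minimal NTFS boot sector: only the fields read above are populated."""
    sec = bytearray(512)
    sec[:len(NTFS_SIGNATURE)] = NTFS_SIGNATURE
    struct.pack_into("<H", sec, 11, bps)
    struct.pack_into("<Q", sec, 40, total_sectors)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

def build_sample_image() -> bytes:
    """Constructed 2 MiB image: a tiny partition at sector 2048 and a large one at
    sector 4096 whose total-sectors value is the count from the article's Figure 8."""
    img = bytearray(2 * 1024 * 1024 + 512)
    img[1048576:1048576 + 512] = fake_boot_sector(512, 100)
    img[2097152:2097152 + 512] = fake_boot_sector(512, 1995745279)
    return bytes(img)

def scan_sample(chunk_size: int = 1000) -> List[int]:
    """Skip values found when the sample image is streamed with a small, unaligned chunk."""
    return [c.skip for c in scan_image(io.BytesIO(build_sample_image()), chunk_size)]
```

Running `scan_image` over a real VM file opened in binary mode lists every candidate with its skip, count and size in bytes, so the largest one can be compared against the VM file size before dd is started.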

Ready, set…

You now have the three values you require to use the dd utility. Enter the needed values into the dd command, paste the command onto the command line if you followed our advice to do all this in a text editor, hit Enter, and dd will carve out the selected NTFS partition.

When complete, mount the new file that you just carved. You should then be able to recover what you need. If the drive doesn't mount, try 7-Zip (or other archiving tools), other mounting tools, or FTK.

To recap, Figure 9 shows an annotated diagram of the NTFS header and where the values are located.

Screen capture showing all the parts of the NTFS header we just covered

Figure 9: A colorful look at an NTFS header (the count value is marked as "total sectors in file system")


Once more, we caution the reader that results are not guaranteed; the best method of retrieving data encrypted in an attack is to pull a copy from a clean, unaffected backup. However, these methods may help the investigating team claw back data in situations where there is no other option.

When is it time to give up? Unfortunately, data cannot always be recovered fully, partially, or even at all. Expect results to vary, sometimes for no reason that can be determined. It's up to you, in consultation with the business stakeholder, to decide when to walk away from the process.


The authors wish to thank the creators of the software mentioned above. The editor wishes to thank Jonathan Espenschied for the Swiss-Army-knife-with-no-handle description of dd. Some information in this article was originally presented as part of CyberUK in May 2024.


