Forensic Science International: Digital Investigation
release_mwj6q3i5erhkrgvb6nfvc2jjbq
by
Simon R. Davies, Richard Macfarlane, William J. Buchanan
2020
Abstract
Memory was captured from a system infected by ransomware and its contents were
examined using live forensic tools, with the intent of identifying the
symmetric encryption keys being used. NotPetya, Bad Rabbit and Phobos hybrid
ransomware samples were tested during the investigation. If keys were
discovered, the following two steps were also performed. Firstly, a timeline
was manually created by combining data from multiple sources to illustrate the
ransomware's behaviour as well as showing when the encryption keys were present
in memory and how long they remained there. Secondly, an attempt was made to
decrypt the files encrypted by the ransomware using the found keys. In all
cases, the investigation was able to confirm that it was possible to identify
the encryption keys used. A description of how these found keys were then used
to successfully decrypt files that had been encrypted during the execution of
the ransomware is also given. The resulting timelines provided an
excellent way to visualise the behaviour of the ransomware and the encryption
key management practices it employed, and to show, from a forensic investigation and
possible mitigation point of view, when the encryption keys are present in memory.
2012.08487v1