Forensic analysis of a ransomware attack


Ibernato
Member
 

Forensic analysis of a ransomware attack

Post Posted: Aug 21, 19 19:43

Hi everyone,
I'm thinking of doing a degree thesis which consists of examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?  
 
  

tracedf
Senior Member
 

Re: Forensic analysis of a ransomware attack

Post Posted: Aug 22, 19 00:36

I think you're conflating two issues.

1) To what extent are files affected by ransomware able to be recovered with data recovery tools?
2) Which data recovery or file carving tool is most effective?  
 
  

athulin
Senior Member
 

Re: Forensic analysis of a ransomware attack

Post Posted: Aug 22, 19 05:22

- Ibernato
I'm thinking of doing a degree thesis which consists of examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?


Thesis to me is a serious piece of scientific study. However, the term seems to be used for other purposes. If this is one of those, I'm not interested. I'm assuming it isn't.

Any ransomware attack software? Or only one? Or some subset? How is a ransomware attack -- in the perspective of this study -- different from a 'rename to random file names and delete'? I.e. what components of the ransomware attack are relevant for your study?

Where are the limits of 'possibility'? And what are the criteria for 'recover'? Only file contents? Or file contents as well as metadata?
Only one file out of ... 50000? 50%? Are there factors that are independent of the 'ransomware' that affect recovery rate? How much will your study be affected by them?

What do you want to be able to conclude? Yes it is possible, under a lot of assumptions? (Not a useful scientific result, that). Yes, at least 75% files can always be recovered? (Raises some questions ...) Or something along those lines?

You should have a thesis advisor, who understands the scope and goals of the thesis in general. That's the right person to discuss such details with.

As far as I know, WannaCry encrypted files, and offered decryption for payment. If you're looking for remains of original files, you're basically doing a study of file carving, and the ransomware component does not seem to be entirely relevant (at least as far as I can see from your overview).

Or, you are doing a study of a particular family of ransomware, and how they try to make original file content inaccessible. Of course, if they overwrite files ... file carving is not likely to be effective.

Before you decide, do a preliminary literature study: who has already looked into this? How would your study differ from theirs? (If not at all, ... there's little reason to do a new study. It may be worthwhile to repeat it, but that's a slightly different approach.)  
 
  

Ibernato
Member
 

Re: Forensic analysis of a ransomware attack

Post Posted: Aug 22, 19 08:20

- athulin
[quotes athulin's reply of Aug 22, 19 05:22 in full; see above]


My purpose is to examine a set of ransomware and test the effectiveness of recovery tools.
I haven't found anything in the literature about it.
The aim of the thesis is therefore to understand if it is possible to recover files after a ransomware attack and study their evolution.
I want to recover the contents of the file.
I give an example. I have a set of photos, pdf files, word files and I want to recover them if I get infected with a ransomware.
 
  

trewmte
Senior Member
 

Re: Forensic analysis of a ransomware attack

Post Posted: Aug 22, 19 08:52

- Ibernato
Hi everyone,
I'm thinking of doing a degree thesis which consists of examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?


Is that examination post-exploit (held to ransom) or post-release (ransom paid or alternative method of release found)?

Are you examining disc memory or RAM or both?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

jaclaz
Senior Member
 

Re: Forensic analysis of a ransomware attack

Post Posted: Aug 22, 19 10:48

In layman's terms:
1) a ransomware encrypts files with a given encryption engine and with a given password; usually only a subset of document files are encrypted (e.g. selected by extension: .doc, .docx, .xls, .xlsx, .pdf, etcetera).
2) a ransomware may have vulnerabilities that can be leveraged to either derive the password used or decrypt the encrypted files with another password/using a different algorithm
3) a ransomware may zero out the original file or simply delete it; in this latter case some (most often partial or very partial) recovery (of the original, non-encrypted file) is possible

Specifically for Wannacry, some decrypting tools are available:
success.trendmicro.com...-decryptor

github.com/aguinet/wannakey

github.com/gentilkiwi/...i/releases

though they only work in some specific cases and with specific versions of the ransomware.

If the specific ransomware is not supported by one of the available tools (and/or the "right" conditions are not met), the files are NOT decryptable, and it is way over the capabilities of a bachelor's degree student (without - besides the UNI formation - years of experience in cryptography and programming) to write such a decrypting program.

If it is the case #3 above, as athulin suggested, there is very little connected to the actual ransomware, and everything revolves around recovering deleted files/ filesystem carving and similar, in itself nothing particularly "new" or (IMHO) with the relevance to be object of a thesis.

At the most you will be able to compile a list of exact versions of various ransomwares that in your experiments do behave as described in #3, but the amount of recoverable/recovered files will depend on a wide number of other factors (OS, filesystem used, actual use of the specific machine and of its storage units and *what not*) so that your results won't likely be reliable/repeatable in different setups.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

athulin
Senior Member
 

Re: Forensic analysis of a ransomware attack

Post Posted: Aug 22, 19 10:50

- Ibernato

My purpose is to examine a set of ransomware and test the effectiveness of recovery tools.
I haven't found anything in the literature about it.
The aim of the thesis is therefore to understand if it is possible to recover files after a ransomware attack and study their evolution.
I want to recover the contents of the file.
I give an example. I have a set of photos, pdf files, word files and I want to recover them if I get infected with a ransomware.


That sounds like investigating: a) does the strain of ransomware leave any original contents on the disk? (that question alone seems to me like a useful minor thesis, if it covers multiple types of known ransomware), b) how much original content remains? (Easy to do, by having each individual sector-/cluster-size data identify itself, and then look for those signatures. Alternatively, sector-hash existing content, and check post-factum sector hashes with pre-infection data.)  
 
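The measurement athulin sketches in (b) above (hash every sector before infection, hash again afterwards, count what still matches) and jaclaz's distinction in point 3 between "simply delete" and overwrite, put together as one added example. This is Python written for this page, not code from any thread participant, and everything in it is a stand-in: a flat, sector-aligned byte array plays the filesystem, the sample files are constructed with real magic bytes only so that carving has something to find, a keyed SHA-256 stream plays the ciphertext (it is not encryption), the two attack functions model behaviours rather than any real family, and the carver is a minimal header/footer scanner, not foremost or scalpel. The same two questions the thread raises can be asked of a real image by swapping in a dd copy taken before and after detonating a sample in a VM.

```python
"""Measure what a simulated ransomware leaves behind, then try to carve it back.

Added example, not from the thread. The per-sector hash comparison and the
header/footer carving are the real techniques; the image, the files, the
'ciphertext' and the 'ransomware' are all constructed stand-ins.
"""
import hashlib
import re

SECTOR = 512
TARGET_EXT = (".jpg", ".pdf", ".docx")   # the "by extension" subset jaclaz describes

# Constructed sample files with genuine magic bytes; not real documents.
SAMPLE_FILES = {
    "photo.jpg":  b"\xff\xd8\xff\xe0" + b"J" * 1500 + b"\xff\xd9",
    "report.pdf": b"%PDF-1.4\n" + b"P" * 2300 + b"\n%%EOF\n",
    "notes.txt":  b"plain text, no carvable signature\n" * 20,
}

# (header, footer) pairs; a tiny subset of what foremost/scalpel ship.
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}


def build_image(files, size_sectors=64):
    """Lay files out back to back, sector aligned.
    Returns (image, {name: (first_sector, n_sectors)}); the table plays the directory."""
    img = bytearray(size_sectors * SECTOR)
    table, cur = {}, 1                     # sector 0 reserved, as a boot sector would be
    for name, data in files.items():
        n = -(-len(data) // SECTOR)        # ceiling division
        img[cur * SECTOR:cur * SECTOR + len(data)] = data
        table[name] = (cur, n)
        cur += n
    return img, table


def sector_hashes(img):
    """athulin's option (b): one hash per sector, taken before and after infection."""
    return [hashlib.sha256(img[i:i + SECTOR]).digest() for i in range(0, len(img), SECTOR)]


def fake_ciphertext(length, key=b"not-a-real-key"):
    """Deterministic keyed stream standing in for ciphertext. NOT encryption; never use for real."""
    out = bytearray()
    for ctr in range(-(-length // 32)):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def attack_delete_only(img, table, name):
    """jaclaz's case 3, 'simply delete': the directory entry goes, the data stays."""
    del table[name]


def attack_encrypt_in_place(img, table, name):
    """Overwrite the original's own sectors with (fake) ciphertext; nothing original survives there."""
    start, n = table.pop(name)
    img[start * SECTOR:(start + n) * SECTOR] = fake_ciphertext(n * SECTOR)


def carve(img, signatures=SIGNATURES, max_len=64 * 1024):
    """Header/footer carving over the raw image, ignoring allocation, as foremost/scalpel do.
    Returns [(kind, offset, length)] for every header with a footer within max_len bytes."""
    raw, found = bytes(img), []
    for kind, (head, foot) in signatures.items():
        for m in re.finditer(re.escape(head), raw):
            end = raw.find(foot, m.start() + len(head), m.start() + max_len)
            if end != -1:
                found.append((kind, m.start(), end + len(foot) - m.start()))
    return found


def run_experiment():
    """Return (pre-infection table, {attack: {'survived': {file: sectors}, 'carved': [...]}})."""
    pre_img, pre_table = build_image(SAMPLE_FILES)
    pre = sector_hashes(pre_img)                       # baseline, taken before infection
    results = {}
    for label, attack in (("delete_only", attack_delete_only),
                          ("encrypt_in_place", attack_encrypt_in_place)):
        img, table = bytearray(pre_img), dict(pre_table)
        for name in [f for f in table if f.endswith(TARGET_EXT)]:
            attack(img, table, name)                   # only targeted extensions are hit
        post = sector_hashes(img)
        survived = {name: sum(pre[i] == post[i] for i in range(s, s + n))
                    for name, (s, n) in pre_table.items()}
        results[label] = {"survived": survived, "carved": carve(img)}
    return pre_table, results


if __name__ == "__main__":
    table, res = run_experiment()
    for label, r in res.items():
        print(label, "surviving sectors:", r["survived"], "carved:", r["carved"])
```

In the delete-only run every sector still hashes the same and the carver recovers both the JPEG and the PDF in full, which is the situation in which foremost "recovered my files"; in the overwrite run the targeted files have zero surviving sectors and nothing carves, while the untargeted text file is untouched. That gap between the two runs is the part of the result that depends on the ransomware; everything else (sector size, allocation, what else was written after infection) is the filesystem.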

Page 1 of 3