Hello Guys
I got a client who had his system encrypted by ransomware. His system is running in a raid setup.
I am wondering, when a file is encrypted, does it take the original and encrypt it, thereby creating a new file, in which case it is possible to carve the original file, or is that not possible?
I was thinking of using FTK Imager to do a live capture.
Thanks and take care
Kitty.
Not answerable in this form. What ransomware exactly was in use?
Surprisingly, it depends on the specific exact ransomware, including the specific exact variant.
Some ransomware was badly coded (and partial data can be recovered the way you suggested), some other ransomware has been badly coded and decryption keys can be calculated (thus recovering ALL the data), most is unfortunately "well" coded and there are no known ways to recover data.
jaclaz
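The difference jaclaz describes, between a family whose leftovers can be carved and one whose cannot, comes down to how the malware writes. Below is an added toy model (not code from this thread, and not real ransomware or a real file system): a cluster-addressed "disk" with a placeholder XOR cipher standing in for the malware's real encryption, two write patterns, and a plain header/footer carver run over the raw bytes afterwards. The sample JPEG and PDF are constructed; only their start and end markers are real signatures.

```python
"""Toy model of two ransomware write patterns and what a signature carver
recovers from the raw disk afterwards.  Constructed illustration: the "file
system", the XOR "cipher" and the sample files are stand-ins, not real
ransomware or a real volume format."""
import random

CLUSTER = 512
# header / footer signatures a carver looks for (real JPEG and PDF markers)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


class ToyDisk:
    """Cluster-addressed disk: deleting a file only frees its clusters."""

    def __init__(self, n_clusters=64):
        self.data = bytearray(n_clusters * CLUSTER)  # zero-filled volume
        self.free = list(range(n_clusters))          # free cluster numbers
        self.files = {}                              # name -> (clusters, size)

    def _put(self, clusters, content):
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk

    def write(self, name, content):
        n = -(-len(content) // CLUSTER)              # ceiling division
        clusters, self.free = self.free[:n], self.free[n:]
        self._put(clusters, content)
        self.files[name] = (clusters, len(content))

    def read(self, name):
        clusters, size = self.files[name]
        raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return raw[:size]

    def overwrite(self, name, content):
        clusters, _ = self.files[name]
        self._put(clusters, content)                 # same clusters, new bytes
        self.files[name] = (clusters, len(content))

    def delete(self, name):
        clusters, _ = self.files.pop(name)
        # Only metadata goes; the bytes stay until the clusters are reused.
        # Freed clusters are appended, so they are reused last (real file
        # systems differ, and earlier reuse means less left to carve).
        self.free = self.free + clusters


def toy_encrypt(plain, seed=42):
    """Stand-in for the malware's cipher: same length, no recognisable structure."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in plain)


def ransomware_copy_then_delete(disk, name):
    """Pattern A: write ciphertext to a new file, then delete the original."""
    disk.write(name + ".locked", toy_encrypt(disk.read(name)))
    disk.delete(name)


def ransomware_in_place(disk, name):
    """Pattern B: overwrite the original file's own clusters."""
    disk.overwrite(name, toy_encrypt(disk.read(name)))


def carve(image, signatures=SIGNATURES, max_size=1 << 20):
    """Header/footer carving over a raw image, ignoring any file system."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:
                pos = image.find(head, pos + 1)
                continue
            found.append((kind, pos, bytes(image[pos:end + len(tail)])))
            pos = image.find(head, end + len(tail))
    return found


# constructed sample files with valid start/end markers
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"<jpeg payload>" * 60 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n" + b"1 0 obj <</Type/Page>> endobj\n" * 40 + b"%%EOF"


def run_scenario(pattern):
    """Infect a fresh toy disk with one write pattern; return carved originals."""
    disk = ToyDisk()
    disk.write("photo.jpg", SAMPLE_JPEG)
    disk.write("invoice.pdf", SAMPLE_PDF)
    for name in ("photo.jpg", "invoice.pdf"):
        pattern(disk, name)
    return {kind: data for kind, _, data in carve(disk.data)}


if __name__ == "__main__":
    for pattern in (ransomware_copy_then_delete, ransomware_in_place):
        carved = run_scenario(pattern)
        print(f"{pattern.__name__}: carved {sorted(carved)}")
```

Pattern A leaves both originals in their old clusters, so the carver gets them back byte for byte; pattern B leaves nothing with a recognisable header. On a real disk the copy-then-delete case degrades quickly as the freed clusters get reused, which is why imaging before doing anything else on the box matters, and fragmented files need a smarter carver than this first-header-to-first-footer one.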
Thank you for the reply, I am doing a live capture now.
Do not forget to capture the memory! It may contain the encryption key! So if everything is encrypted on the disc, this key might rescue the data.
best regards,
Robin
I never thought of that, thank you for that info.
Should I use Volatility to analyze the memory, or are there other options available to me?
You are welcome. Whether an encryption key is really held in memory depends on the version of the ransomware. If you capture the memory and image the hard drive, you have done everything you can do NOW in this "Evidence Collection Phase". This might be enough to rescue the data… but it is still possible that all those files are lost and there is nothing unencrypted which could help you.
Try to identify the kind of ransomware and its "specifications". Even if you can't rescue anything, you might be able to do this in a few months when the FBI has arrested those criminals. So put the disc on a shelf and do not install a new Windows OS on it.
Good hunting!
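On the "key in memory" point: the usual way to look for one in a raw dump is the technique behind tools such as aeskeyfind, which is independent of Volatility. A process that has an AES key loaded normally keeps the expanded key schedule next to it, and the schedule is a deterministic function of the key, so every 16-byte window of the image can be treated as a candidate key, expanded, and compared with the bytes that follow. The block below is an added example, not code from this thread: it derives the AES S-box from its definition, implements the AES-128 schedule, scans a constructed in-memory "dump" (random filler plus one planted schedule using the FIPS-197 Appendix A.1 test key), and reports the offset and key. Caveats: it only finds AES-128 schedules that are contiguous and intact, and many families generate a fresh key per file and wrap it with an RSA public key, so a key you recover may only unlock the file being worked on when the capture was taken.

```python
"""Scan a raw memory image for AES-128 key schedules, the way tools such as
aeskeyfind do: every 16-byte window is treated as a candidate key, expanded
with the AES key schedule, and accepted if the expansion matches the bytes
that follow it.  Added, constructed example: the "memory image" is built
inline and is not a real dump."""
import random


def _make_sbox():
    """Build the AES S-box from its definition (GF(2^8) inverse + affine map)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def next_round_key(prev: bytes, rcon: int) -> bytes:
    """One step of the AES-128 key schedule: 16 bytes in, next 16 bytes out."""
    w = [prev[i:i + 4] for i in range(0, 16, 4)]
    t = bytes(SBOX[b] for b in w[3][1:] + w[3][:1])   # RotWord + SubWord
    t = bytes([t[0] ^ rcon, t[1], t[2], t[3]])         # XOR Rcon
    out = []
    for i in range(4):
        t = bytes(a ^ b for a, b in zip(w[i], t))
        out.append(t)
    return b"".join(out)


def expand_key_128(key: bytes) -> bytes:
    """Full 176-byte AES-128 key schedule as it sits in memory."""
    sched = [bytes(key)]
    for rcon in RCON:
        sched.append(next_round_key(sched[-1], rcon))
    return b"".join(sched)


def find_aes128_keys(image: bytes):
    """Return (offset, key) for every complete AES-128 schedule in image."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cur = image[off:off + 16]
        for r, rcon in enumerate(RCON):
            nxt = next_round_key(cur, rcon)
            if image[off + 16 * (r + 1):off + 16 * (r + 2)] != nxt:
                break                                  # not a schedule, move on
            cur = nxt
        else:
            hits.append((off, bytes(image[off:off + 16])))
    return hits


# FIPS-197 Appendix A.1 test key, used here as the "ransomware's" key
DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def build_demo_image(key=DEMO_KEY, size=8192, at=1000, seed=7) -> bytes:
    """Constructed memory image: random filler with one expanded key schedule."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    img[at:at + 176] = expand_key_128(key)
    return bytes(img)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_demo_image()):
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

Run against a real dump, replace build_demo_image() with the bytes of the raw capture (a full-memory image scans in minutes with this pure-Python loop on a machine of a few GB; the compiled tools are much faster). A hit gives you a key to try against a sample of the encrypted files with the mode and IV handling the family is known to use, which is why identifying the exact variant, as advised above, comes first.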