How to get data inside the encrypted file?
I'm not sure whether I'm writing in the right section, but I didn't find a more relevant one.
Background: I'm doing a DFIR CTF and I need to get the data inside a file that was encrypted by the ransomware (there aren't any decryption tools for my ransomware).
I have a .dmp image and pcap. I'm new to forensics and I'm learning on the go, maybe I missed something.
1) tried to dump my file as it was before it was encrypted, but without luck; maybe the txt file was not used by any process during the incident, or maybe I can try another tool? I used Volatility and found that there are issues with the dumpfiles plugin. What other tool can I try?
2) dumped all files that were stored in memory;
3) carved all files via foremost;
4) tried to find any useful information via HxD by searching the file name;
5) I know that my file was in a zip archive before it was encrypted, maybe that's where I need to go? Maybe I need to recover the archive, but as I understand it, the dmp is more like memory.
6) tried to find a way to see the content of the lnk file as it was before it was encrypted, but I didn't find how to do it.
7) tried to find useful information in the register dump.
I don't need this data in my investigation, but I dumped all files from the pcap and I couldn't find anything worthwhile except the ransomware file.
I have no idea what else I can try to do.
Not my strong suit, but have you checked out https://www.nomoreransom.org/ ?
Which is a joint effort between law enforcement and IT companies to battle ransomware.
So it might give you a pointer or something like that :P
Nope, to be honest I forgot about that site. heh.
Anyway, I did the CTF task )
I found the text in the memory via hex.
Some types of ransomware only do partial encryption, to save time I guess and spread as fast as possible. An example is the 'popular' STOP/DJVU ransomware family. I discovered this by accident after repairing a JPEG, which was, as I later learned, a victim of some STOP/DJVU variant. So for example here's extraction and repair of a corrupt embedded JPEG from a Canon raw (CR2) that was affected by STOP/DJVU: https://youtu.be/X5CZRg5ZB6M
Figured it might be possible to make some media affected by this ransomware playable too, and tested with a hex editor. When that appeared to work, I wrote a small tool that can make some media types playable: https://youtu.be/3AKJ27sZ9_E
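
The partial encryption mentioned in the last post can be checked on a damaged file with a per-block entropy map. This is an added example, not code from any poster or from the tool shown in the videos. The block size, threshold, function names and sample file are assumptions constructed for illustration. Intact compressed data (JPEG scan data, zip contents) is also high-entropy, so the map separates plaintext-like regions from encrypted-or-compressed ones, nothing finer.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096      # assumed analysis granularity, not a property of any ransomware
THRESHOLD = 7.5   # assumed cut-off in bits/byte for "encrypted or compressed"

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def entropy_regions(data: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Classify each block, then merge neighbours into (start, end, label) regions."""
    regions = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        # A trailing chunk shorter than ~181 bytes cannot reach 7.5 bits/byte,
        # so a short encrypted tail would be labelled "low"; inspect it by hand.
        label = "high" if shannon_entropy(chunk) >= threshold else "low"
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], off + len(chunk), label)
        else:
            regions.append((off, off + len(chunk), label))
    return regions

def low_entropy_bytes(data: bytes) -> bytes:
    """Concatenate the regions that still look like unencrypted content."""
    return b"".join(data[s:e] for s, e, lab in entropy_regions(data) if lab == "low")

def build_sample():
    """Constructed sample: 8192 pseudo-random bytes standing in for an
    encrypted header, followed by untouched plaintext lines."""
    head = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    tail = b"".join(b"line %04d of the original text file\n" % i for i in range(300))
    return head + tail, tail

if __name__ == "__main__":
    sample, _ = build_sample()
    for start, end, label in entropy_regions(sample):
        print(f"0x{start:08x}-0x{end:08x} {label}")
```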