Forensic analysis of a ransomware attack

(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Hi everyone,
I'm using a VirtualBox virtual machine on which I installed Windows 7. Then I downloaded a ransomware sample and ran it. All right.
Now I would like to examine the file with tools for forensic analysis.
My question is, if I convert the file with FTK Imager, is there a risk that the real computer will be infected?
I run FTK on the real machine and not on a virtual machine.

 
Posted : 19/07/2019 5:50 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hi everyone,
I'm using a VirtualBox virtual machine on which I installed Windows 7. Then I downloaded a ransomware sample and ran it. All right.
Now I would like to examine the file with tools for forensic analysis.
My question is, if I convert the file with FTK Imager, is there a risk that the real computer will be infected?
I run FTK on the real machine and not on a virtual machine.

Which file? The disk image (vhd or vmdk or *whatever* you used as the backing file for the install of 7 in VirtualBox)?

What do you mean "convert" with FTK?

You mean FTK imager, right?

Generally speaking, *some* risk with ransomware (and viruses, etc.) is always present, and anyway a forensic machine should in theory be
1) air-gapped
2) freshly installed/reimaged from a verified install
3) without access to *any* important data

both to avoid the possibility that the ransomware/virus/whatever may damage the machine, its contents or contents accessible from the machine, and to guarantee (as much as possible) the integrity of the image/files under exam and the reliability of the findings of the investigation.

More specifically with ransomware, as long as you do not execute any of the executables (or scripts, etc.) on the "infected" machine you are safe; still, some caution is needed in the settings of the forensic machine. Only as an example, autoplay should be disabled, i.e. the OS should be either "throwaway" (or "volatile", like a PE or an OS in a ramdisk) or "hardened", see also

https://www.forensicfocus.com/Forums/viewtopic/t=13232/

jaclaz

 
Posted : 19/07/2019 7:12 pm
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Hi everyone,
I'm using a VirtualBox virtual machine on which I installed Windows 7. Then I downloaded a ransomware sample and ran it. All right.
Now I would like to examine the file with tools for forensic analysis.
My question is, if I convert the file with FTK Imager, is there a risk that the real computer will be infected?
I run FTK on the real machine and not on a virtual machine.

Which file? The disk image (vhd or vmdk or *whatever* you used as the backing file for the install of 7 in VirtualBox)?

What do you mean "convert" with FTK?

You mean FTK imager, right?

Generally speaking, *some* risk with ransomware (and viruses, etc.) is always present, and anyway a forensic machine should in theory be
1) air-gapped
2) freshly installed/reimaged from a verified install
3) without access to *any* important data

both to avoid the possibility that the ransomware/virus/whatever may damage the machine, its contents or contents accessible from the machine, and to guarantee (as much as possible) the integrity of the image/files under exam and the reliability of the findings of the investigation.

More specifically with ransomware, as long as you do not execute any of the executables (or scripts, etc.) on the "infected" machine you are safe; still, some caution is needed in the settings of the forensic machine. Only as an example, autoplay should be disabled, i.e. the OS should be either "throwaway" (or "volatile", like a PE or an OS in a ramdisk) or "hardened", see also

https://www.forensicfocus.com/Forums/viewtopic/t=13232/

jaclaz

Hello,
yes, FTK Imager.
I ran the ransomware on the virtual Windows 7 machine and the files were encrypted. The host system was not infected.
Now I want to examine the vmdk file with foremost, scalpel, etc., to see if we can recover the files.

With foremost can I examine the vmdk file or should I convert it to the dd format?

FTK imager is installed on the real machine and what I wanted to know is if I convert the vmdk file with FTK imager, is there the risk of infecting the real machine?

 
Posted : 19/07/2019 8:22 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

I want to examine the vmdk file with foremost, scalpel, etc., to see if we can recover the files.

Wow! You are a genius!!! lol

You can use qemu-img for converting the virtual drive to a RAW image.

OR you can use Belkasoft for carving files from the virtual drive.

 
Posted : 19/07/2019 10:36 pm
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

I want to examine the vmdk file with foremost, scalpel, etc., to see if we can recover the files.

Wow! You are a genius!!! lol

Are you being ironic? lol

 
Posted : 20/07/2019 8:29 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

With foremost can I examine the vmdk file or should I convert it to the dd format?

A good question would be which specific .vmdk format?

Hint
My (old) VirtualBox generally uses a particular format of vmdk called "monolithicFlat", which is actually two files, one very small (typically less than 1 KB) and another one as large as the virtual disk inside the VBox.
Maybe your version uses the same .vmdk format.

IF there are actually two .vmdk files, if I were you I would try opening the very small one with Notepad.
Then, check this
https://www.forensicfocus.com/Forums/viewtopic/t=15861/

As a side note, there is no such thing as "dd format", the essence of a file created with dd is that it is RAW, i.e. it has NO format.

Anyway FTK can "convert" a .vmdk to dd/RAW just fine
https://www.youtube.com/watch?v=gIZuuq9lswA

No, no risks in the "conversion".

jaclaz

 
Posted : 20/07/2019 10:43 am
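An added example (not code from this thread, from VirtualBox or from FTK Imager) that puts jaclaz's hint and Igor_Michailov's qemu-img suggestion into one script: it reads the small text descriptor, tells a two-file "monolithicFlat" pair apart from a single sparse file (the latter starts with the bytes `KDMV`), checks that the big `-flat.vmdk` extent has exactly the size the descriptor declares, hashes it for the exam record, and works out what to hand to foremost. A FLAT extent is already RAW, so it can be given to the carver as-is; a sparse file needs `qemu-img convert` first. The demo disk (64 sectors of zeros with a JPEG header planted at sector 3), the file names and the `carved` output directory are constructed for the example; the command strings are only returned, nothing is executed, and `find_magic` is a toy version of the header scan a carver performs, included to show that examining an image is pure reading.

```python
"""Added example: decide how to feed a VirtualBox .vmdk to a file carver."""
import hashlib
import os
import re
import tempfile

SECTOR = 512
SPARSE_MAGIC = b"KDMV"  # first four bytes of a monolithicSparse .vmdk

# Extent line in a descriptor: ACCESS SIZE_IN_SECTORS TYPE "filename" [offset]
EXTENT_RE = re.compile(
    r'^(?P<access>RW|RDONLY|NOACCESS)\s+(?P<sectors>\d+)\s+'
    r'(?P<type>VMFSSPARSE|VMFSRDM|VMFSRAW|VMFS|FLAT|SPARSE|ZERO)'
    r'(?:\s+"(?P<file>[^"]*)")?(?:\s+(?P<offset>\d+))?\s*$'
)

# Constructed descriptor in the shape VirtualBox writes for monolithicFlat.
DEMO_DESCRIPTOR = """# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 64 FLAT "win7-flat.vmdk" 0

# The Disk Data Base
#DDB

ddb.virtualHWVersion = "4"
ddb.adapterType = "ide"
"""


def parse_descriptor(text):
    """Parse createType and the extent table out of a text descriptor."""
    info = {"createType": None, "extents": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            info["extents"].append({
                "access": m.group("access"),
                "sectors": int(m.group("sectors")),
                "type": m.group("type"),
                "file": m.group("file"),
                "offset": int(m.group("offset") or 0),
            })
        elif "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "createType":
                info["createType"] = value.strip().strip('"')
    return info


def classify(path):
    """'sparse' for a KDMV-headed file, else 'descriptor' with the parsed text."""
    with open(path, "rb") as fh:
        if fh.read(4) == SPARSE_MAGIC:
            return "sparse", None
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return "descriptor", parse_descriptor(fh.read())


def sha256_file(path):
    """Hash the extent so the image under exam can be shown unchanged later."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def plan(path, out_dir="carved"):
    """Return a dict saying whether conversion is needed and the commands to run.
    Command strings are suggestions only; this function executes nothing."""
    kind, desc = classify(path)
    convert = [f'qemu-img convert -f vmdk -O raw "{path}" disk.raw',
               f'foremost -t all -i disk.raw -o "{out_dir}"']
    if kind == "sparse":
        return {"raw": None, "needs_conversion": True, "commands": convert}
    flat = [e for e in desc["extents"] if e["type"] == "FLAT"]
    if desc["createType"] == "monolithicFlat" and len(flat) == 1:
        raw = os.path.join(os.path.dirname(path), flat[0]["file"])
        expected = flat[0]["sectors"] * SECTOR
        actual = os.path.getsize(raw) if os.path.exists(raw) else -1
        return {"raw": raw, "needs_conversion": False,
                "expected_bytes": expected, "actual_bytes": actual,
                "size_ok": actual == expected,
                "sha256": sha256_file(raw) if actual == expected else None,
                "commands": [f'foremost -t all -i "{raw}" -o "{out_dir}"']}
    return {"raw": None, "needs_conversion": True, "commands": convert}


def find_magic(raw_path, magic):
    """Toy header scan: sector numbers whose first bytes equal `magic`."""
    hits, n = [], 0
    with open(raw_path, "rb") as fh:
        for sec in iter(lambda: fh.read(SECTOR), b""):
            if sec.startswith(magic):
                hits.append(n)
            n += 1
    return hits


def build_demo():
    """Write the constructed descriptor, a 64-sector flat extent with a JPEG
    header at sector 3, and a KDMV-headed stub into a temp directory."""
    d = tempfile.mkdtemp(prefix="vmdk_demo_")
    paths = {"descriptor": os.path.join(d, "win7.vmdk"),
             "flat": os.path.join(d, "win7-flat.vmdk"),
             "sparse": os.path.join(d, "other.vmdk")}
    with open(paths["descriptor"], "w", encoding="ascii") as fh:
        fh.write(DEMO_DESCRIPTOR)
    data = bytearray(64 * SECTOR)
    data[3 * SECTOR:3 * SECTOR + 4] = b"\xff\xd8\xff\xe0"  # JPEG SOI/APP0
    with open(paths["flat"], "wb") as fh:
        fh.write(data)
    with open(paths["sparse"], "wb") as fh:
        fh.write(SPARSE_MAGIC + b"\x00" * 508)
    return paths


if __name__ == "__main__":
    demo = build_demo()
    for p in (demo["descriptor"], demo["sparse"]):
        print(p, plan(p))
    print("JPEG headers at sectors:", find_magic(demo["flat"], b"\xff\xd8\xff\xe0"))
```

On a real two-file VM, point `plan()` at the small descriptor file, not the large `-flat.vmdk`; a size mismatch means the extent was truncated or the wrong file was copied, and the carver output would be unreliable.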
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

My question is, if I convert the file with ftk imager, is there a risk that the real computer will be infected?

I guess the real question is, when you say "convert", what do you mean?

If the VM is a .vmdk file, there is no need to convert anything…the image will open just fine in FTK Imager.

Now, following the Socratic method, if you were to open the image in FTK Imager, what are your thoughts as to how the host system would be infected? What things or steps would have to occur for that to happen?

 
Posted : 20/07/2019 10:44 am
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

My question is, if I convert the file with ftk imager, is there a risk that the real computer will be infected?

I guess the real question is, when you say "convert", what do you mean?

If the VM is a .vmdk file, there is no need to convert anything…the image will open just fine in FTK Imager.

Now, following the Socratic method, if you were to open the image in FTK Imager, what are your thoughts as to how the host system would be infected? What things or steps would have to occur for that to happen?

Convert the file from vmdk to raw.

I have to examine the vmdk file in Kali Linux with the tools foremost, scalpel, etc., to see if I can recover the files.
It is for the purpose of a university thesis.

So I need to be able to pass the vmdk file to Kali Linux so that the tools mentioned can examine the disk image.

Do you understand?

 
Posted : 20/07/2019 10:58 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Do you understand?

Rest assured the matter is clear, and BTW I already posted the answers to your questions, but you missed answering the actual questions by keydet89

Now, following the Socratic method, if you were to open the image in FTK Imager, what are your thoughts as to how the host system would be infected? What things or steps would have to occur for that to happen?

jaclaz

 
Posted : 20/07/2019 12:26 pm
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Rest assured the matter is clear, and BTW I already posted the answers to your questions, but you missed answering the actual questions by keydet89

Now, following the Socratic method, if you were to open the image in FTK Imager, what are your thoughts as to how the host system would be infected? What things or steps would have to occur for that to happen?

jaclaz

My doubt is, if I open the vmdk file with FTK Imager, is there a risk that the real system may become infected by opening it?
The ransomware process is activated at every startup.

 
Posted : 20/07/2019 1:14 pm
Page 1 / 2