
Forensic analysis of a ransomware attack

15 Posts
6 Users
0 Likes
1,347 Views
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Hi everyone,
I'm thinking of doing a degree thesis which consists in examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?

 
Posted : 21/08/2019 7:43 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

I think you're conflating two issues.

1) To what extent are files affected by ransomware able to be recovered with data recovery tools?
2) Which data recovery or file carving tool is most effective?

 
Posted : 22/08/2019 12:36 am
(@athulin)
Posts: 1156
Noble Member
 

I'm thinking of doing a degree thesis which consists in examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?

Thesis to me is a serious piece of scientific study. However, the term seems to be used for other purposes. If this is one of those, I'm not interested. I'm assuming it isn't.

Any ransomware attack software? Or only one? Or some subset? How is a ransomware attack – in the perspective of this study – different from a 'rename to random file names and delete'? I.e. what components of the ransomware attack are relevant for your study?

Where are the limits of 'possibility'? And what are the criteria for 'recover'? Only file contents? Or file contents as well as metadata?
Only one file out of … 50000? 50%? Are there factors that are independent of the 'ransomware' that affect recovery rate? How much will your study be affected by them?

What do you want to be able to conclude? Yes it is possible, under a lot of assumptions? (Not a useful scientific result, that). Yes, at least 75% files can always be recovered? (Raises some questions …) Or something along those lines?

You should have a thesis advisor, who understands the scope and goals of the thesis in general. That's the right person to discuss such details with.

As far as I know, WannaCry encrypted files, and offered decryption for payment. If you're looking for remains of original files, you're basically doing a study of file carving, and the ransomware component does not seem to be entirely relevant (at least as far as I can see from your overview).

Or, you are doing a study of a particular family of ransomware, and how they try to make original file content inaccessible. Of course, if they overwrite files … file carving is not likely to be effective.

Before you decide, do a preliminary literature study who has already looked into this? How would your study differ from theirs? (If not at all, … there's little reason to do a new study. It may be worthwhile to repeat it, but that's a slightly different approach.)

 
Posted : 22/08/2019 5:22 am
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

I'm thinking of doing a degree thesis which consists in examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?

Thesis to me is a serious piece of scientific study. However, the term seems to be used for other purposes. If this is one of those, I'm not interested. I'm assuming it isn't.

Any ransomware attack software? Or only one? Or some subset? How is a ransomware attack – in the perspective of this study – different from a 'rename to random file names and delete'? I.e. what components of the ransomware attack are relevant for your study?

Where are the limits of 'possibility'? And what are the criteria for 'recover'? Only file contents? Or file contents as well as metadata?
Only one file out of … 50000? 50%? Are there factors that are independent of the 'ransomware' that affect recovery rate? How much will your study be affected by them?

What do you want to be able to conclude? Yes it is possible, under a lot of assumptions? (Not a useful scientific result, that). Yes, at least 75% files can always be recovered? (Raises some questions …) Or something along those lines?

You should have a thesis advisor, who understands the scope and goals of the thesis in general. That's the right person to discuss such details with.

As far as I know, WannaCry encrypted files, and offered decryption for payment. If you're looking for remains of original files, you're basically doing a study of file carving, and the ransomware component does not seem to be entirely relevant (at least as far as I can see from your overview).

Or, you are doing a study of a particular family of ransomware, and how they try to make original file content inaccessible. Of course, if they overwrite files … file carving is not likely to be effective.

Before you decide, do a preliminary literature study who has already looked into this? How would your study differ from theirs? (If not at all, … there's little reason to do a new study. It may be worthwhile to repeat it, but that's a slightly different approach.)

My purpose is to examine a set of ransomware and test the effectiveness of recovery tools.
I haven't found anything in the literature about it.
The aim of the thesis is therefore to understand if it is possible to recover files after a ransomware attack and study their evolution.
I want to recover the contents of the file.
I give an example. I have a set of photos, pdf files, word files and I want to recover them if I get infected with a ransomware.

 
Posted : 22/08/2019 8:20 am
(@trewmte)
Posts: 1877
Noble Member
 

Hi everyone,
I'm thinking of doing a degree thesis which consists in examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?

Is that examination post-exploit (held to ransom) or post-release (ransom paid or alternative method of release found)?

Are you examining disc memory or RAM or both?

 
Posted : 22/08/2019 8:52 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

In layman's terms
1) a ransomware encrypts files with a given encryption engine and with a given password, usually only a subset of document files are encrypted (i.e. by extension for example, .doc, .docx, .xls, .xlsx, .pdf, etcetera).
2) a ransomware may have vulnerabilities that can be leveraged to either derive the password used or decrypt the encrypted files with another password/using a different algorithm
3) a ransomware may zero out the original file or simply delete it, in this latter case some (most often partial or very partial) recovery (of the original, non-encrypted file) is possible

Specifically for Wannacry, some decrypting tools are available
https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor

https://github.com/aguinet/wannakey

https://github.com/gentilkiwi/wanakiwi/releases

though they only work in some specific cases and with specific versions of the ransomware.

If the specific ransomware (and/or the "right" conditions are not met) is not supported by one of the available tools, the files are NOT decryptable and it is way over the capabilities of a bachelor's degree student (without - besides the UNI formation - years of experience in cryptography and programming) to write such a decrypting program.

If it is the case #3 above, as athulin suggested, there is very little connected to the actual ransomware, and everything revolves around recovering deleted files/ filesystem carving and similar, in itself nothing particularly "new" or (IMHO) with the relevance to be object of a thesis.

At the most you will be able to compile a list of exact versions of various ransomwares that in your experiments do behave as described in #3, but the amount of recoverable/recovered files will depend on a wide number of other factors (OS, filesystem used, actual use of the specific machine and of its storage units and *what not*) so that your results won't likely be reliable/repeatable in different setups.

jaclaz

 
Posted : 22/08/2019 10:48 am
(@athulin)
Posts: 1156
Noble Member
 

My purpose is to examine a set of ransomware and test the effectiveness of recovery tools.
I haven't found anything in the literature about it.
The aim of the thesis is therefore to understand if it is possible to recover files after a ransomware attack and study their evolution.
I want to recover the contents of the file.
I give an example. I have a set of photos, pdf files, word files and I want to recover them if I get infected with a ransomware.

That sounds like investigating a) does the strain of ransomware leave any original contents on the disk? (that question alone seems to me like a useful minor thesis, if it covers multiple types of known ransomware), b) how much original content remains? (Easy to do, by having each individual sector-/cluster-size data identify itself, and then look for those signatures. Alternatively, sector-hash existing content, and check post-factum sector hashes with pre-infection data.)

 
Posted : 22/08/2019 10:50 am
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Is that examination post-exploit (held to ransom) or post-release (ransom paid or alternative method of release found)?

Are you examining disc memory or RAM or both?

Post-exploit and only disc memory for my thesis.

That sounds like investigating a) does the strain of ransomware leave any original contents on the disk? (that question alone seems to me like a useful minor thesis, if it covers multiple types of known ransomware), b) how much original content remains? (Easy to do, by having each individual sector-/cluster-size data identify itself, and then look for those signatures. Alternatively, sector-hash existing content, and check post-factum sector hashes with pre-infection data.)

This is my idea of thesis.
A file is stored using clusters.
When a file is deleted, those sectors remain unallocated, but there are still traces of that file until they are overwritten.

What the ransomware does is read the original file and create an encrypted copy. Finally it deletes the original file. However, the original file may still be present on the disk. So if you immediately use these tools, you could recover files.

So in my thesis I will make a list with the statistics of the recovered files.
Then there will be a chapter where we will discuss defense strategies to avoid losing data (backup, etc.).

Do you think it is a useless thesis? My professor seemed excited about this kind of work.

 
Posted : 22/08/2019 2:29 pm
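The sector-hash measurement athulin proposes (hash every sector of the pre-infection image, then check which of those hashes still occur anywhere in the post-incident image) is what would produce the "statistics of recovered files" ibernato plans. The following is an added example, not code from anyone in this thread: the disk images are constructed in-memory fixtures, the file layout (`FILE_SECTORS`, `BLANK`) is hypothetical, and the post-incident image only models clusters of the deleted original being reused by later writes.

```python
import hashlib

SECTOR = 512  # bytes per unit; use the cluster size instead for cluster-level counts


def sector_hashes(image: bytes, sector: int = SECTOR) -> list:
    """SHA-256 of every sector, indexed by sector number."""
    return [hashlib.sha256(image[off:off + sector]).hexdigest()
            for off in range(0, len(image), sector)]


def surviving_sectors(pre_image: bytes, post_image: bytes, file_sectors, sector: int = SECTOR):
    """Count the file's distinctive pre-incident sectors still present anywhere in the
    post-incident image (original or relocated position). Zero-filled sectors are excluded:
    their hash is shared by every blank sector on the disk, so a match proves nothing."""
    pre = sector_hashes(pre_image, sector)
    post = set(sector_hashes(post_image, sector))
    blank = hashlib.sha256(bytes(sector)).hexdigest()
    wanted = [pre[i] for i in file_sectors if pre[i] != blank]
    survived = sum(1 for h in wanted if h in post)
    return survived, len(wanted)


# --- constructed fixtures, not real disk images ---
N_SECTORS = 32
BLANK = {5, 9}               # hypothetical zero-filled (sparse/padding) sectors inside the file
FILE_SECTORS = range(0, 16)  # hypothetical clusters the document occupied before the incident


def _pattern(tag: str, sector: int = SECTOR) -> bytes:
    # Self-identifying content: a digest of the tag repeated to fill the sector, so every
    # sector is distinct and recognisable wherever it ends up.
    return (hashlib.sha256(tag.encode()).digest() * (sector // 32 + 1))[:sector]


def build_pre_image() -> bytes:
    return b"".join(bytes(SECTOR) if i in BLANK else _pattern(f"orig-{i}")
                    for i in range(N_SECTORS))


def build_post_image(pre: bytes, reused=frozenset({0, 4, 8, 12})) -> bytes:
    """Post-incident image: the original's clusters are unallocated and some of them
    (the constructed set `reused`) have since been overwritten by other writes."""
    out = bytearray(pre)
    for i in reused:
        out[i * SECTOR:(i + 1) * SECTOR] = _pattern(f"reused-{i}")
    return bytes(out)


if __name__ == "__main__":
    pre = build_pre_image()
    found, total = surviving_sectors(pre, build_post_image(pre), FILE_SECTORS)
    print(f"{found}/{total} distinctive sectors of the original still present ({found / total:.0%})")
```

The same comparison run against a carving tool's output, rather than the raw image, gives the recovered-versus-remaining ratio that separates what the tool missed from what was no longer on disk.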
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It is not "useless", it is IMHO very "narrow" (as AFAIK only some, not all ransomwares behave like that) and (still IMHO) very "vague", as said the issue is that the ransomware - by design - operates while the system is in use, so any results you will get will depend on the use of the computer while and after the ransomware started.

What you will get is some percentage (let's call it "probabilities") data of recoverability on an "idle" system.

What if the system is
1) a workstation
2) a network server
3) a mail server
4) etc.

How will the actual usage affect recoverability?

Is there a difference between a server with 42 clients connected and a self-standing workstation?

Is there a difference between a workstation concurrently running (say) Word to write a letter and one concurrently running (still say) Photoshop to retouch large images?

What will happen if (Vista +) the automatic (weekly) disk defrag/optimization kicks in?

What will happen if an automatic update (for the sake of the reasoning Windows 10) starts?

jaclaz

 
Posted : 22/08/2019 3:06 pm
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

What will happen if (Vista +) the automatic (weekly) disk defrag/optimization kicks in?

What will happen if an automatic update (for the sake of the reasoning Windows 10) starts?

jaclaz

Exactly. The premise is that the right precautions are immediately put in place before defragmentation begins.
The same applies to SSDs, which have the TRIM command. If TRIM is executed then all data will be lost.
Thus, this procedure will only be successful if it is done immediately.
In fact I will write this in the premises of the thesis.

 
Posted : 22/08/2019 4:34 pm