Extracting information from encrypted digital disks: six strategies – Cyber Tech

This text explains numerous methods and available instruments for extracting information from an encrypted digital disk. For incident-response conditions through which your complete digital disk has been encrypted, these instruments and methods could – could – allow the investigating workforce to retrieve information from the encrypted system.

Efforts to extract information from encrypted digital disks can doubtlessly result in a number of optimistic outcomes: recovering buyer information that’s irretrievable through customary strategies, serving to rebuild virtualized buyer infrastructure that has been compromised, and / or enriching an incident investigation timeline. To date, we’ve used these methods efficiently in DFIR investigations involving the LockBit, Faust / Phobos, Rhysida, and Akira ransomware teams.

We’ll say this in the beginning of the article and we’ll say it once more on the finish: Outcomes usually are not assured. No data-extraction methodology in existence is for certain to yield full information from an encrypted VM. We may even spotlight that whereas these strategies have seen fairly a excessive success price in extracting forensic information that’s invaluable for the investigation (akin to occasion logs, registry forensics, and the like), the success price of retrieving information that can be utilized as a part of the restoration strategy of manufacturing techniques, akin to databases, is far decrease.

We strongly suggest that any restoration makes an attempt must be carried out on “working copies” and never the originals, lest the makes an attempt trigger unintended additional harm to the units.

Within the subsequent part we’ll focus on through which conditions retrieval could also be doable and to what extent. After that, we’ll listing some elements to consider as you choose which strategies you’ll try. Lastly, we’ll have a look at every methodology, itemizing the stipulations (the instruments required to aim the strategy; all are required) and flagging different issues. Within the dialogue of essentially the most labor-intensive methodology, we’ll stroll by way of the main points of the method. On this article, references to “digital disks,” “VM’s,” or “disk pictures” all confer with the identical factor and will be any picture of a disk akin to VHD, VHDX, VMDK, RAW, and so forth. All six methods apply to Home windows; just a few additionally may fit on Linux, and we’ll word these in every case.

What’s file / disk encryption?

When ransomware encrypts a digital disk (or any file), the information has been basically randomized, rendering the file unreadable by the working system. Probably the most well-known methodology of decrypting a file (returning the file to its unique, readable state) is through a decryptor, a software program device or program designed to reverse the method of encryption, making encrypted information readable once more.

In ransomware assaults, the decryptor is created and managed by the risk actor. In these conditions, except the ransom is paid or the decryptor turns into publicly accessible, different strategies of knowledge restoration should be thought-about.

Ransomware binaries prioritize velocity over thorough encryption. Encrypting complete information could be too time-consuming, so the attackers purpose to inflict most harm swiftly, minimizing the window for intervention. Consequently, whereas smaller information like paperwork are normally absolutely encrypted, bigger ones akin to digital disks could have vital parts left unencrypted. This gives investigators with alternatives to make use of numerous methods for extracting info from these digital disks.

Which methodology to make use of: Concerns

There are a number of strategies that can be utilized when seeking to extract information from an encrypted Home windows VM. (Just a few of those methods are relevant to Linux restoration makes an attempt as effectively, and we’ll point out these.) On this article we’ll cowl six:

Which to attempt first? The next six issues could assist you to decide which methodology is suitable.

File measurement
Expertise has proven that the bigger the dimensions of the digital disk, the better the possibility of profitable restoration. For Home windows machines, that is largely as a result of most VMs could have a number of partitions, normally three — restoration, boot, and the C: (user-visible) partition. (For this text, let’s assume the drive is mapped to the same old C:.) The primary two partitions maintain little information of use for an incident investigation, however as a result of encryption generally encrypts the primary few bytes of the VM, solely these partitions find yourself encrypted.

This, due to this fact, typically leaves the C: partition, the place buyer information and potential forensic information is housed, untouched. This can assist investigators to rebuild a compromised digital machine and enrich an incident investigation.

Conversely, if the VM file is comparatively small, the chance of recovering information is lessened. Nevertheless, there nonetheless could also be a possibility to reap occasion logs or registry hives.

Instruments
As with all different downside in incident response, there exist a number of strategies and instruments for tackling the identical situation. Some instruments could carry out higher than others relying on the kind of encryption. It’s value attempting a number of instruments to get the consequence you want in case your first try fails or solely partially works.

It’s also vital to notice that instruments do cease getting up to date and / or supported, so take into account in search of further instruments not talked about on this information. The instruments that we’re utilizing are third-party instruments, or in some circumstances instruments which are already a part of Home windows or Linux (this consists of Home windows Subsystem for Linux [WSL]). All through this text and in our on a regular basis investigations, we acknowledge the good contribution the creators of these instruments have made to protection efforts, particularly in these circumstances through which the instruments weren’t designed with encryption in thoughts.

Time
The time accessible to finish the duty is one thing value contemplating; the {hardware} / tools you’ve accessible could play a component on this. As an example, guide carving (Technique 6) is one accessible choice, however this will take a very long time; particularly, it may require numerous processor energy, which might decelerate your machine in the course of the course of. This might result in you not having the ability to use the machine you’re utilizing for forensic examination for different every day duties while this course of completes. (Due to this, if it’s not time-sensitive, we suggest you begin the guide carving course of in direction of the tip of the working day and depart your machine operating in a single day.) Completely different options take various quantities of time and this must be thought-about.

Storage
Obtainable cupboard space must be factored into your determination. Guide carving, for example, can require fairly a little bit of cupboard space, as it’ll recreate a duplicate of the file; in different phrases, in case you are attempting to recuperate a 1TB digital exhausting disk, it’s possible you’ll effectively want no less than one other 1TB for the outcomes. That is additionally true with a few of the file restoration instruments (Technique 5), notably if the grasp file desk (MFT) is corrupt, since in that state of affairs the device might “recuperate” big information that don’t truly exist.

File sorts and priorities
Shoppers often ask us to recuperate particular information (notably Phrase paperwork and PDFs), as they aren’t enthusiastic about anything. If that’s the case, and you don’t want any additional information for the investigation as all of the TTPs have been accounted for, it might be extra helpful so that you can run an automatic media file restoration device over the VM, relatively than doing a full restoration of the entire disk.

Want
In a associated vein, the enterprise’s have to recuperate the information must be weighed in restoration choices. For instance, if the enterprise plans to rebuild the machine, they’ve a working backup of the information, and it’s not essential to the investigation, what’s to be gained by recovering information from it? Does it have to occur? (In all probability not.) A transparent understanding of the enterprise want for restoration of this particular VM results in higher allocation of treasured incident-response assets.

Strategies of extraction: Six methods

The strategies under cowl a number of methods of trying to extract information from a digital machine. This isn’t an exhaustive listing, since new strategies and instruments are being developed on a regular basis; researching newer methods and or instruments is all the time inspired, and we ourselves will doubtless replace this text as we add methods to our personal repertoire. With such a wide range of choices accessible, familiarizing your self with the fundamentals of every of those, then making use of that information to the issues listed above, is probably going the perfect strategy – and one which will get simpler with expertise and follow.

All that mentioned, although the listing that follows just isn’t in a strict order, we recommend that Technique 1 must be step one in any tried restoration, for causes that shall be clear.

Technique 1:  Simply mount it

Simply because you’ve been instructed that the VM is encrypted doesn’t essentially imply that it’s. (Sure, cybercriminals generally lie.) We’ve encountered purchasers who’ve mistakenly thought their information have been encrypted when, the truth is, the attacker had merely modified the file extensions. As well as, we have now seen cases the place attackers’ encryption processes have failed and truly simply renamed the file.

All the time do that methodology first because it simply would possibly work — and save numerous time. If it doesn’t succeed, you’ll have misplaced little time and have achieved nothing to impede different strategies of retrieval. If, alternatively, the strategy succeeds and the drive does mount, you may then entry the file(s) and duplicate and paste from them as desired. As well as, since you are merely mounting the VM, endpoint safety (that’s, antimalware / antivirus packages) shouldn’t detect or take away any malicious information. This shall be helpful should you plan to gather samples for labs submission. Some ideas for fulfillment with this methodology:

Technique 2:  RecuperaBit

RecuperaBit, created by Andrea Lazzarotto, is an automatic device that can rebuild any NTFS partitions that it may discover within the encrypted VM. If it may discover an NTFS partition, it’ll re-create the folder construction of that partition on the machine getting used for examination. If profitable, you may then entry the file(s) and duplicate and paste from them as desired from the newly created listing/folder construction.

It’s a python script, so it’ll work on any OS that helps python3. It’s simple to make use of, and only some choices are wanted to get it to rebuild the encrypted VM. Expertise has proven that, on common, you must get a ‘sure’ or ‘no’ as as to if it may rebuild something of use inside about 20 minutes. After that, if it may handle the rebuild, it’ll take roughly one other 20 minutes to recreate the partition for you.

It’s vital to know that operating RecuperaBit will doubtless set off endpoint-protection detections if ransom.exe or different malicious information are current. Because of this, should you select to make use of RecuperaBit in conditions the place you hope to recuperate that executable for additional analaysis you must run it in an setting the place endpoint protections will be safely disabled — therefore the prerequisite of a sandbox.

On the time of this writing, RecuperaBit will be downloaded from GitHub. There’s a person information on the GitHub web page for the device.

Technique 3: bulk_extractor

Bulk_extractor (known as bulk-extractor on its kali.org web page, however the identical program in both case) is a free device that runs on Home windows or Linux. It was created by Simson Garfinkel. It will probably recuperate system information akin to Home windows occasion logs (.EVTX) in addition to media information. This device is automated, so the investigator can begin it and let it run, maybe after hours, in hope it’ll recuperate one thing.

It’s doable to configure it for particular file sorts or different artifacts by altering its config file. This may be very helpful to hurry evaluation up in situations the place you’re hoping for fast, targeted, or particular outcomes — for instance, EVTX information solely — relatively than attempting to recuperate the entire of the partition.

As with RecuperaBit in Technique 2, operating bulk_extractor will doubtless set off endpoint-protection detections if ransom.exe or different malicious information are current. Because of this, should you select to make use of bulk_extractor in conditions the place you hope to recuperate that executable for labs submission or related evaluation, you must run it in an setting the place endpoint protections will be safely disabled — therefore the above prerequisite of a sandbox.

On the time of this writing, bulk_extractor for Linux will be downloaded from GitHub. There’s a person information on the GitHub web page for the device.

Technique 4 : EVTXtract

This specialised device searches a block of knowledge (on this case, an encrypted VM) for full or partial .evtx information. If it finds any, the device pulls them again into their unique construction, which is XML. That is an automatic device that’s constructed to run on Linux solely.

XML information are notoriously troublesome to work with. On this case, the file will include incorrectly embedded EVTX fragments, so anticipate the output to be a bit unwieldly. To make it simpler to evaluate this device’s output, you’ll need to therapeutic massage the information. A few strategies for doing this successfully:

Please word that this device, simply because the identify signifies, recovers EVTX information or fragments solely. In case you are searching for different artifacts, you’ll need to make use of a unique device.

On the time of this writing, EVTXtract will be downloaded from GitHub. There’s a person information on the GitHub web page for the device.

Technique 5 : Scalpel, Foremost, or different file-recovery instruments

Turning our consideration from EVTX-recovery instruments to these designed to revive different forms of information, Scalpel and Foremost are two of many free file restoration instruments at present accessible. Although each are older tech, the Sophos IR workforce has had glorious outcomes with these two in our investigations.

The unique model of Scalpel, launched in 2005, was primarily based on Foremost, and the 2 carving and indexing functions are related in strategy. Each primarily recuperate media and doc information, which makes them helpful in case your investigation is searching for paperwork, PDFs, or the like. For both one, the config file will be modified to concentrate on particular file sorts, or be left alone for a fuller (although slower) catch-all effort.

As talked about, neither of those packages retrieves system information; different instruments shall be wanted for that work. As well as, information recovered from these could kick off endpoint-protection detections if any malicious information are current (for example, malicious PDFs from a phishing marketing campaign). Because of this we suggest that investigators run these instruments in a sandbox setting, the place endpoint safety will be disabled, if such information should be preserved for the investigation.

As famous above, each these packages are older expertise, which signifies that restoration of newer filetypes is probably not possible with these instruments. Different instruments exist, and the reader is invited to research these, however as simply accessible choices these are each stable performers.

Foremost will be downloaded from GitHub, and there’s a person information on the GitHub web page for the device. It was initially developed by the US Air Power Workplace of Particular Investigations and The Middle for Info Techniques Safety Research and Analysis. The model on GitHub doesn’t look like actively maintained.

Likewise, on the time of this writing, Scalpel will be downloaded from GitHub. There’s a person information on the GitHub web page for the device. As acknowledged on its GitHub web page, this device just isn’t actively maintained.

Technique 6 : Guide carving of the NTFS partition

In distinction to the instruments and methods summarized above, guide carving takes preparation and a few finer understanding of the choices accessible to you. We’ll make some suggestions for the right way to plan your effort, after which stroll you thru the specifics of working with dd, the highly effective Linux utility you’ll use for this work.

(Some background: DD initially stood for “information definition” and is really considered one of computing’s Elder Gods; it celebrates its 50^th anniversary of existence in June 2024. New dd customers are warned that typos will be catastrophic on this utility, incomes it its alternate identify of “disk destroyer”; it has been described as “a Swiss Military knife, however one which’s all blades and no deal with.” It’s endorsed that investigators familiarize themselves with dd fundamentals earlier than continuing. We additionally counsel typing the dd command right into a textual content editor, ensuring every thing is right, after which copying and pasting the command on the command line.)

Correct guide carving requires that investigators set three switches in dd previous to operating the utility – bs (bytes per sector), skip (the offset worth of the NTFS sector you purpose to recreate), and depend (the dimensions of the sector). These calculations aren’t essentially troublesome, however they do take time and they aren’t elective. This part walks you thru the steps for calculating all three.

As well as, the processing itself is relatively sluggish, doubtlessly taking hours to finish accurately. (As talked about above, we usually suggest you begin the guide carving course of on the finish of the working day and depart your machine operating in a single day.) With some follow, nonetheless, the calculation of the swap values could take the investigator only some minutes — and should you calculate the dimensions of the partition you’re going to carve earlier than trying to carve the partition, you cut back the chance of losing time and processing energy. So try this.

Notice lastly that this course of is space-intensive, doubtless taking over the identical quantity of house the VM itself does, since you’re basically copying the VM. For instance, should you’re working with a 100GB VM file, you’ll want one other 100GB plus house through which to extract the information you need.

The method has 4 primary steps:

The utility that does the copying, dd, is constructed into Linux. The command is as follows:

sudo dd if= *** of=***.img bs=*** skip=*** depend=*** standing=progress

Once more – and this can’t be emphasised sufficient – dd is fully unforgiving of typos. Proceed with warning. The command and its switches could also be understood as follows:

sudo = Person must have highest privileges for this device

dd = The utility itself

if = Stands for ‘enter file’ — this worth is the trail and file identify of the encrypted VM

of = Stands for ‘output file’ — that is the identify of the recreated partition. Instructed file extension is newfilename.img

bs = The bytes per sector of the partition you’re carving out; this worth should be entered in bytes

skip = The offset worth, in sectors, of the NTFS partition you’re carving out, from the beginning of the disk / VM file

depend = The dimensions of the partition, in sectors, of the NTFS partition you’re carving out

standing = An elective swap to show a progress bar, to see what number of bytes have been duplicated

As talked about above, there are three values you should calculate and supply for the switches on this command: bs, skip, and depend. The best approach to work these values out is to make use of a GUI hex editor akin to Maël Hörz’s HxD (which is Home windows freeware), however a command-line device akin to xxd will work if most well-liked. The display screen captures under present the steps utilizing HxD.

Switches: Gathering the essential values

Begin HxD and cargo within the encrypted VM file. Click on the Offset column on the far left to alter it to point out values in decimal (base10). In HxD that is denoted by the letter D in brackets, as proven in Determine 1.

Determine 1: The offset values at the moment are displayed in decimal numbers

Subsequent, open Knowledge inspector from the View dropdown, as proven in Determine 2.

Determine 2: The View dropdown in HxD with the Knowledge inspector choice chosen

Now discover the potential NTFS partitions. Spotlight the very high left byte, then use the search operate to seek for the next hexadecimal string — versus a decimal string or a textual content string, if such choices can be found.EB 52 90 4E 54 46 53 20 20 20 20

Take note of which tab is open within the Discover field, as proven in Determine 3.

Determine 3: In search of the hex string that signifies the beginning of an NTFS sector

The above hexadecimal string is the ‘signature byte’ of a NTFS partition, so this search will discover any potential NTFS partitions that you could carve out. There’ll doubtless be many introduced in an inventory, as proven in Determine 4.

Determine 4: A fruitful seek for doubtlessly salvageable NTFS partitions

When you choose considered one of these outcomes, you’ll be introduced with the header of the NTFS partition within the hex viewer window, as proven in Determine 5.

Determine 5: The header is proven above the chosen NTFS partition

The header comprises the essential info you want for the bs, skip, and depend values required within the dd command. Subsequent, we’ll clarify the right way to calculate these three values. You’ll need to do these so as.

To calculate the bs (bytes per sector) worth

Working from the beginning of the NTFS partition you’ve chosen, spotlight the bytes at offset 11 and 12, as proven in Determine 6. The worth proven as Int16 within the information inspector is the worth wanted. On this instance, the bs worth is 512. (This worth will nearly all the time be 512. Virtually.)

Determine 6: The bytes for the bs worth are highlighted, and the information inspector exhibits that the worth is certainly 512

To calculate the skip worth

Now that you’ve got the bs worth, calculate the skip worth by dividing the header offset worth by the bs worth. This calculation gives the sector worth of the place the NTFS partition begins.

As an example, the header offset decimal worth for the NTFS partition highlighted in Determine 7 is 00576716800. (So we’re clear, the next display screen captures usually are not from the identical partition because the one within the display screen captures proven above. As predicted above, although, you may see that the bs worth for this NTFS partition — the bytes at offsets 11 and 12 — is as soon as once more 512. )

Determine 7: The header offset worth is proven within the inexperienced field

As a way to calculate the skip worth, divide that worth by the bs worth (that’s, 512). In different phrases, do the next:

576716800 / 512 = 1126400

1126400 is the skip worth.

To calculate the depend worth

Find and spotlight the eight bytes that begin on the 41^st byte from the beginning of the NTFS header. To seek out this worth, within the display screen under, go down two rows from the primary (EB) byte of the header, go throughout to the 08 column, and spotlight the next eight bytes,  as proven in Determine 8.

Determine 8: Discovering the depend worth (highlighted)  

Spotlight the subsequent eight bytes, all the best way to column 15, as proven (so, bytes 41-48). The worth that’s proven in INT64 within the information interpreter is the depend worth – within the determine above, 1995745279. This worth is in sectors, and the above command wants it in sectors, so no conversion is required – word the worth and also you’re achieved.

Which partition to decide on?

We mentioned above that you must select the biggest accessible partition to carve out. The depend worth signifies how giant the partition is. If the partition is only some sectors in measurement, it’s doubtless not value carving out. To extend the probabilities of efficiently carving out the C: drive, the perfect strategy could be to search out the biggest partition within the preliminary listing of NTFS partitions and carve that one out.

The most important partition must be roughly the identical measurement as the general VM file. Nevertheless, the VM file measurement is proven in bytes, whereas the NTFS measurement is proven in complete sectors. To check them, you’ll convert the sector measurement of the partition into bytes to check.

As a way to convert the sector measurement of the partition into bytes, multiply the sector measurement (as proven within the information interpreter) by the bs worth. So, utilizing the numbers we discovered within the above examples:

1995745279 x 512 = 1021821582848 bytes (951.64 GB)

Prepared, set…

You now have the three values you require to make use of the dd utility. Enter the wanted values into the dd command, paste the command into dd itself should you adopted our recommendation to do all this in a textual content editor, hit Enter, and dd will carve out the chosen NTFS partition.

When accomplished, mount the brand new file that you just simply carved. It is best to then be capable to recuperate what you want. If the drive doesn’t mount, attempt 7-Zip (or different archiving instruments), different mounting instruments, or FTK.

To recap, Determine 9 exhibits an annotated diagram of the NTFS header and the place the values are situated.

Determine 9: A colourful have a look at an NTFS header (depend worth is marked as “complete sectors in file system”)

Conclusion

As soon as extra, we warning the reader that outcomes usually are not assured; the perfect methodology of retrieving information encrypted in an assault is to drag a duplicate from a clear, unaffected backup. Nevertheless, these strategies could assist the investigating workforce claw again information in conditions the place there’s no different alternative.

When is it time to surrender? Sadly, information can not all the time be recovered absolutely, partially, and even in any respect. Anticipate outcomes to fluctuate, generally for no purpose that may be decided. It’s as much as you, in session with the enterprise stakeholder, to resolve when to stroll away from the method.

Acknowledgements

The authors want to thank the creators of the software program talked about above. The editor needs to thank Jonathan Espenschied for the Swiss-Military-knife-with-no-handle description of dd. Some info on this article was initially introduced as a part of CyberUK in Could 2024.

Concerning the authors

Lee Kirkpatrick is an skilled Incident Lead with the Sophos Incident Response Staff, specializing in digital forensics and incident response for a various world clientele. With over a decade of experience, Lee has tackled cyber threats starting from ransomware to nation-state assaults and has shared insights at prestigious occasions together with BlackHat and RSA Cost.

Since becoming a member of Sophos in January 2021, Paul Jacobs has led a workforce of Incident Response Analysts and Engineers on the sharp finish of defending purchasers throughout lively cyber assaults. Paul’s prior profession historical past consists of over 15 years service within the Police, the place he gained a wealth of expertise in cyber crime investigations starting from violent offences to complicated monetary frauds and information breaches.

Sai Lakshmi Ghanasyam is an analyst in Sophos X-Ops’ Incident Response workforce. Sai embraces an unwavering dedication to studying, discovering immense pleasure within the dynamic nature of the safety business.

Antoni Fertner is a Principal Incident Response Analyst on the Sophos X-Ops Incident Response Staff. With over 15 years of expertise, together with greater than a decade on a NREN CSIRT, Antoni has tackled a variety of cyber threats, together with assaults on essential nationwide infrastructure.

Andy French is a Senior Incident Response Analyst for the Sophos X-Ops Incident response workforce.