
Six Ways to Protect Your Devices: Tips from Sophos News


This article explores various techniques and readily available tools for extracting data from an encrypted virtual disk. They are intended for incident-response situations in which the entire virtual disk has been encrypted, to help investigating teams retrieve data from the encrypted system. Possible positive outcomes include recovering customer data that would otherwise be irretrievable, rebuilding compromised virtualized customer infrastructure, and enriching the incident investigation timeline.

The article highlights the successful application of these techniques in DFIR investigations involving ransomware groups such as LockBit, Faust / Phobos, Rhysida, and Akira. It stresses that while the methods have a high success rate in extracting valuable forensic data such as event logs and registry artifacts, the success rate for data essential to recovering production systems, such as databases, is comparatively lower.

It strongly recommends conducting recovery attempts on “working copies” rather than the original files, to avoid unintended further damage. The article is structured to first discuss the situations in which data retrieval may be possible, and to what extent, then list the factors to consider when selecting which methods to attempt. Each method is then elaborated, with the prerequisites for attempting it and other considerations.

The article explains the concept of file/disk encryption, emphasizing that a decryptor is needed to reverse the encryption and make files readable again. In ransomware attacks the decryptor is controlled by the threat actors, so alternative data-recovery methods are necessary until the ransom is paid or the decryptor becomes publicly available.

It then covers six techniques for extracting data from an encrypted Windows VM, with guidance on deciding which method is appropriate. The considerations include file size, available tools, time, storage, file types and priorities, and the enterprise’s need for data recovery.

The techniques explored in the article include:

– Method 1: Mounting the drive
– Method 2: RecuperaBit
– Method 3: Bulk_extractor
– Method 4: EVTXparser
– Method 5: Scalpel, Foremost, and other file-recovery tools
– Method 6: Manual carving of the NTFS partition

Each method is explained in detail, with instructions on how to execute it, the tools needed, and specific considerations to keep in mind. Manual carving of the NTFS partition, in particular, requires a detailed calculation process before the partition can be extracted with the dd utility in Linux.
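As an added illustration of the calculation behind manual carving (this is not code from the Sophos article), the snippet below parses the MBR partition table of a constructed sample image, converts the partition's LBA start and sector count into the `skip`/`count` values a dd command needs, and checks whether the carved region still begins with an NTFS boot sector. The image layout, the 512-byte sector size and the function names are assumptions for the example.

```python
import struct

SECTOR = 512  # assumed sector size; real disks may use 4096

def build_sample_image():
    """Constructed sample: a tiny disk image with one MBR entry pointing at an
    NTFS-looking partition that starts at LBA 2048 and spans 8 sectors."""
    start_lba, sectors = 2048, 8
    image = bytearray(SECTOR * (start_lba + sectors))
    # MBR entry 0 lives at offset 446: status, CHS start, type, CHS end, LBA, count
    entry = struct.pack("<B3sB3sII", 0x00, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", start_lba, sectors)
    image[446:446 + 16] = entry
    image[510:512] = b"\x55\xAA"  # MBR boot signature
    boot = SECTOR * start_lba
    image[boot:boot + 3] = b"\xEB\x52\x90"  # NTFS jump instruction
    image[boot + 3:boot + 11] = b"NTFS    "  # NTFS OEM ID
    image[boot + 510:boot + 512] = b"\x55\xAA"  # boot sector signature
    return bytes(image)

def parse_mbr(image):
    """Return the non-empty partition entries of a classic MBR."""
    if image[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature; table may be GPT or encrypted")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", image[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype, "start_lba": lba, "sectors": count})
    return parts

def dd_command(part, image_path="disk.img", out_path="part.img"):
    """skip/count in sector units: the numbers manual carving has to work out."""
    return (f"dd if={image_path} of={out_path} bs={SECTOR} "
            f"skip={part['start_lba']} count={part['sectors']}")

def carve(image, part):
    """Do in memory what the dd command above does on disk."""
    start = part["start_lba"] * SECTOR
    return image[start:start + part["sectors"] * SECTOR]

def is_ntfs_boot_sector(data):
    """False when ransomware has also encrypted the partition's first sector;
    the offsets then have to be trusted from the table alone."""
    return data[3:11] == b"NTFS    " and data[510:512] == b"\x55\xAA"
```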

In conclusion, the article reiterates that while results are not guaranteed, these methods can assist in extracting data from encrypted systems where recovery from clean backups is not an option. It emphasizes the importance of making informed decisions on when to persevere with data recovery efforts and when to consider alternative solutions. The acknowledgment section gives credit to the creators of the software mentioned in the article, highlighting the collaborative effort in developing tools for data recovery in challenging cybersecurity situations.
