Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
Specialists from foreign countries and other users started to seek advice after reading this article. Turns out, not all of you understand when forensics engineers can help recover data. In this article we will consider typical questions and give answers based on own experience.
Frequently asked questions:
Are the files encrypted or a whole partition?
We have had both cases in our experience.
If files are encrypted, we recommend you recover data from FreeSpace partition (ransomware usually misses this area).
Why will it succeed?
Data copies could be deleted, moved or create temporary files. So it’s necessary to make analysis.
It’s a difficult case when a partition is entirely encrypted. In the future it will occur rarely.
Why do we think so?
The volume of storage devices increases. As a result, time spent for encryption will increase as well. This will make it more difficult for hackers to achieve their goals.
Is it possible to recover data if a whole partition is encrypted?
If the algorithm of encryption is cryptographic and the key is unknown, we won’t be able to help.
How can you determine whether an algorithm is cryptographical or not?
Usually the algorithm of encryption is unknown. So it’s difficult to give a definitive answer. There’s a choice to search markers.
In this case, we define XOR with some additions.
How to determine XOR is used?
It’s necessary to take two or three files of same type and compare them. The presence of coinciding parts and further analysis will let us make a conclusion about the algorithm used.
A frauder sent the name of algorithm of encryption in a text file. Will it help to decrypt?
It’s difficult to answer. There are many variations of cryptographic algorithms. The task of key search is the most important.
I know a new extension of files that ransomware created. Will it help?
It’s not important what kind of extension it is. There are many options, but they systematize poorly. Most important is what is inside the file.
How can you find the encryption key?
It’s a direct key brute-force or heuristic analysis. But there are few chances.
If there’s ransomware (for example, an email with an infected file), it’s possible to make a test case with prepared PC with a huge volume of data (we need to buy some time). Run a ransomware. While it’s encrypting data, we make some dumps of RAM in short intervals. Compare them and seek patterns.
Have you succeeded in key searching with the help of RAM dumps?
Not yet. It’s just a hypothesis. We can’t check it because users are not ready to pay for such expensive work.
So when is it possible to help if a virus has encrypted data?
It’s possible if files are not entirely encrypted.
How can you determine that?
You need to find an unencrypted copy of an encrypted file (on another device, for example) and compare them. This procedure should be repeated on some examples. It’s necessary to determine the length and location of encrypted areas better.
If there’s no coincidence, file will be entirely encrypted. The only decision is a key search (vide supra).
If there’s coincidence, part of the user’s data is not encrypted.
What size of file should be taken for comparison?
The more the better. A file’s size has to be more than 10 MB. One of the versions of well-known Petya (NotPetya) encryptor had encrypted only the first MB of data. Files of up to 1 MB were entirely encrypted. Files of more than 1 MB were partly recovered. Look at the fifth figure.
How can you recover data if a file is not entirely encrypted?
There’s no single algorithm for the problem. Everything depends on data file type, length and location of encrypted areas. It’s a creative work for data recovery specialists.
What do you do when you get a case with ransomware?
The algorithm we follow:
to check FreeSpace area
to investigate the ransomware
area
ransomware
We try to decrypt using various combinations of ID key ransomware and known algorithms of encryption (AES 256, for example). We know that there are a few chances but let’s try.
About the author
Andrey Fedorov is co-owner of 512 BYTE company, the specialist in data recovery, software development for data recovery and forensic analysis. He has more than 15 years of experience in this field.
LinkedIn:
https://www.linkedin.com/in/andrey-fedorov-166368106/
Facebook:
https://www.facebook.com/soft512byte
Please enter the result of the calculation above.
Save my name, email, and website in this browser for the next time I comment.
Δ
Speak to a Specialist Now
Get Help Now