Ransomware is the scourge of our time. Nobody is immune to finding a demand to pay the attackers on the screen of their computer, laptop or mobile phone. Typically the malware encrypts the user's files on the assumption that some of them are important enough that the victim will pay a certain sum to get them decrypted.
Often, ransomware works along the following lines:
The malware encrypts the files with a crypto key and sends that key to the attackers' command-and-control (C&C) server, where it is kept for a limited time. A separate bitcoin wallet is created for each encrypted computer so that the attackers can tell who has paid.
The owner of the encrypted files can buy the crypto key back and receive from the attackers a program that uses it to decrypt the files. Even when the encrypted files matter to the victim, payment may not happen, for the following reasons:
1) The owner of the computer may simply not have the required amount of money.
2) The owner may not be able to raise the required amount within the deadline set by the attackers, i.e. before the crypto key is removed from the C&C server.
3) The owner may not be able to work out how to make the payment to the attackers.
In addition, there is no guarantee that the owner of the encrypted files will receive a decryption program after paying. This can happen for the following reasons:
1) Programming errors. The ransomware may fail to send the crypto key to the C&C server at all.
2) Programming errors. The ransomware may fail to generate a separate bitcoin wallet for each computer, so the attackers simply cannot tell who has paid them. (This is exactly what happened to computers whose files were encrypted by WannaCry, which used only a few hard-coded wallet addresses.)
3) If the owner of the encrypted files has not paid within the set period, the crypto key may be deleted and cannot be restored.
4) The attackers may simply disappear and stop handing out the keys that were paid for.
5) The police may take down the C&C server, after which the crypto keys stored on it are out of reach of the owners of the encrypted computers.
What you can reasonably count on is this: at the moment the ransom demand first appears on screen, the crypto key (or the material it is derived from) is often still in the computer's RAM, because the process that encrypted the files is still running. That is the moment to take a dump of RAM: do not reboot, power off or kill the ransomware process first, since the contents of volatile memory will be lost. Experts can then search the dump for the key and, if it is found, decrypt the files. Whether the key is still present depends on the ransomware family (some wipe it after use, others keep only the attackers' public key in memory), so the capture is a chance, not a guarantee.
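To make concrete what "extracting a crypto key from the dump" involves, here is an added example; it is not part of the original article or of Belkasoft's software. It assumes the ransomware used AES-128 through a software implementation, which keeps the expanded key schedule (176 bytes: the key plus ten round keys) in the process's memory. Each round key is computed deterministically from the previous one, so a scanner can treat every 16-byte window of the dump as a candidate key, expand it, and accept the window only if the following 160 bytes are exactly the schedule that key produces. This is the method used by tools such as aeskeyfind from Halderman et al.'s cold-boot work. The "memory dump" below is a constructed buffer: random filler with one key schedule embedded, using the AES-128 key from the FIPS-197 test vectors; the file name handling in the command-line part is an assumption.

```python
import random


def _make_sbox() -> list:
    """Build the AES S-box from GF(2^8) inversion and the affine map, instead of a 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    rotl = lambda b, n: ((b << n) | (b >> (8 - n))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF    # p = p * 3 in GF(2^8)
        q = (q ^ (q << 1)) & 0xFF                                # q = q / 3, so q stays p^-1
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def aes128_round_keys(key: bytes):
    """Yield the 11 round keys (16 bytes each) of the AES-128 key schedule, starting with the key."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    yield bytes(key)
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]        # RotWord followed by SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
        if i % 4 == 3:
            yield bytes(sum(w[i - 3:i + 1], []))


def expand_key_128(key: bytes) -> bytes:
    """The full 176-byte schedule as it sits in memory for a software AES implementation."""
    return b"".join(aes128_round_keys(key))


def find_aes128_keys(buf, step: int = 1) -> list:
    """Scan buf for 176-byte regions that form a valid AES-128 key schedule; return (offset, key) pairs."""
    hits = []
    for off in range(0, len(buf) - 175, step):
        rk = aes128_round_keys(buf[off:off + 16])
        next(rk)                                     # round 0 is the candidate key itself
        # compare round by round; the first mismatch rejects the candidate cheaply
        if all(buf[off + 16 * r:off + 16 * r + 16] == k for r, k in enumerate(rk, start=1)):
            hits.append((off, bytes(buf[off:off + 16])))
    return hits


def build_sample_dump(key: bytes, seed: int = 7) -> tuple:
    """Constructed stand-in for a RAM dump: random filler with one expanded key schedule inside."""
    rng = random.Random(seed)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    head = filler(1500)
    return head + expand_key_128(key) + filler(1000), len(head)


if __name__ == "__main__":
    import mmap
    import sys
    # Real dumps are GiB-sized, so map the file instead of reading it; step=4 assumes the
    # schedule is 4-byte aligned, which is what C implementations normally produce.
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        for off, key in find_aes128_keys(m, step=4):
            print(f"0x{off:x}: {key.hex()}")
```

The scan needs neither the ransomware binary nor the attackers' server, only the dump. Its limits are the ones mentioned above: a key that was wiped after encryption is gone, a family that generates a fresh key per file and wraps each one with an RSA public key leaves at most the last few session keys, and AES-256 or non-AES ciphers need their own schedule check. Pure Python is also far too slow for a 16 GiB dump; the production tools implement the same loop in C.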
In this article, you will learn how to create a RAM dump using Belkasoft Live RAM Capturer.
Go to the Belkasoft website (https://belkasoft.com/get) and fill out the request form for this tool.
Fig. 1. Request form.
After that, you will receive an email with a link to download Belkasoft Live RAM Capturer. Download it and copy it to a flash drive, then connect the flash drive to the computer with the encrypted files. Run the tool from the flash drive rather than installing anything on the computer itself: every write to its hard drive can overwrite data that may still be needed as evidence.
Belkasoft Live RAM Capturer comes in a 32-bit version (file ‘RamCapture.exe’) and a 64-bit version (file ‘RamCapture64.exe’).
Fig. 2. Files of Belkasoft Live RAM Capturer.
Run the file that matches the ‘System type’ (32-bit or 64-bit) shown in the computer's system properties.
If you accidentally run the file that does not match your system, you will see an error message.
Fig. 3. Error message.
After Belkasoft Live RAM Capturer starts, you will see its main window.
Fig. 4. The main window of Belkasoft Live RAM Capturer.
Belkasoft Live RAM Capturer will offer to save the RAM dump to the flash drive. Click ‘Capture!’.
If the flash drive is formatted with the FAT file system (FAT32) and the computer has more than 4 GB of RAM, you will see the message ‘Insufficient disk space for the dump file’.
Fig. 5. The message ‘Insufficient disk space for the dump file’.
This is because FAT32 cannot hold a file larger than 4 GB, and the dump is the size of the computer's physical RAM. Reformat the flash drive as exFAT or NTFS to save the RAM dump on it. Alternatively, you can specify a different location, such as the hard drive of the computer itself. Do this only as a last resort: a multi-gigabyte file written to the evidence machine's own disk overwrites unallocated space and may destroy deleted data you might later want to recover. In this example, the path ‘C:\Users\Igor\Document’ was used. As shown in Fig. 6, the RAM dump was created successfully.
Fig. 6. A message stating that the RAM memory dump was created successfully.
The file containing the copy of RAM is named after the date of its creation.
Fig. 7. A file containing a copy of the computer’s RAM.
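The checks in the steps above (right binary for the architecture, a destination that can hold a file the size of physical RAM, the FAT32 limit) can be made before pressing ‘Capture!’. The following script is an added example written for this article, not part of Belkasoft's tool, and the capturer itself is still started by hand as described, because the script uses no command-line options of the tool. It assumes a flash drive mounted as ‘E:\’ and a ‘hash’ sub-command of its own; the RAM size and file-system queries use the Win32 functions GlobalMemoryStatusEx and GetVolumeInformationW, so that part only runs on Windows.

```python
import ctypes
import hashlib
import platform
import shutil
from pathlib import PureWindowsPath

# FAT32 cannot store a file of 4 GiB or more; a RAM dump is as large as physical memory.
FAT32_MAX_FILE = 4 * 1024**3 - 1


def choose_capturer(machine: str) -> str:
    """Pick the capturer build matching the architecture string from platform.machine()."""
    m = machine.lower()
    if m in ("amd64", "x86_64"):
        return "RamCapture64.exe"
    if m in ("x86", "i386", "i686"):
        return "RamCapture.exe"
    raise ValueError(f"no Belkasoft Live RAM Capturer build known for architecture {machine!r}")


def destination_check(fs_name: str, free_bytes: int, ram_bytes: int) -> tuple:
    """Can a volume with this file system and free space hold a dump of ram_bytes? -> (ok, reason)"""
    if fs_name.upper().startswith("FAT") and ram_bytes > FAT32_MAX_FILE:
        return False, (f"{fs_name} cannot hold a {ram_bytes / 1024**3:.1f} GiB file "
                       "(4 GiB limit): reformat the flash drive as exFAT or NTFS")
    if free_bytes < ram_bytes:
        return False, (f"only {free_bytes / 1024**3:.1f} GiB free, "
                       f"the dump needs {ram_bytes / 1024**3:.1f} GiB")
    return True, "destination can hold the dump"


class _MEMORYSTATUSEX(ctypes.Structure):
    _fields_ = [("dwLength", ctypes.c_uint32), ("dwMemoryLoad", ctypes.c_uint32),
                ("ullTotalPhys", ctypes.c_uint64), ("ullAvailPhys", ctypes.c_uint64),
                ("ullTotalPageFile", ctypes.c_uint64), ("ullAvailPageFile", ctypes.c_uint64),
                ("ullTotalVirtual", ctypes.c_uint64), ("ullAvailVirtual", ctypes.c_uint64),
                ("ullAvailExtendedVirtual", ctypes.c_uint64)]


def physical_ram_bytes() -> int:
    """Installed physical RAM via kernel32!GlobalMemoryStatusEx (Windows only)."""
    st = _MEMORYSTATUSEX()
    st.dwLength = ctypes.sizeof(st)
    if not ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(st)):
        raise ctypes.WinError()
    return st.ullTotalPhys


def volume_filesystem(root: str) -> str:
    """File system name (FAT32, exFAT, NTFS, ...) of a volume root such as 'E:\\' (Windows only)."""
    name = ctypes.create_unicode_buffer(64)
    if not ctypes.windll.kernel32.GetVolumeInformationW(root, None, 0, None, None, None, name, 64):
        raise ctypes.WinError()
    return name.value


def sha256_file(path: str) -> str:
    """Hash the finished dump so its integrity can be verified later (chain of custody)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preflight(dest_dir: str) -> None:
    """Report which binary to run and whether dest_dir can receive the dump."""
    root = PureWindowsPath(dest_dir).anchor or dest_dir          # 'E:\\dumps' -> 'E:\\'
    ram = physical_ram_bytes()
    fs = volume_filesystem(root)
    ok, why = destination_check(fs, shutil.disk_usage(root).free, ram)
    print(f"run {choose_capturer(platform.machine())} (RAM: {ram / 1024**3:.1f} GiB)")
    print(f"destination {dest_dir} ({fs}): {'OK' if ok else 'NOT OK'} - {why}")


if __name__ == "__main__":
    import sys
    if sys.platform != "win32":
        sys.exit("the RAM-size and volume queries are Win32 calls; run this on the target Windows machine")
    if len(sys.argv) == 3 and sys.argv[1] == "hash":      # after the capture: hash the dump file
        print(sha256_file(sys.argv[2]), sys.argv[2])
    else:
        preflight(sys.argv[1] if len(sys.argv) > 1 else "E:\\")
```

Run it from the flash drive before the capture (for example `python preflight.py E:\`) and again afterwards with `hash` and the path of the dump file. Record the hash together with the time of the capture and the machine it was taken from: the dump may end up as evidence, and the hash is what lets anyone later confirm it has not been altered.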
Conclusion
In this article, we discussed how to create a RAM dump using Belkasoft Live RAM Capturer.
This dump can be analysed to extract the crypto key, and that key can be used to decrypt the encrypted files.
Authors:
Igor Mikhaylov & Oleg Skulkin