May 18, 2024

This text explains varied strategies and available instruments for extracting knowledge from an encrypted digital disk. For incident-response conditions wherein the whole digital disk has been encrypted, these instruments and strategies might – might – allow the investigating crew to retrieve knowledge from the encrypted system.

Efforts to extract knowledge from encrypted digital disks can doubtlessly result in a number of constructive outcomes: recovering buyer knowledge that’s irretrievable by way of customary strategies, serving to rebuild virtualized buyer infrastructure that has been compromised, and / or enriching an incident investigation timeline. To date, we’ve used these strategies efficiently in DFIR investigations involving the LockBit, Faust / Phobos, Rhysida, and Akira ransomware teams.

We’ll say this initially of the article and we’ll say it once more on the finish: Outcomes aren’t assured. No data-extraction technique in existence is for certain to yield full knowledge from an encrypted VM. We will even spotlight that whereas these strategies have seen fairly a excessive success charge in extracting forensic knowledge that’s invaluable for the investigation (similar to occasion logs, registry forensics, and the like), the success charge of retrieving knowledge that can be utilized as a part of the restoration means of manufacturing programs, similar to databases, is way decrease.

We strongly advocate that any restoration makes an attempt must be performed on “working copies” and never the originals, lest the makes an attempt trigger unintended additional harm to the units.

Within the subsequent part we’ll focus on wherein conditions retrieval could also be attainable and to what extent. After that, we’ll checklist some elements to take into accounts as you choose which strategies you’ll try. Lastly, we’ll take a look at every technique, itemizing the conditions (the instruments required to aim the strategy; all are required) and flagging different issues. Within the dialogue of essentially the most labor-intensive technique, we’ll stroll by way of the small print of the method. On this article, references to “digital disks,” “VM’s,” or “disk photographs” all confer with the identical factor and will be any picture of a disk similar to VHD, VHDX, VMDK, RAW, and so forth. All six strategies apply to Home windows; just a few additionally may match on Linux, and we’ll word these in every case.

What’s file / disk encryption?

When ransomware encrypts a digital disk (or any file), the information has been basically randomized, rendering the file unreadable by the working system. Probably the most well-known technique of decrypting a file (returning the file to its unique, readable state) is by way of a decryptor, a software program instrument or program designed to reverse the method of encryption, making encrypted information readable once more.

In ransomware assaults, the decryptor is created and managed by the menace actor. In these conditions, except the ransom is paid or the decryptor turns into publicly out there, different strategies of information restoration should be thought-about.

Ransomware binaries prioritize pace over thorough encryption. Encrypting total information can be too time-consuming, so the attackers goal to inflict most harm swiftly, minimizing the window for intervention. Consequently, whereas smaller information like paperwork are often totally encrypted, bigger ones similar to digital disks might have vital parts left unencrypted. This gives investigators with alternatives to make use of various strategies for extracting data from these digital disks.

Which technique to make use of: Concerns

There are a number of strategies that can be utilized when trying to extract knowledge from an encrypted Home windows VM. (Just a few of those strategies are relevant to Linux restoration makes an attempt as nicely, and we’ll point out these.) On this article we are going to cowl six:

  • Technique 1: Mounting the drive
  • Technique 2: RecuperaBit
  • Technique 3: bulk_extractor
  • Technique 4: EVTXparser
  • Technique 5: Scalpel, Foremost, and different file-recovery instruments
  • Technique 6: Handbook carving of the NTFS partition

Which to attempt first? The next six issues might assist you to decide which technique is suitable.

File dimension
Expertise has proven that the bigger the dimensions of the digital disk, the higher the possibility of profitable restoration. For Home windows machines, that is largely as a result of most VMs may have a number of partitions, often three — restoration, boot, and the C: (user-visible) partition. (For this text, let’s assume the drive is mapped to the standard C:.) The primary two partitions maintain little knowledge of use for an incident investigation, however as a result of encryption generally encrypts the primary few bytes of the VM, solely these partitions find yourself encrypted.

This, subsequently, typically leaves the C: partition, the place buyer knowledge and potential forensic knowledge is housed, untouched. This may help investigators to rebuild a compromised digital system and enrich an incident investigation.

Conversely, if the VM file is comparatively small, the probability of recovering knowledge is lessened. Nevertheless, there nonetheless could also be a chance to reap occasion logs or registry hives.

As with every different downside in incident response, there exist a number of strategies and instruments for tackling the identical concern. Some instruments might carry out higher than others relying on the kind of encryption. It’s price making an attempt a number of instruments to get the outcome you want in case your first try fails or solely partially works.

Additionally it is essential to notice that instruments do cease getting up to date and / or supported, so contemplate in search of further instruments not talked about on this information. The instruments that we’re utilizing are third-party instruments, or in some instances instruments which can be already a part of Home windows or Linux (this contains Home windows Subsystem for Linux [WSL]). All through this text and in our on a regular basis investigations, we acknowledge the nice contribution the creators of these instruments have made to protection efforts, particularly in these instances wherein the instruments weren’t designed with encryption in thoughts.

The time out there to finish the duty is one thing price contemplating; the {hardware} / gear you might have out there might play an element on this. As an illustration, guide carving (Technique 6) is one out there choice, however this could take a very long time; particularly, it may well require a number of processor energy, which might decelerate your system throughout the course of. This might result in you not having the ability to use the system you’re utilizing for forensic examination for different each day duties while this course of completes. (Due to this, if it isn’t time-sensitive, we advocate you begin the guide carving course of in direction of the tip of the working day and go away your system working in a single day.) Totally different options take various quantities of time and this must be thought-about.

Accessible space for storing must be factored into your choice. Handbook carving, as an example, can require fairly a little bit of space for storing, as it’s going to recreate a duplicate of the file; in different phrases, in case you are making an attempt to recuperate a 1TB digital onerous disk, you might nicely want at the least one other 1TB for the outcomes. That is additionally true with a few of the file restoration instruments (Technique 5), significantly if the grasp file desk (MFT) is corrupt, since in that state of affairs the instrument might “recuperate” enormous information that don’t really exist.

File sorts and priorities
Shoppers often ask us to recuperate particular information (significantly Phrase paperwork and PDFs), as they don’t seem to be excited by anything. If that’s the case, and you do not want any additional knowledge for the investigation as all of the TTPs have been accounted for, it might be extra helpful so that you can run an automatic media file restoration instrument over the VM, relatively than doing a full restoration of the entire disk.

In a associated vein, the enterprise’s must recuperate the information must be weighed in restoration choices. For instance, if the enterprise plans to rebuild the system, they’ve a working backup of the information, and it’s not essential to the investigation, what’s to be gained by recovering knowledge from it? Does it must occur? (In all probability not.) A transparent understanding of the enterprise want for restoration of this particular VM results in higher allocation of treasured incident-response assets.

Strategies of extraction: Six strategies

The strategies under cowl a number of methods of trying to extract knowledge from a digital machine. This isn’t an exhaustive checklist, since new strategies and instruments are being developed on a regular basis; researching newer strategies and or instruments is all the time inspired, and we ourselves will seemingly replace this text as we add strategies to our personal repertoire. With such a wide range of choices out there, familiarizing your self with the fundamentals of every of those, then making use of that information to the issues listed above, is probably going one of the best method – and one which will get simpler with expertise and apply.

All that mentioned, although the checklist that follows will not be in a strict order, we advise that Technique 1 must be step one in any tried restoration, for causes that shall be clear.

Technique 1:  Simply mount it

A callout box with the following text: Prerequisites for mounting the drive A Windows OS version that has the native Windows mounting tool Third-party mounting tools Imaging tools such as FTK Archiving tool such as 7-Zip Applicability: Windows, LinuxSimply because you might have been advised that the VM is encrypted doesn’t essentially imply that it’s. (Sure, cybercriminals typically lie.) We’ve got encountered purchasers who’ve mistakenly thought their information had been encrypted when, actually, the attacker had merely modified the file extensions. As well as, now we have seen cases the place attackers’ encryption processes have failed and really simply renamed the file.

At all times do that technique first because it simply would possibly work — and save a number of time. If it doesn’t succeed, you’ll have misplaced little time and have completed nothing to impede different strategies of retrieval. If, alternatively, the strategy succeeds and the drive does mount, you possibly can then entry the file(s) and duplicate and paste from them as desired. As well as, since you are merely mounting the VM, endpoint safety (that’s, antimalware / antivirus packages) shouldn’t detect or take away any malicious information. This shall be helpful in the event you plan to gather samples for labs submission. Some suggestions for achievement with this technique:

  • Attempt the 7-Zip GUI archiver; now we have had a number of success with 7-Zip on this state of affairs
  • Mount the drive
  • If that’s not working, attempt FTK or every other third-party mounting instrument

Technique 2:  RecuperaBit

A callout box with the following text: Prerequisites for using RecuperaBit RecupraBit downloaded from GitHub Python installed on OS of choice Available storage that is equivalent in size to the VM A ‘sandboxed’ environment / separate device / VM working environment, to avoid potential endpoint-protection detections Applicability: Windows, LinuxRecuperaBit, created by Andrea Lazzarotto, is an automatic instrument that may rebuild any NTFS partitions that it may well discover within the encrypted VM. If it may well discover an NTFS partition, it’s going to re-create the folder construction of that partition on the system getting used for examination. If profitable, you possibly can then entry the file(s) and duplicate and paste from them as desired from the newly created listing/folder construction.

It’s a python script, so it’s going to work on any OS that helps python3. It’s simple to make use of, and only some choices are wanted to get it to rebuild the encrypted VM. Expertise has proven that, on common, it is best to get a ‘sure’ or ‘no’ as as to whether it may well rebuild something of use inside about 20 minutes. After that, if it may well handle the rebuild, it’s going to take roughly one other 20 minutes to recreate the partition for you.

It’s essential to know that working RecuperaBit will seemingly set off endpoint-protection detections if ransom.exe or different malicious information are current. For that reason, in the event you select to make use of RecuperaBit in conditions the place you hope to recuperate that executable for additional analaysis it is best to run it in an atmosphere the place endpoint protections will be safely disabled — therefore the prerequisite of a sandbox.

On the time of this writing, RecuperaBit will be downloaded from GitHub. There’s a consumer information on the GitHub web page for the instrument.

Technique 3: bulk_extractor

Callout box with following text: Prerequisites for using bulk_extractor bulk_extractor downloaded for Windows or Linux A Linux device / WSL/ working VM, if the Linux binary is to be used A ‘sandboxed’ environment / separate device / VM working environment, to avoid potential endpoint-protection detections Applicability: Windows, LinuxBulk_extractor (known as bulk-extractor on its page, however the identical program in both case) is a free instrument that runs on Home windows or Linux. It was created by Simson Garfinkel. It could possibly recuperate system information similar to Home windows occasion logs (.EVTX) in addition to media information. This instrument is automated, so the investigator can begin it and let it run, maybe after hours, in hope it’s going to recuperate one thing.

It’s attainable to configure it for particular file sorts or different artifacts by altering its config file. This may be very helpful to hurry evaluation up in situations the place you’re hoping for fast, targeted, or particular outcomes — for instance, EVTX information solely — relatively than making an attempt to recuperate the entire of the partition.

As with RecuperaBit in Technique 2, working bulk_extractor will seemingly set off endpoint-protection detections if ransom.exe or different malicious information are current. For that reason, in the event you select to make use of bulk_extractor in conditions the place you hope to recuperate that executable for labs submission or related evaluation, it is best to run it in an atmosphere the place endpoint protections will be safely disabled — therefore the above prerequisite of a sandbox.

On the time of this writing, bulk_extractor for Linux will be downloaded from GitHub. There’s a consumer information on the GitHub web page for the instrument.

Technique 4 : EVTXtract

Callout box with following text: Prerequisites for using EVTXtract EVTXtract downloaded from GitHub (click here for link) A Linux device / WSL / working VM Applicability: WindowsThis specialised instrument searches a block of information (on this case, an encrypted VM) for full or partial .evtx information. If it finds any, the instrument pulls them again into their unique construction, which is XML. That is an automatic instrument that’s constructed to run on Linux solely.

XML information are notoriously tough to work with. On this case, the file will encompass incorrectly embedded EVTX fragments, so count on the output to be a bit unwieldly. To make it simpler to evaluation this instrument’s output, you’ll need to therapeutic massage the information. A few recommendations for doing this successfully:

  • Try and convert the file to CSV format for simpler viewing
  • Use the grep command to get the result for YYYY-DD-MM (or every other date codecs), event-IDs, key phrases, or identified IoCS indicating exercise on the day of curiosity

Please word that this instrument, simply because the title signifies, recovers EVTX information or fragments solely. If you’re searching for different artifacts, you will want to make use of a unique instrument.

On the time of this writing, EVTXtract will be downloaded from GitHub. There’s a consumer information on the GitHub web page for the instrument.

Technique 5 : Scalpel, Foremost, or different file-recovery instruments

Callout box with following text: Prerequisites for using Scalpel or Foremost Copy of Scalpel or Foremost (download links in article) A Linux device / WSL / working VM A sandboxed environment / separate device / VM working environment to avoid potential endpoint-protection detections Applicability: Windows, LinuxTurning our consideration from EVTX-recovery instruments to these designed to revive different kinds of information, Scalpel and Foremost are two of many free file restoration instruments at the moment out there. Although each are older tech, the Sophos IR crew has had wonderful outcomes with these two in our investigations.

The unique model of Scalpel, launched in 2005, was based mostly on Foremost, and the 2 carving and indexing functions are related in method. Each primarily recuperate media and doc information, which makes them helpful in case your investigation is searching for paperwork, PDFs, or the like. For both one, the config file will be modified to concentrate on particular file sorts, or be left alone for a fuller (although slower) catch-all effort.

As talked about, neither of those applications retrieves system information; different instruments shall be wanted for that work. As well as, information recovered from these might kick off endpoint-protection detections if any malicious information are current (as an example, malicious PDFs from a phishing marketing campaign). For that reason we advocate that investigators run these instruments in a sandbox atmosphere, the place endpoint safety will be disabled, if such information should be preserved for the investigation.

As famous above, each these applications are older expertise, which implies that restoration of newer filetypes might not be possible with these instruments. Different instruments exist, and the reader is invited to research these, however as simply out there choices these are each stable performers.

Foremost will be downloaded from GitHub, and there’s a consumer information on the GitHub web page for the instrument. It was initially developed by the US Air Power Workplace of Particular Investigations and The Heart for Data Methods Safety Research and Analysis. The model on GitHub doesn’t look like actively maintained.

Likewise, on the time of this writing, Scalpel will be downloaded from GitHub. There’s a consumer information on the GitHub web page for the instrument. As acknowledged on its GitHub web page, this instrument will not be actively maintained.

Technique 6 : Handbook carving of the NTFS partition

Callout box with following text: Prerequisites for manual carving of the NTFS partition A Linux device / WSL / working VM A hex editor such as HxD or xxd A version of the Windows OS that has the native window mounting tool Third-party mounting tools Imaging tools such as FTK Archiving tool such as 7-Zip Available storage that is equivalent in size to the VM Applicability: WindowsIn distinction to the instruments and strategies summarized above, guide carving takes preparation and a few finer understanding of the choices out there to you. We’ll make some suggestions for how one can plan your effort, after which stroll you thru the specifics of working with dd, the highly effective Linux utility you’ll use for this work.

(Some background: DD initially stood for “knowledge definition” and is really one among computing’s Elder Gods; it celebrates its 50th anniversary of existence in June 2024. New dd customers are warned that typos will be catastrophic on this utility, incomes it its alternate title of “disk destroyer”; it has been described as “a Swiss Military knife, however one which’s all blades and no deal with.” It is suggested that investigators familiarize themselves with dd basics earlier than continuing. We additionally recommend typing the dd command right into a textual content editor, ensuring the whole lot is appropriate, after which copying and pasting the command on the command line.)

Correct guide carving requires that investigators set three switches in dd previous to working the utility – bs (bytes per sector), skip (the offset worth of the NTFS sector you goal to recreate), and rely (the dimensions of the sector). These calculations aren’t essentially tough, however they do take time and they don’t seem to be elective. This part walks you thru the steps for calculating all three.

As well as, the processing itself is relatively gradual, doubtlessly taking hours to finish accurately. (As talked about above, we typically advocate you begin the guide carving course of on the finish of the working day and go away your system working in a single day.) With some apply, nevertheless, the calculation of the swap values might take the investigator only some minutes — and in the event you calculate the dimensions of the partition you will carve earlier than trying to carve the partition, you scale back the probability of losing time and processing energy. So try this.

Notice lastly that this course of is space-intensive, seemingly taking on the identical quantity of area the VM itself does, since you’re basically copying the VM. For instance, in the event you’re working with a 100GB VM file, you’ll want one other 100GB plus area wherein to extract the information you need.

The method has 4 important steps:

  1. Analyze the encrypted VM for out there NTFS partitions
  2. Carve the biggest NTFS partition out and into a brand new file
  3. If the newly created file is undamaged sufficient, mount it in Home windows
  4. Extract the artifacts you want

The utility that does the copying, dd, is constructed into Linux. The command is as follows:

sudo dd if= *** of=***.img bs=*** skip=*** rely=*** standing=progress

Once more – and this can’t be emphasised sufficient – dd is fully unforgiving of typos. Proceed with warning. The command and its switches could also be understood as follows:

sudo = Person must have highest privileges for this instrument

dd = The utility itself

if = Stands for ‘enter file’ — this worth is the trail and file title of the encrypted VM

of = Stands for ‘output file’ — that is the title of the recreated partition. Urged file extension is newfilename.img

bs = The bytes per sector of the partition you’re carving out; this worth should be entered in bytes

skip = The offset worth, in sectors, of the NTFS partition you’re carving out, from the beginning of the disk / VM file

rely = The scale of the partition, in sectors, of the NTFS partition you’re carving out

standing = An elective swap to show a progress bar, to see what number of bytes have been duplicated

As talked about above, there are three values it’s essential to calculate and supply for the switches on this command: bs, skip, and rely. The best technique to work these values out is to make use of a GUI hex editor similar to Maël Hörz’s HxD (which is Home windows freeware), however a command-line instrument similar to xxd will work if most well-liked. The display captures under present the steps utilizing HxD.

Switches: Gathering the fundamental values 

Begin HxD and cargo within the encrypted VM file. Click on the Offset column on the far left to vary it to point out values in decimal (base10). In HxD that is denoted by the letter D in brackets, as proven in Determine 1.

Screen capture of offset values displayed as base10 numbers

Determine 1: The offset values at the moment are displayed in decimal numbers

Subsequent, open Knowledge inspector from the View dropdown, as proven in Determine 2.

Screen capture showing an HxD menu

Determine 2: The View dropdown in HxD with the Knowledge inspector choice chosen

Now discover the potential NTFS partitions. Spotlight the very prime left byte, then use the search operate to seek for the next hexadecimal string — versus a decimal string or a textual content string, if such choices can be found.

EB 52 90 4E 54 46 53 20 20 20 20

Take note of which tab is open within the Discover field, as proven in Determine 3.

Screen capture showing a search box with the hex string given above

Determine 3: Looking for the hex string that signifies the beginning of an NTFS sector

The above hexadecimal string is the ‘signature byte’ of a NTFS partition, so this search will discover any potential NTFS partitions which you can carve out. There’ll seemingly be many introduced in a listing, as proven in Determine 4.

Screen capture showing nine potential NTFS partitions that the search found

Determine 4: A fruitful seek for doubtlessly salvageable NTFS partitions

When you choose one among these outcomes, you can be introduced with the header of the NTFS partition within the hex viewer window, as proven in Determine 5.

Screen capture showing the NTFS header, which will be discussed below

Determine 5: The header is proven above the chosen NTFS partition

The header comprises the fundamental data you want for the bs, skip, and rely values required within the dd command. Subsequent, we’ll clarify how one can calculate these three values. You’ll need to do these so as.

 To calculate the bs (bytes per sector) worth

Working from the beginning of the NTFS partition you might have chosen, spotlight the bytes at offset 11 and 12, as proven in Determine 6. The worth proven as Int16 within the knowledge inspector is the worth wanted. On this instance, the bs worth is 512. (This worth will nearly all the time be 512. Nearly.)

Screen capture showing the Int16 value highlighted in Data Inspector

Determine 6: The bytes for the bs worth are highlighted, and the information inspector exhibits that the worth is certainly 512

To calculate the skip worth

Now that you’ve the bs worth, calculate the skip worth by dividing the header offset worth by the bs worth. This calculation gives the sector worth of the place the NTFS partition begins.

As an illustration, the header offset decimal worth for the NTFS partition highlighted in Determine 7 is 00576716800. (So we’re clear, the next display captures aren’t from the identical partition because the one within the display captures proven above. As predicted above, although, you possibly can see that the bs worth for this NTFS partition — the bytes at offsets 11 and 12 — is as soon as once more 512. )

Screen capture highlighting the base10 offset value to be divided by the bs value to get the skip value

Determine 7: The header offset worth is proven within the inexperienced field

With the intention to calculate the skip worth, divide that worth by the bs worth (that’s, 512). In different phrases, do the next:

576716800 / 512 = 1126400

1126400 is the skip worth.

To calculate the rely worth

Find and spotlight the eight bytes that begin on the 41st byte from the beginning of the NTFS header. To seek out this worth, within the display under, go down two rows from the primary (EB) byte of the header, go throughout to the 08 column, and spotlight the next eight bytes,  as proven in Determine 8.

Screen capture showing the Int64 count value

Determine 8: Discovering the rely worth (highlighted)  

Spotlight the following eight bytes, all the way in which to column 15, as proven (so, bytes 41-48). The worth that’s proven in INT64 within the knowledge interpreter is the rely worth – within the determine above, 1995745279. This worth is in sectors, and the above command wants it in sectors, so no conversion is required – word the worth and also you’re completed.

Which partition to decide on?

We mentioned above that it is best to select the biggest out there partition to carve out. The rely worth signifies how giant the partition is. If the partition is only some sectors in dimension, it’s seemingly not price carving out. To extend the possibilities of efficiently carving out the C: drive, one of the best method can be to seek out the biggest partition within the preliminary checklist of NTFS partitions and carve that one out.

The biggest partition must be roughly the identical dimension as the general VM file. Nevertheless, the VM file dimension is proven in bytes, whereas the NTFS dimension is proven in complete sectors. To match them, you’ll convert the sector dimension of the partition into bytes to check.

With the intention to convert the sector dimension of the partition into bytes, multiply the sector dimension (as proven within the knowledge interpreter) by the bs worth. So, utilizing the numbers we discovered within the above examples:

1995745279 x 512 = 1021821582848 bytes (951.64 GB)

Prepared, set…

You now have the three values you require to make use of the dd utility. Enter the wanted values into the dd command, paste the command into dd itself in the event you adopted our recommendation to do all this in a textual content editor, hit Enter, and dd will carve out the chosen NTFS partition.

When accomplished, mount the brand new file that you simply simply carved. You must then be capable of recuperate what you want. If the drive doesn’t mount, attempt 7-Zip (or different archiving instruments), different mounting instruments, or FTK.

To recap, Determine 9 exhibits an annotated diagram of the NTFS header and the place the values are positioned.

Screen capture showing all the parts of the NTFS header we just covered

Determine 9: A colourful take a look at an NTFS header (rely worth is marked as “complete sectors in file system”)


As soon as extra, we warning the reader that outcomes aren’t assured; one of the best technique of retrieving knowledge encrypted in an assault is to tug a duplicate from a clear, unaffected backup. Nevertheless, these strategies might assist the investigating crew claw again knowledge in conditions the place there’s no different selection.

When is it time to surrender? Sadly, knowledge can not all the time be recovered totally, partly, and even in any respect. Anticipate outcomes to fluctuate, typically for no purpose that may be decided. It’s as much as you, in session with the enterprise stakeholder, to resolve when to stroll away from the method.


The authors want to thank the creators of the software program talked about above. The editor needs to thank Jonathan Espenschied for the Swiss-Military-knife-with-no-handle description of dd. Some data on this article was initially presented as a part of CyberUK in Might 2024.