Digital Forensic Readiness Framework for Ransomware Investigation

  • Conference paper
  • Digital Forensics and Cyber Crime (ICDF2C 2018)

Abstract

Over the years there has been a significant increase in the exploitation of security vulnerabilities in Windows operating systems, the most severe threat being malicious software (malware). Ransomware, a variant of malware that encrypts files and withholds the decryption key for ransom, has recently become a global digital epidemic. Current methods of mitigating malware and its variants, such as anti-virus software, have proven ineffective against most Ransomware attacks. Theoretically, Ransomware retains footprints of the attack process in the Windows Registry and in the volatile memory of the infected machine. Digital Forensic Readiness (DFR) processes provide mechanisms for the proactive collection of such digital footprints. This study proposes the integration of DFR mechanisms as a process to mitigate Ransomware attacks. A detailed process model of the proposed DFR mechanism was evaluated for compliance with the ISO/IEC 27043 standard. The evaluation revealed that the proposed mechanism has the potential to capture system information prior to, and during, a Ransomware attack. This information can then be used to potentially decrypt the encrypted machine. The implementation of the proposed mechanism can potentially be a major breakthrough in mitigating this global digital epidemic that has plagued various organizations. Furthermore, implementing the DFR mechanism implies that useful decryption processes can be performed to avoid paying the ransom.
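The abstract's premise is that a Ransomware process must hold its working encryption key in volatile memory, so a proactively captured memory image can be searched for it. The following is an added example, not code from the paper or its authors, showing the classic linear-scan technique for AES-128: every 16-byte window is treated as a candidate key, its FIPS-197 key schedule is expanded, and the window is reported only if the next 160 bytes match that schedule (a structure that random data or a bare, unexpanded key will not satisfy). The 32 KiB "memory image" is constructed inline from pseudo-random bytes with one expanded FIPS-197 test key planted at offset 0x1000.

```python
import random
def _make_sbox():
    """Build the AES S-box: GF(2^8) multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff  # p *= 3 (generator)
        q = (q ^ (q << 1)) & 0xff                                # q /= 3
        q = (q ^ (q << 2)) & 0xff
        q = (q ^ (q << 4)) & 0xff
        if q & 0x80: q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # XOR of bit rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xff
        if p == 1: break
    sbox[0] = 0x63
    return sbox
SBOX = _make_sbox()

def _derived_words(key):
    """Yield round-key words w[4..43] of the AES-128 key schedule (FIPS-197 5.2)."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, then XOR the round constant
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = ((rcon << 1) ^ 0x1b) & 0xff if rcon & 0x80 else rcon << 1
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
        yield w[i]
def expand_key(key):
    return bytes(key) + b"".join(_derived_words(key))
def find_aes128_keys(image):
    """Return (offset, key_hex) for each 176-byte window that is a valid schedule."""
    hits = []
    for off in range(len(image) - 175):
        pos = off + 16
        for word in _derived_words(image[off:off + 16]):  # abort on first bad word
            if image[pos:pos + 4] != word:
                break
            pos += 4
        else:
            hits.append((off, image[off:off + 16].hex()))
    return hits
def build_sample_image():
    """Constructed 32 KiB 'memory image': noise plus one expanded key at 0x1000."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 example key
    img = bytearray(random.Random(7).randbytes(32 * 1024))
    img[0x1000:0x1000 + 176] = expand_key(key)
    return bytes(img)
```

On a real capture the same scan runs over the whole dump; a hit only proves a schedule was resident, and whether that key decrypts the victim's files still has to be verified against a known ciphertext sample.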


Notes

  1. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
  2. https://avinashsingh786.github.io/RegSmart/#regacquire


Author information

Correspondence to Avinash Singh.

Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Singh, A., Ikuesan, A.R., Venter, H.S. (2019). Digital Forensic Readiness Framework for Ransomware Investigation. In: Breitinger, F., Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 259. Springer, Cham. https://doi.org/10.1007/978-3-030-05487-8_5

  • DOI: https://doi.org/10.1007/978-3-030-05487-8_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05486-1

  • Online ISBN: 978-3-030-05487-8
