Abstract
Over the years there has been a significant increase in the exploitation of the security vulnerabilities of Windows operating systems, the most severe threat being malicious software (malware). Ransomware, a variant of malware which encrypts files and retains the decryption key for ransom, has recently proven to become a global digital epidemic. The current method of mitigation and propagation of malware and its variants, such as anti-viruses, have proven ineffective against most Ransomware attacks. Theoretically, Ransomware retains footprints of the attack process in the Windows Registry and the volatile memory of the infected machine. Digital Forensic Readiness (DFR) processes provide mechanisms for the pro-active collection of digital footprints. This study proposed the integration of DFR mechanisms as a process to mitigate Ransomware attacks. A detailed process model of the proposed DFR mechanism was evaluated in compliance with the ISO/IEC 27043 standard. The evaluation revealed that the proposed mechanism has the potential to harness system information prior to, and during a Ransomware attack. This information can then be used to potentially decrypt the encrypted machine. The implementation of the proposed mechanism can potentially be a major breakthrough in mitigating this global digital endemic that has plagued various organizations. Furthermore, the implementation of the DFR mechanism implies that useful decryption processes can be performed to prevent ransom payment.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Logen, S., Höfken, H., Schuba, M.: Simplifying RAM forensics: a GUI and extensions for the volatility framework. In: Proceedings of the 2012 7th International Conference on Availability, Reliability and Security, ARES 2012, pp. 620–624 (2012)
Hargreaves, C., Chivers, H.: Recovery of encryption keys from memory using a linear scan. In: Proceedings of the 3rd International Conference on Availability, Reliability and Security, ARES 2008, pp. 1369–1376, March 2008
Vaughan-Nichols, S.J.: Today’s most popular operating systems (2017). http://www.zdnet.com/article/todays-most-popular-operating-systems/. Accessed 12 Apr 2018
Statista, Global market share held by the leading mobile operating systems from 2010 to 2015 (2015). https://www.statista.com/statistics/218089/global-market-share-of-windows-7/. Accessed 12 Apr 2018
Kaspersky, Overall Statistics for 2017, Kaspersky (2017). https://kasperskycontenthub.com/securelist/files/2017/12/KSB_statistics_2017_EN_final.pdf. Accessed 4 Apr 2018
Tailor, J.P., Patel, A.D.: A comprehensive survey: ransomware attacks prevention, monitoring and damage control. Int. J. Res. Sci. Innov. 4, 2321–2705 (2017)
Bromium Labs, Understanding Crypto-Ransomware, p. 35 (2015). Bromium.com
Matt Mansfield, Cyber Security Statistics (2017). https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html. Accessed 23 Apr 2018
United States Government, How to Protecting Your Networks from Ransomware (2016). https://www.justice.gov/criminal-ccips/file/872771/download. Accessed 26 Apr 2018
Damshenas, M., Dehghantanha, A., Mahmoud, R.: A survey on malware propagation, analysis and detection. Int. J. Cyber-Security Digit. Forensics 2(4), 10–29 (2013)
Gandotra, E., Bansal, D., Sofat, S.: Malware threat assessment using fuzzy logic paradigm. Cybern. Syst. 48(1), 29–48 (2017)
O’Brien, D.: Internet Security Threat Report - Ransomware 2017. In: Symantec, p. 35 (2017)
Savage, K., Coogan, P., Lau, H.: Information resources. Res. Manag. 54(5), 59–63 (2011)
Stone-Gross, B., Cova, M., Gilbert, B., Kemmerer, R., Kruegel, C., Vigna, G.: Analysis of a Botnet takeover. IEEE Secur. Priv. 9(1), 64–72 (2011)
United States Government, How to Protecting Your Networks from Ransomware, pp. 2–8 (2016)
Rad, B., Masrom, M., Ibrahim, S.: Camouflage in malware: from encryption to metamorphism. Int. J. Comput. Sci. Netw. Secur. 12(8), 74–83 (2012)
Campbell, S., Chan, S., Lee, J.R.: Detection of fast flux service networks. Conf. Res. Pract. Inf. Technol. Ser. 116, 57–66 (2011)
Spafford, E.H.: The internet worm incident. In: Ghezzi, C., McDermid, J.A. (eds.) ESEC 1989. LNCS, vol. 387, pp. 446–468. Springer, Heidelberg (1989). https://doi.org/10.1007/3-540-51635-2_54
Okane, P., Sezer, S., McLaughlin, K.: Obfuscation: the hidden malware. IEEE Secur. Priv. 9(5), 41–47 (2011)
Symantec, 2017 Internet Security Threat Report, Istr (2017). https://www.symantec.com/security-center/threat-report. Accessed 27 Apr 2018
Ehrenfeld, J.M.: WannaCry, cybersecurity and health information technology: a time to act. J. Med. Syst. 41(7), 104 (2017)
Kotov, V., Rajpal, M.S.: Understanding Crypto-Ransomware, p. 35 (2015). Bromium.com
Sophos, Stopping Fake Antivirus: How to Keep Scareware Off Your Network (2011)
Ikuesan, A.R., Venter, H.S.: Digital forensic readiness framework based on behavioral-biometrics for user attribution, vol. 1, pp. 54–59 (2017)
ISO 27043, International Standard ISO/IEC 27043: Information technology — Security techniques — Incident investigation principles and processes, vol. 2015 (2015)
Kaplan, B.: RAM is key: extracting disk encryption keys from volatile memory, p. 20 (2007)
Basu, A., Gandhi, J., Chang, J., Hill, M.D., Swift, M.M.: Efficient virtual memory for big memory servers. In: Proceedings of the 40th Annual International Symposium on Computer Architecture, ISCA 2013, pp. 237–248 (2013)
Pomeranz, H.: Detecting malware with memory forensics why memory forensics? Everything in the OS traverses RAM, pp. 1–27 (2012)
Olajide, F., Savage, N.: On the extraction of forensically relevant information from physical memory. In: IEEE World Congress on Internet Security, pp. 248–252 (2011)
Maartmann-Moe, C., Thorkildsen, S.E., Årnes, A.: The persistence of memory: forensic identification and extraction of cryptographic keys. Digit. Investig. 6, 132–140 (2009)
Adomavicius, G., Tuzhilin, A.: Context-aware recommender systems. In: Recommender Systems Handbook, 2nd edn., pp. 191–226 (2015)
Hausknecht, K., Foit, D., Burić, J.: RAM data significance in digital forensics. In: 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO 2015, pp. 1372–1375, May 2015
Patil, D.N., Meshram, B.B.: Extraction of forensic evidences from windows volatile memory. In: 2017 2nd International Conference for Convergence in Technology (I2CT), pp. 421–425 (2017)
Alghafli, K., Jones, A., Martin, T.: Forensic analysis of the Windows 7 registry. J. Digit. Forensics Secur. Law 5(4), 5–30 (2010)
Lallie, H.S., Briggs, P.J.: Windows 7 registry forensic evidence created by three popular BitTorrent clients. Digit. Investig. 7(3–4), 127–134 (2011)
Reddy, K., Venter, H.S.: The architecture of a digital forensic readiness management system. Comput. Secur. 32, 73–89 (2013)
Mohlala, M., Adeyemi, I.R., Venter, H.S.: User attribution based on keystroke dynamics in digital forensic readiness process. In: IEEE Conference on Applications, Information and Network Security (AINS), pp. 124–129 (2017)
Valjarevic, A., Venter, H.S.: Towards a digital forensic readiness framework for public key infrastructure systems. In: 2011 Information Security South Africa, pp. 1–10 (2011)
Kebande, V.R., Venter, H.S.: On digital forensic readiness in the cloud using a distributed agent-based solution: issues and challenges. Aust. J. Forensic Sci. 50(2), 209–238 (2018)
Kebande, V.R., Karie, N.M., Venter, H.S.: Adding digital forensic readiness as a security component to the IoT domain. Int. J. Adv. Sci. Eng. Inf. Technol. 8(1), 1 (2018)
Dolan-Gavitt, B.: Forensic analysis of the Windows registry in memory. Digit. Investig. 5, 26–32 (2008)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Singh, A., Ikuesan, A.R., Venter, H.S. (2019). Digital Forensic Readiness Framework for Ransomware Investigation. In: Breitinger, F., Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 259. Springer, Cham. https://doi.org/10.1007/978-3-030-05487-8_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-05487-8_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05486-1
Online ISBN: 978-3-030-05487-8
eBook Packages: Computer ScienceComputer Science (R0)