How to Use Windows Forensic Analysis to Identify and Analyze Ransomware – Pt 1

Ransomware attacks are on the rise. Every year many firms are targeted by these attacks, and the number keeps increasing year on year. The scariest part is that even after paying the ransom, victims are often unable to recover their data completely, and the data is lost forever. In some cases, after spending so much money, security teams still fail to identify the root cause or the source of the malware in their environment.

For those who don’t know, “ransomware is a type of malicious software that is aimed at restricting access to digital files and systems until a ransom is paid”.

Even when organizations enforce the best security policies and practices, there is a 1% chance of getting targeted. Defending is important, and so is the ability to analyze an attack after the fact: to figure out what went wrong and how to recover our encrypted data. For that, we should use digital forensics processes and tools to collect and analyze the data.

Microsoft Windows is by far the most used desktop OS right now. Private users and enterprises prefer it, and it currently holds roughly 80% of the desktop market share. This means that it is important to know how to perform forensic analysis on Microsoft Windows for someone interested in Digital Forensics.

In this article, we will explore how to use Windows Forensic Analysis to identify and analyze cyber-attacks.

What is Windows Forensic Analysis?

Windows Forensic Analysis is a process that involves collecting and analyzing digital evidence to gain insights into how a computer or network breach occurred.

Skilled forensic professionals use this information to determine the type of attacker, their methods, and the data they accessed. The findings are then written up in a forensic analysis report that can be used to respond to and mitigate the breach. The individual pieces of evidence collected are called artefacts.

What types of data can be collected and analyzed using Windows Forensic Analysis?

It typically includes network traffic logs, system logs, and other critical information collected from the infrastructure. It can also include the contents of memory and of storage devices, such as hard drives.

The data collected during a Windows Forensic Analysis can be used to identify and analyze a wide variety of malicious activities. These include the installation of malicious programs, like ransomware, and their use to access sensitive data, as well as malicious programs that modify or delete data without authorization, as ransomware does.

How does Windows Forensic Analysis identify and analyze ransomware?

One of the key ways Windows Forensic Analysis identifies and analyzes ransomware is by connecting the dots from the extracted information to identify suspicious files, and by using file integrity checks to track the files that were created, modified, or deleted. The collected traffic logs are used to analyze the source and the path the malware travelled, by tracing that path in reverse. Process details show which processes ran and which files were executed, downloaded, and received across the environment, which reveals unauthorized and suspicious files.
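The file-integrity tracking described above, as an added example that is not part of the original article: it snapshots SHA-256 digests of a directory, diffs two snapshots into created, modified and deleted sets, and computes what share of the baseline was rewritten or removed in one interval, which is the bulk-modification pattern ransomware leaves behind. The directory, file names and the simulated rewrite are constructed for the demo.

```python
# Added example (not from the article): file-integrity baseline/diff that
# reports created, modified and deleted files; directory contents are constructed.
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify paths as created, deleted or modified between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "created": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def mass_change_ratio(changes: dict, baseline_count: int) -> float:
    """Share of baseline files rewritten or removed in one interval; a high
    ratio is the bulk-modification pattern ransomware leaves behind."""
    touched = len(changes["modified"]) + len(changes["deleted"])
    return touched / baseline_count if baseline_count else 0.0


def demo() -> dict:
    """Constructed scenario: baseline four files, then bulk-rewrite three."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.docx", "b.xlsx", "c.txt", "d.pdf"):
            Path(root, name).write_bytes(b"original " + name.encode())
        base = snapshot(root)
        # Simulated encryption: originals removed, ciphertext under a new name.
        for name in ("a.docx", "b.xlsx", "c.txt"):
            os.remove(Path(root, name))
            Path(root, name + ".locked").write_bytes(os.urandom(32))
        changes = diff_snapshots(base, snapshot(root))
        changes["ratio"] = mass_change_ratio(changes, len(base))
        return changes


if __name__ == "__main__":
    print(demo())
```

In a real investigation the baseline comes from a known-good snapshot (backup catalogue, golden image or earlier scan), and the ratio threshold is tuned to the environment's normal change rate.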

Forensic analysis involves multiple deep-layer investigations to identify the granular changes performed on the system.

What are the best tools to use for Windows Forensic Analysis?

There are many tools and techniques that can be used for Windows forensics. These include a variety of network traffic analyzers, such as Network General’s Sniffer (the ancestor of Wireshark) and Cisco’s ThousandEyes.

Digital forensics tools, such as Exterro’s Forensic Toolkit, Guidance Software’s Encase, and Microsoft’s Windows Computer Forensics Tool, can be used to collect and analyze data from the computer.

Endpoint security tools, such as Carbon Black’s Continuous Security Investigation and Response (CSIR) and Symantec’s Endpoint Protection, can be used to collect and analyze data from the endpoint.

Log management tools, such as Splunk, Loggly, Sumo Logic, and Microsoft’s Operations Management Suite, can be used to collect and analyze data from network devices and computers.

What are the common methods used to detect ransomware?

  • Live analysis is the process of examining a computer system while it is still running. This can be done by booting the system from a live CD or USB drive, or by connecting to the system over the network. Live analysis can be used to examine volatile data that would otherwise be lost when the system is shut down.

  • Registry analysis is the process of examining the Windows Registry for evidence of criminal activity or system problems. The Registry is a database that stores information about all aspects of a Windows system, including installed programs, user accounts, and network settings. Registry analysis can be performed manually or by using a tool such as Regedit.

  • File carving is the process of recovering files from unallocated space on a hard drive. This can be done manually by examining the raw data on the drive, or by using a tool such as FTK Imager or EnCase. File carving can be used to recover deleted files or files that have been overwritten.
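Signature-based file carving, as described in the third item above, as an added example that is not part of the original article: it scans a byte image standing in for unallocated space for known header/footer pairs and cuts out each match. The PNG and PDF samples and the filler bytes are constructed; only files whose bytes are still contiguous and intact in unallocated space can be recovered this way.

```python
# Added example (not from the article): signature-based file carving over a
# constructed byte image standing in for unallocated disk space.
# Each entry: (header, footer, bytes that belong to the file after the footer;
# PNG carries a 4-byte CRC after its IEND marker).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
    "pdf": (b"%PDF-", b"%%EOF", 0),
}


def carve(image: bytes, signatures: dict = SIGNATURES, max_size: int = 1 << 20) -> list:
    """Return (type, offset, data) for every header whose footer follows within
    max_size bytes; headers with no footer in range are skipped (fragmented)."""
    found = []
    for kind, (header, footer, trailer) in signatures.items():
        start = image.find(header)
        while start != -1:
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end != -1:
                end += len(footer) + trailer
                found.append((kind, start, image[start:end]))
                start = image.find(header, end)   # continue after this file
            else:
                start = image.find(header, start + 1)
    return sorted(found, key=lambda f: f[1])


def build_image(files: list, pad: int = 64) -> bytes:
    """Constructed 'unallocated space': file blobs separated by filler bytes."""
    image = b"\x00" * pad
    for blob in files:
        image += blob + b"\xff" * pad
    return image


# Constructed samples: the carver only needs the markers, so the bodies are
# placeholder bytes rather than real image or PDF content.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"


def demo() -> list:
    """Carve the constructed image and report (type, offset, size) per hit."""
    image = build_image([PNG_SAMPLE, PDF_SAMPLE])
    return [(kind, off, len(data)) for kind, off, data in carve(image)]


if __name__ == "__main__":
    print(demo())
```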

We will cover a more in-depth analysis of the Registry level, process level, and file level analysis in our next article.
