Six methods for extracting data from encrypted virtual disks.

Recovering data from encrypted virtual disks has become a recurring task for incident response teams. This article summarises six methods, all based on readily available tools, for extracting information from virtual machines whose disk files have been encrypted by ransomware.

Importance of Data Recovery in Cyber Incidents

Extracting data from encrypted virtual disks serves several purposes: retrieving valuable customer data, reconstructing compromised virtualized infrastructure, and enriching the timeline of an incident investigation. The source reports these techniques being used effectively in investigations involving ransomware groups such as LockBit, Faust/Phobos, Rhysida and Akira.

Limitations and Recommendations

Results are not guaranteed. Success rates vary: valuable forensic artifacts have been recovered this way, but fully restoring production systems such as databases is much less likely. Work only on forensic copies of the disk files, never on the originals, so that a failed attempt cannot cause further damage.

Data Extraction Methods

Below are described six methods for extracting data from encrypted virtual disks, with details on the necessary tools and additional considerations.

1. Mounting the Drive

Before assuming a disk is fully encrypted, try to mount it. Some ransomware only renames files (appending a new extension) or encrypts only part of each file, leaving the filesystem structures intact; if the mount succeeds, the required files can simply be copied out. Recommended tools include 7-Zip, which can open VMDK and VHD images as archives, and FTK (FTK Imager).

2. RecuperaBit

RecuperaBit, written by Andrea Lazzarotto, is a Python 3 tool that automatically reconstructs NTFS filesystems from the file records it finds on the disk, even where the partition table and boot sector are gone. The source reports results in about 20 minutes. It is well suited to recovering folder structures and files, but the recovered output may trigger endpoint protection detections.

3. Bulk_extractor

bulk_extractor is a free tool for Windows and Linux that scans a disk image and carves out system and multimedia files. Its scanners can be enabled selectively so that a run concentrates on the file types of interest, which speeds up the analysis considerably. Run it in a sandbox environment so that carved output does not trigger endpoint protection detections on the analysis host.

4. EVTXtract

EVTXtract searches a disk image for complete or partial Windows event log (.evtx) files and recovers the records it finds. It is a Python tool, run on Linux in the source's workflow, and writes its results as XML, which usually needs further processing (for example into a timeline) before analysis.

5. Scalpel and Foremost

Scalpel and Foremost are free file carvers, particularly useful for recovering documents and multimedia files. Both read a configuration file of header and footer signatures that can be trimmed to the file types of interest, which keeps runs short. Use them in a sandbox environment as well.
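To show what the signature-based carvers in methods 3 to 5 actually do, here is a minimal header/footer carver in the style of a Scalpel or Foremost rule set. It is an added example, not code from the article or from any of the tools named above. The signature table mirrors the fields of a Scalpel rule (type, header, footer, maximum size); the EVTX file header magic is included as a footer-less type to show how such a rule behaves. The disk image it runs on, and the file blobs inside it, are constructed in build_sample_image().

```python
"""Minimal header/footer file carver in the spirit of Scalpel and Foremost.

Added example, not code from the article or from either tool. The sample
image is constructed in build_sample_image()."""

# (type, header, footer or None, max_size): the fields a scalpel.conf line carries.
# Trimming this table to the types you need is what makes a run faster.
SIGNATURES = [
    ("pdf", b"%PDF-", b"%%EOF", 4096),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 4096),
    ("evtx", b"ElfFile\x00", None, 4096),   # EVTX file header magic, no footer
]


def carve_files(image, signatures=SIGNATURES):
    """Return [(type, offset, data, complete)] for every header hit in image.

    For each header the matching footer is searched within max_size bytes.
    If it is found the file is cut there and flagged complete; otherwise (no
    footer defined, or the tail was overwritten) max_size bytes are taken and
    the hit is flagged incomplete, which is also how Scalpel behaves."""
    hits = []
    for ftype, header, footer, max_size in signatures:
        start = image.find(header)
        while start != -1:
            window = image[start:start + max_size]
            end = None
            if footer is not None:
                idx = window.find(footer, len(header))
                if idx != -1:
                    end = idx + len(footer)
            if end is None:
                hits.append((ftype, start, window, False))
            else:
                hits.append((ftype, start, window[:end], True))
            start = image.find(header, start + len(header))
    hits.sort(key=lambda hit: hit[1])
    return hits


def build_sample_image():
    """Constructed image: an intact PDF and JPEG, a PDF whose tail was
    overwritten (standing in for a partially encrypted file) and an EVTX header."""
    filler = b"\x00" * 300
    pdf = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 200 + b"\xff\xd9"
    damaged_pdf = b"%PDF-1.4\n2 0 obj\n" + b"\xa5" * 500   # no %%EOF survives
    evtx = b"ElfFile\x00" + b"\x00" * 120 + b"ElfChnk\x00" + b"\x33" * 100
    return filler + pdf + filler + jpg + filler + damaged_pdf + filler + evtx + filler


if __name__ == "__main__":
    for ftype, offset, data, complete in carve_files(build_sample_image()):
        state = "complete" if complete else "incomplete (no footer in window)"
        print(f"{ftype:5s} at offset {offset:6d}: {len(data):5d} bytes, {state}")
```

The incomplete flag is the practical point: a ransomware run that encrypts the tail of a document removes its footer, so the carver hands back a max_size slice that may still hold usable text, but that needs manual checking before it is treated as the original file.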

6. Manual NTFS Partition Carving

Manual carving with dd on Linux requires precise offset and length calculations and some preparation: the intact NTFS partitions are located on the disk, their extent is worked out from the boot sector, and each is copied into a new image file that can then be mounted or fed to the tools above. Laborious, but it can be very effective in recovering valuable data.
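The "precise calculations" in this method come down to finding each NTFS boot sector and turning its fields into dd skip and count values. The script below does that arithmetic; it is an added example, not the article's own procedure. It assumes the standard NTFS boot sector layout (OEM ID "NTFS    " at offset 3, BPB at 0x0B, TotalSectors at 0x28, 0x55AA at offset 510) and the usual Windows convention that TotalSectors excludes the volume's final sector, which holds a backup copy of the boot sector. The image it scans is constructed in build_sample_image(); the file names in the emitted dd command are placeholders.

```python
"""Locate NTFS volumes in a raw disk image and work out the dd parameters
needed to carve them. Added example, not the article's own procedure.
Assumes the standard NTFS boot sector layout and that TotalSectors excludes
the final (backup boot) sector. Sample image built in build_sample_image()."""
import struct

SECTOR = 512                 # scan granularity and dd block size
NTFS_OEM = b"NTFS    "


def parse_ntfs_boot_sector(bs):
    """Parse a 512-byte candidate; return the BPB fields or None if implausible."""
    if len(bs) < SECTOR or bs[3:11] != NTFS_OEM or bs[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", bs, 0x28)
    # Plausibility checks filter ciphertext that happens to carry the OEM string.
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        return None
    if sectors_per_cluster == 0 or total_sectors == 0:
        return None
    return {"bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors,
            "mft_cluster": mft_cluster,
            "mftmirr_cluster": mftmirr_cluster}


def find_ntfs_volumes(image):
    """Scan every sector; return descriptors with offset, length, available
    (bytes actually present in the image), backup_ok and truncated."""
    volumes = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sector = image[off:off + SECTOR]
        fields = parse_ntfs_boot_sector(sector)
        if fields is None:
            continue
        # The backup boot sector at the end of a volume matches too: skip a hit
        # that lies inside an already-found volume and equals its boot sector.
        if any(v["offset"] < off < v["offset"] + v["length"]
               and image[v["offset"]:v["offset"] + SECTOR] == sector
               for v in volumes):
            continue
        bps = fields["bytes_per_sector"]
        length = (fields["total_sectors"] + 1) * bps   # +1 for the backup sector
        end = off + length
        truncated = end > len(image)                    # image cut short
        backup_ok = (not truncated
                     and image[end - bps:end - bps + SECTOR] == sector)
        volumes.append({"offset": off, "length": length,
                        "available": min(length, len(image) - off),
                        "fields": fields, "backup_ok": backup_ok,
                        "truncated": truncated})
    return volumes


def carve(image, vol):
    """Slice the volume out of the image (shorter than length if truncated)."""
    return image[vol["offset"]:vol["offset"] + vol["length"]]


def dd_command(vol, src="disk-flat.vmdk", dst=None):
    """The dd invocation for this volume, skip/count in 512-byte sectors.
    src/dst are placeholder names for the working copy and the output."""
    dst = dst or f"ntfs_at_sector_{vol['offset'] // SECTOR}.img"
    return (f"dd if={src} of={dst} bs={SECTOR} skip={vol['offset'] // SECTOR} "
            f"count={vol['available'] // SECTOR} conv=noerror")


def make_boot_sector(total_sectors, hidden_sectors):
    """Build a minimal but well-formed NTFS boot sector for the sample image."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"
    bs[3:11] = NTFS_OEM
    struct.pack_into("<HB", bs, 0x0B, 512, 8)          # 512 B/sector, 8 sectors/cluster
    bs[0x15] = 0xF8                                     # media descriptor
    struct.pack_into("<HHI", bs, 0x18, 63, 255, hidden_sectors)
    struct.pack_into("<I", bs, 0x24, 0x80008000)
    struct.pack_into("<QQQ", bs, 0x28, total_sectors, 4, total_sectors // 16)
    struct.pack_into("<b", bs, 0x40, -10)               # 2**10-byte MFT records
    struct.pack_into("<b", bs, 0x44, 1)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def build_sample_image():
    """Constructed 2 MiB image: filler standing in for ciphertext, an intact
    512 KiB volume at sector 2048 (backup boot sector in sector 3071), and a
    second volume at sector 3200 that runs past the end of the image."""
    img = bytearray(b"\xa5" * (4096 * SECTOR))
    intact = make_boot_sector(total_sectors=1023, hidden_sectors=2048)
    img[2048 * SECTOR:2049 * SECTOR] = intact
    img[3071 * SECTOR:3072 * SECTOR] = intact           # backup copy
    cut = make_boot_sector(total_sectors=2047, hidden_sectors=3200)
    img[3200 * SECTOR:3201 * SECTOR] = cut
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for vol in find_ntfs_volumes(image):
        print(f"NTFS at byte {vol['offset']}: {vol['length']} bytes, "
              f"backup_ok={vol['backup_ok']}, truncated={vol['truncated']}")
        print("  " + dd_command(vol))
```

A volume whose backup boot sector no longer matches, or whose extent runs past the end of the image, is still worth carving: the carved file can be handed to RecuperaBit or a file carver, but it should not be expected to mount cleanly.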

Additional Considerations

When choosing a method, consider the size of the disk files, the tools and time available, the storage needed for working copies and output, and the client's priorities. The business need for the data should determine how much effort is invested.

Conclusion

While these methods do not guarantee results, they can be crucial in recovering data from encrypted disks during a cyber incident. The decision to continue or abandon the process should be based on a careful assessment of the specific needs and circumstances of each case.

Reference: OpenSecurity and Sophos blog.
