Digital Forensics and Cyber Crime. 10th International EAI Conference, ICDF2C 2018, New Orleans, LA, USA, September 10–12, 2018, Proceedings

Research Article

Digital Forensic Readiness Framework for Ransomware Investigation

Download
1026 downloads
  • @INPROCEEDINGS{10.1007/978-3-030-05487-8_5,
        author={Avinash Singh and Adeyemi Ikuesan and Hein Venter},
        title={Digital Forensic Readiness Framework for Ransomware Investigation},
        proceedings={Digital Forensics and Cyber Crime. 10th International EAI Conference, ICDF2C 2018, New Orleans, LA, USA, September 10--12, 2018, Proceedings},
        proceedings_a={ICDF2C},
        year={2019},
        month={1},
        keywords={Windows forensics Digital forensic readiness Ransomware forensics Memory Registry Investigation},
        doi={10.1007/978-3-030-05487-8_5}
    }
    
  • Avinash Singh
    Adeyemi Ikuesan
    Hein Venter
    Year: 2019
    Digital Forensic Readiness Framework for Ransomware Investigation
    ICDF2C
    Springer
    DOI: 10.1007/978-3-030-05487-8_5
Avinash Singh1,*, Adeyemi Ikuesan1,*, Hein Venter1,*
  • 1: University of Pretoria
*Contact email: asingh@cs.up.ac.za, aikuesan@cs.up.ac.za, hventer@cs.up.ac.za

Abstract

Over the years there has been a significant increase in the exploitation of the security vulnerabilities of Windows operating systems, the most severe threat being malicious software (malware). Ransomware, a variant of malware which encrypts files and retains the decryption key for ransom, has recently proven to become a global digital epidemic. The current method of mitigation and propagation of malware and its variants, such as anti-viruses, have proven ineffective against most Ransomware attacks. Theoretically, Ransomware retains footprints of the attack process in the Windows Registry and the volatile memory of the infected machine. Digital Forensic Readiness (DFR) processes provide mechanisms for the pro-active collection of digital footprints. This study proposed the integration of DFR mechanisms as a process to mitigate Ransomware attacks. A detailed process model of the proposed DFR mechanism was evaluated in compliance with the ISO/IEC 27043 standard. The evaluation revealed that the proposed mechanism has the potential to harness system information prior to, and during a Ransomware attack. This information can then be used to potentially decrypt the encrypted machine. The implementation of the proposed mechanism can potentially be a major breakthrough in mitigating this global digital endemic that has plagued various organizations. Furthermore, the implementation of the DFR mechanism implies that useful decryption processes can be performed to prevent ransom payment.