{"id":24489,"date":"2024-05-13T03:21:06","date_gmt":"2024-05-13T11:21:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/05\/13\/news-18219\/"},"modified":"2024-05-13T03:21:06","modified_gmt":"2024-05-13T11:21:06","slug":"news-18219","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/05\/13\/news-18219\/","title":{"rendered":"Extracting data from encrypted virtual disks: six methods"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Mon, 13 May 2024 08:30:24 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>This article explains various techniques and readily available tools for extracting data from an encrypted virtual disk. For incident-response situations in which the entire virtual disk has been encrypted, these tools and techniques may \u2013 <em><u>may<\/u><\/em> \u2013 enable the investigating team to retrieve data from the encrypted system.<\/p>\n<p>Efforts to extract data from encrypted virtual disks can potentially lead to multiple positive outcomes: recovering customer data that is irretrievable via standard methods, helping rebuild virtualized customer infrastructure that has been compromised, and \/ or enriching an incident investigation timeline. So far, we\u2019ve used these techniques successfully in DFIR investigations involving the LockBit, Faust \/ Phobos, Rhysida, and Akira ransomware groups.<\/p>\n<p>We\u2019ll say this at the beginning of the article and we\u2019ll say it again at the end: Results are not guaranteed. No data-extraction method in existence is certain to yield full data from an encrypted VM. 
We will also highlight that while these methods have seen quite a high success rate in extracting forensic data that is valuable for the investigation (such as event logs, registry forensics, and the like), the success rate of retrieving data that can be used as part of the recovery process of production systems, such as databases, is much lower.<\/p>\n<p><strong>We strongly recommend that any recovery attempts should be conducted on \u201cworking copies\u201d and not the originals, lest the attempts cause unintended further damage to the devices.<\/strong><\/p>\n<p>In the next section we\u2019ll discuss in which situations retrieval may be possible and to what extent. After that, we\u2019ll list some factors to take into consideration as you select which methods you\u2019ll attempt. Finally, we\u2019ll look at each method, listing the prerequisites (the tools required to attempt the method; all are required) and flagging other considerations. In the discussion of the most labor-intensive method, we\u2019ll walk through the details of the process. In this article, references to \u201cvirtual disks,\u201d \u201cVM\u2019s,\u201d or \u201cdisk images\u201d all refer to the same thing and can be any image of a disk such as VHD, VHDX, VMDK, RAW, and so on. All six techniques apply to Windows; a few also may work on Linux, and we\u2019ll note those in each case.<\/p>\n<h3><strong>What is file \/ disk encryption?<\/strong><\/h3>\n<p>When ransomware encrypts a virtual disk (or any file), the data has been essentially randomized, rendering the file unreadable by the operating system. The most well-known method of decrypting a file (returning the file to its original, readable state) is via a decryptor, a software tool or program designed to reverse the process of encryption, making encrypted files readable again.<\/p>\n<p>In ransomware attacks, the decryptor is created and controlled by the threat actor. 
In those situations, unless the ransom is paid or the decryptor becomes publicly available, other methods of data recovery must be considered.<\/p>\n<p>Ransomware binaries prioritize speed over thorough encryption. Encrypting entire files would be too time-consuming, so the attackers aim to inflict maximum damage swiftly, minimizing the window for intervention. Consequently, while smaller files like documents are usually fully encrypted, larger ones such as virtual disks may have significant portions left unencrypted. This provides investigators with opportunities to employ diverse techniques for extracting information from these virtual disks.<\/p>\n<h3><strong>Which method to use: Considerations<\/strong><\/h3>\n<p>There are multiple methods that can be used when looking to extract data from an encrypted Windows VM. (A few of these techniques are applicable to Linux recovery attempts as well, and we\u2019ll indicate those.) In this article we will cover six:<\/p>\n<ul>\n<li>Method 1: Mounting the drive<\/li>\n<li>Method 2: RecuperaBit<\/li>\n<li>Method 3: bulk_extractor<\/li>\n<li>Method 4: EVTXtract<\/li>\n<li>Method 5: Scalpel, Foremost, and other file-recovery tools<\/li>\n<li>Method 6: Manual carving of the NTFS partition<\/li>\n<\/ul>\n<p>Which to try first? The following six considerations may help you in deciding which method is appropriate.<\/p>\n<p><strong>File size<\/strong><br \/> Experience has shown that the larger the size of the virtual disk, the greater the chance of successful recovery. For Windows machines, this is largely because most VMs will have multiple partitions, usually three &#8212; recovery, boot, and the C: (user-visible) partition. (For this article, let\u2019s assume the drive is mapped to the usual C:.) 
The first two partitions hold little data of use for an incident investigation, but because encryption commonly encrypts the first few bytes of the VM, only these partitions end up encrypted.<\/p>\n<p>This, therefore, often leaves the C: partition, where customer data and potential forensic data is housed, untouched. This can help investigators to rebuild a compromised virtual device and enrich an incident investigation.<\/p>\n<p>Conversely, if the VM file is relatively small, the likelihood of recovering data is lessened. However, there still may be an opportunity to harvest event logs or registry hives.<\/p>\n<p><strong>Tools<\/strong><br \/> As with any other problem in incident response, there exist multiple methods and tools for tackling the same issue. Some tools may perform better than others depending on the type of encryption. It is worth trying multiple tools to get the result you need if your first attempt fails or only partially works.<\/p>\n<p>It is also important to note that tools do stop getting updated and \/ or supported, so consider looking for additional tools not mentioned in this guide. The tools that we are using are third-party tools, or in some cases tools that are already part of Windows or Linux (this includes Windows Subsystem for Linux [WSL]). Throughout this article and in our everyday investigations, we acknowledge the great contribution the creators of those tools have made to defense efforts, especially in those cases in which the tools were not designed with encryption in mind.<\/p>\n<p><strong>Time<\/strong><br \/> The time available to complete the task is something worth considering; the hardware \/ equipment you have available may play a part in this. For instance, manual carving (Method 6) is one available option, but this can take a long time; specifically, it can require a lot of processor power, which could slow down your device during the process. 
This could lead to you not being able to use the device you are using for forensic examination for other daily duties whilst this process completes. (Because of this, if it is not time-sensitive, we recommend you start the manual carving process towards the end of the working day and leave your device running overnight.) Different solutions take varying amounts of time and this needs to be considered.<\/p>\n<p><strong>Storage<\/strong><br \/> Available storage space should be factored into your decision. Manual carving, for instance, can require quite a bit of storage space, as it will recreate a copy of the file; in other words, if you are trying to recover a 1TB virtual hard disk, you may well need at least another 1TB for the results. This is also true with some of the file recovery tools (Method 5), particularly if the master file table (MFT) is corrupt, since in that situation the tool could \u201crecover\u201d huge files that do not actually exist.<\/p>\n<p><strong>File types and priorities<\/strong><br \/> Clients occasionally ask us to recover specific files (particularly Word documents and PDFs), as they are not interested in anything else. If that is the case, and you do not need any further data for the investigation as all the TTPs have been accounted for, it may be more useful for you to run an automated media file recovery tool over the VM, rather than doing a full recovery of the whole disk.<\/p>\n<p><strong>Need <\/strong><br \/> In a related vein, the enterprise\u2019s need to recover the data should be weighed in recovery decisions. For example, if the business plans to rebuild the device, they have a working backup of the data, and it\u2019s not crucial to the investigation, what is to be gained by recovering data from it? Does it need to happen? (Probably not.) 
A clear understanding of the business need for recovery of <em>this specific VM<\/em> leads to better allocation of precious incident-response resources.<\/p>\n<h2><strong>Methods of extraction: Six techniques<\/strong><\/h2>\n<p>The methods below cover multiple ways of attempting to extract data from a virtual machine. This is not an exhaustive list, since new methods and tools are being developed all the time; researching newer techniques and or tools is always encouraged, and we ourselves will likely update this article as we add techniques to our own repertoire. With such a variety of options available, familiarizing yourself with the basics of each of these, then applying that knowledge to the considerations listed above, is likely the best approach \u2013 and one that gets easier with experience and practice.<\/p>\n<p>All that said, though the list that follows is not in a strict order, we suggest that Method 1 should be the first step in any attempted recovery, for reasons that will be clear.<\/p>\n<h3><strong>Method 1: \u00a0Just mount it<\/strong><\/h3>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955199 alignleft\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-01.png\" alt=\"A callout box with the following text: Prerequisites for mounting the drive A Windows OS version that has the native Windows mounting tool Third-party mounting tools Imaging tools such as FTK Archiving tool such as 7-Zip Applicability: Windows, Linux\" width=\"320\" height=\"274\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-01.png 320w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-01.png?resize=300,257 300w\" sizes=\"auto, (max-width: 320px) 100vw, 320px\" \/><\/a>Just because you have been told that the VM is encrypted doesn\u2019t necessarily mean that it is. 
(Yes, cybercriminals sometimes lie.) We have encountered clients who have mistakenly thought their files were encrypted when, in fact, the attacker had simply changed the file extensions. In addition, we have seen instances where attackers\u2019 encryption processes have failed and actually just renamed the file.<\/p>\n<p>Always try this method first as it just might work &#8212; and save a lot of time. If it doesn\u2019t succeed, you\u2019ll have lost little time and have done nothing to impede other methods of retrieval. If, on the other hand, the method succeeds and the drive does mount, you can then access the file(s) and copy and paste from them as desired. In addition, because you are simply mounting the VM, endpoint protection (that is, antimalware \/ antivirus packages) should not detect or remove any malicious files. This will be useful if you plan to collect samples for labs submission. Some tips for success with this method:<\/p>\n<ul>\n<li>Try the 7-Zip GUI archiver; we have had a lot of success with 7-Zip in this situation<\/li>\n<li>Mount the drive<\/li>\n<li>If that\u2019s not working, try FTK or any other third-party mounting tool<\/li>\n<\/ul>\n<h3><strong>Method 2:\u00a0 RecuperaBit<\/strong><\/h3>\n<p><a href=\"https:\/\/github.com\/Lazza\/RecuperaBit\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-955200\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-02.png\" alt=\"A callout box with the following text: Prerequisites for using RecuperaBit RecupraBit downloaded from GitHub Python installed on OS of choice Available storage that is equivalent in size to the VM A \u2018sandboxed\u2019 environment \/ separate device \/ VM working environment, to avoid potential endpoint-protection detections Applicability: Windows, Linux\" width=\"323\" height=\"349\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-02.png 323w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-02.png?resize=278,300 278w\" sizes=\"auto, (max-width: 323px) 100vw, 323px\" \/><\/a>RecuperaBit, created by Andrea Lazzarotto, is an automated tool that will rebuild any NTFS partitions that it can find in the encrypted VM. If it can find an NTFS partition, it will re-create the folder structure of that partition on the device being used for examination. If successful, you can then access the file(s) and copy and paste from them as desired from the newly created directory\/folder structure.<\/p>\n<p>It is a Python script, so it will work on any OS that supports Python 3. It\u2019s easy to use, and only a few options are needed to get it to rebuild the encrypted VM. Experience has shown that, on average, you should get a &#8216;yes&#8217; or &#8216;no&#8217; as to whether it can rebuild anything of use within about 20 minutes. After that, if it can manage the rebuild, it will take approximately another 20 minutes to recreate the partition for you.<\/p>\n<p>It&#8217;s important to know that running RecuperaBit will likely set off endpoint-protection detections if ransom.exe or other malicious files are present. For this reason, if you choose to use RecuperaBit in situations where you hope to recover that executable for further analysis, you should run it in an environment where endpoint protections can be safely disabled &#8212; hence the prerequisite of a sandbox.<\/p>\n<p>At the time of this writing, RecuperaBit can be <a href=\"https:\/\/github.com\/Lazza\/RecuperaBit\">downloaded<\/a> from GitHub. 
There is a user guide on the GitHub page for the tool.<\/p>\n<h3><strong>Method 3: bulk_extractor<\/strong><\/h3>\n<p><a href=\"https:\/\/www.kali.org\/tools\/bulk-extractor\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-955201\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-03.png\" alt=\"Callout box with following text: Prerequisites for using bulk_extractor bulk_extractor downloaded for Windows or Linux A Linux device \/ WSL\/ working VM, if the Linux binary is to be used A \u2018sandboxed\u2019 environment \/ separate device \/ VM working environment, to avoid potential endpoint-protection detections Applicability: Windows, Linux\" width=\"323\" height=\"335\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-03.png 323w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-03.png?resize=289,300 289w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-03.png?resize=32,32 32w\" sizes=\"auto, (max-width: 323px) 100vw, 323px\" \/><\/a>Bulk_extractor (called bulk-extractor on <a href=\"https:\/\/www.kali.org\/tools\/bulk-extractor\">its kali.org page<\/a>, but the same program in either case) is a free tool that runs on Windows or Linux. It was created by Simson Garfinkel. It can recover system files such as Windows event logs (.EVTX) as well as media files. This tool is automated, so the investigator can start it and let it run, perhaps after hours, in hope it will recover something.<\/p>\n<p>It is possible to configure it for specific file types or other artifacts by altering its config file. 
This can be very useful to speed analysis up in scenarios where you\u2019re hoping for quick, focused, or specific results &#8212; for example, EVTX files only &#8212; rather than trying to recover the whole of the partition.<\/p>\n<p>As with RecuperaBit in Method 2, running bulk_extractor will likely set off endpoint-protection detections if ransom.exe or other malicious files are present. For this reason, if you choose to use bulk_extractor in situations where you hope to recover that executable for labs submission or similar analysis, you should run it in an environment where endpoint protections can be safely disabled &#8212; hence the above prerequisite of a sandbox.<\/p>\n<p>At the time of this writing, bulk_extractor for Linux can be downloaded from <a href=\"https:\/\/www.kali.org\/tools\/bulk-extractor\">GitHub<\/a>. There is a user guide on the GitHub page for the tool.<\/p>\n<h3><strong>Method 4 : EVTXtract<\/strong><\/h3>\n<p><a href=\"https:\/\/github.com\/williballenthin\/EVTXtract\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-955202\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-04.png\" alt=\"Callout box with following text: Prerequisites for using EVTXtract EVTXtract downloaded from GitHub (click here for link) A Linux device \/ WSL \/ working VM Applicability: Windows\" width=\"322\" height=\"211\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-04.png 322w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-04.png?resize=300,197 300w\" sizes=\"auto, (max-width: 322px) 100vw, 322px\" \/><\/a>This specialized tool searches a block of data (in this case, an encrypted VM) for complete or partial .evtx files. If it finds any, the tool pulls them back into their original structure, which is XML. This is an automated tool that is built to run on Linux only.<\/p>\n<p>XML files are notoriously difficult to work with. 
In this case, the file will consist of incorrectly embedded EVTX fragments, so expect the output to be a bit unwieldy. To make it easier to review this tool\u2019s output, you will have to massage the data. A couple of suggestions for doing this effectively:<\/p>\n<ul>\n<li>Attempt to convert the file to CSV format for easier viewing<\/li>\n<li>Use the grep command to get the outcome for YYYY-DD-MM (or any other date formats), event IDs, keywords, or known IoCs indicating activity on the day of interest<\/li>\n<\/ul>\n<p>Please note that this tool, just as the name indicates, recovers EVTX files or fragments only. If you are seeking other artifacts, you will need to use a different tool.<\/p>\n<p>At the time of this writing, EVTXtract can be downloaded from <a href=\"https:\/\/github.com\/williballenthin\/EVTXtract\">GitHub<\/a>. There is a user guide on the GitHub page for the tool.<\/p>\n<h3><strong>Method 5: Scalpel, Foremost, or other file-recovery tools<\/strong><\/h3>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-05.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-955203\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-05.png\" alt=\"Callout box with following text: Prerequisites for using Scalpel or Foremost Copy of Scalpel or Foremost (download links in article) A Linux device \/ WSL \/ working VM A sandboxed environment \/ separate device \/ VM working environment to avoid potential endpoint-protection detections Applicability: Windows, Linux\" width=\"322\" height=\"303\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-05.png 322w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-05.png?resize=300,282 300w\" sizes=\"auto, (max-width: 322px) 100vw, 322px\" \/><\/a>Turning our attention from EVTX-recovery tools to those designed to restore other types of files, Scalpel and Foremost are two of many free 
file recovery tools currently available. Though both are older tech, the Sophos IR team has had excellent results with these two in our investigations.<\/p>\n<p>The original version of Scalpel, released in 2005, was based on Foremost, and the two carving and indexing applications are similar in approach. Both mainly recover media and document files, which makes them useful if your investigation is seeking documents, PDFs, or the like. For either one, the config file can be modified to focus on specific file types, or be left alone for a fuller (though slower) catch-all effort.<\/p>\n<p>As mentioned, neither of these programs retrieves system files; other tools will be needed for that work. In addition, files recovered from these may kick off endpoint-protection detections if any malicious files are present (for instance, malicious PDFs from a phishing campaign). For this reason we recommend that investigators run these tools in a sandbox environment, where endpoint protection can be disabled, if such files must be preserved for the investigation.<\/p>\n<p>As noted above, both these programs are older technology, which means that recovery of newer filetypes may not be feasible with these tools. Other tools exist, and the reader is invited to investigate those, but as easily available options these are both solid performers.<\/p>\n<p>Foremost can be <a href=\"https:\/\/github.com\/gerryamurphy\/Foremost\">downloaded<\/a> from GitHub, and there is a user guide on the GitHub page for the tool. It was originally developed by the US Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research. The version on GitHub does not appear to be actively maintained.<\/p>\n<p>Likewise, at the time of this writing, Scalpel can be <a href=\"https:\/\/github.com\/sleuthkit\/scalpel\">downloaded<\/a> from GitHub. There is a user guide on the GitHub page for the tool. 
As stated on its GitHub page, this tool is not actively maintained.<\/p>\n<h3><strong>Method 6 : Manual carving of the NTFS partition<\/strong><\/h3>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-06.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-955204\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-06.png\" alt=\"Callout box with following text: Prerequisites for manual carving of the NTFS partition A Linux device \/ WSL \/ working VM A hex editor such as HxD or xxd A version of the Windows OS that has the native window mounting tool Third-party mounting tools Imaging tools such as FTK Archiving tool such as 7-Zip Available storage that is equivalent in size to the VM Applicability: Windows\" width=\"323\" height=\"345\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-06.png 323w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-callout-06.png?resize=281,300 281w\" sizes=\"auto, (max-width: 323px) 100vw, 323px\" \/><\/a>In contrast to the tools and techniques summarized above, manual carving takes preparation and some finer understanding of the options available to you. We\u2019ll make some recommendations for how to plan your effort, and then walk you through the specifics of working with dd, the powerful Linux utility you\u2019ll use for this work.<\/p>\n<p>(Some background: DD originally stood for \u201cdata definition\u201d and is truly one of computing\u2019s Elder Gods; it celebrates its 50<sup>th<\/sup> anniversary of existence in June 2024. 
New dd users are warned that typos can be catastrophic in this utility, earning it its alternate name of \u201cdisk destroyer\u201d; it has been described as \u201ca Swiss Army knife, but one that\u2019s all blades and no handle.\u201d It is recommended that investigators familiarize themselves with <a href=\"https:\/\/blog.kubesimplify.com\/the-complete-guide-to-the-dd-command-in-linux\">dd basics<\/a> before proceeding. We also suggest typing the dd command into a text editor, making sure everything is correct, and then copying and pasting the command at the command line.)<\/p>\n<p>Proper manual carving requires that investigators set three switches in dd prior to running the utility \u2013 bs (bytes per sector), skip (the offset value of the NTFS sector you aim to recreate), and count (the size of the sector). These calculations aren\u2019t necessarily difficult, but they do take time and they are not optional. This section walks you through the steps for calculating all three.<\/p>\n<p>In addition, the processing itself is rather slow, potentially taking hours to complete correctly. (As mentioned above, we generally recommend you start the manual carving process at the end of the working day and leave your device running overnight.) With some practice, however, the calculation of the switch values may take the investigator only a few minutes &#8212; and if you calculate the size of the partition you are going to carve <em>before<\/em> attempting to carve the partition, you reduce the likelihood of wasting time and processing power. So do that.<\/p>\n<p>Note finally that this process is space-intensive, likely taking up the same amount of space the VM itself does, since you are essentially copying the VM. 
For example, if you\u2019re working with a 100GB VM file, you\u2019ll need another 100GB plus space in which to extract the files you want.<\/p>\n<p>The process has four main steps:<\/p>\n<ol>\n<li>Analyze the encrypted VM for available NTFS partitions<\/li>\n<li>Carve the largest NTFS partition out and into a new file<\/li>\n<li>If the newly created file is intact enough, mount it in Windows<\/li>\n<li>Extract the artifacts you need<\/li>\n<\/ol>\n<p>The utility that does the copying, dd, is built into Linux. The command is as follows:<\/p>\n<pre>sudo dd if= *** of=***.img bs=*** skip=*** count=*** status=progress<\/pre>\n<p>Again \u2013 and this cannot be emphasized enough \u2013 dd is entirely unforgiving of typos. Proceed with caution. The command and its switches may be understood as follows:<\/p>\n<p><em>sudo<\/em> = User needs to have highest privileges for this tool<\/p>\n<p><em>dd<\/em> = The utility itself<\/p>\n<p><em>if <\/em>= Stands for \u2018input file\u2019 &#8212; this value is the path and file name of the encrypted VM<\/p>\n<p><em>of<\/em> = Stands for \u2018output file\u2019 &#8212; this is the name of the recreated partition. Suggested file extension is <em>newfilename<\/em><em>.<\/em>img<\/p>\n<p><em>bs<\/em> = The bytes per sector of the partition you are carving out; this value <em><u>must<\/u><\/em> be entered in bytes<\/p>\n<p><em>skip<\/em> = The offset value, in <em><u>sectors<\/u><\/em>, of the NTFS partition you are carving out, from the start of the disk \/ VM file<\/p>\n<p><em>count<\/em> = The size of the partition, in <em><u>sectors<\/u><\/em>, of the NTFS partition you are carving out<\/p>\n<p><em>status <\/em>= An optional switch to display a progress bar, to see how many bytes have been duplicated<\/p>\n<p>As mentioned above, there are three values you must calculate and provide for the switches in this command: bs, skip, and count. 
The easiest way to work these values out is to use a GUI hex editor such as Ma\u00ebl H\u00f6rz\u2019s <a href=\"https:\/\/mh-nexus.de\/en\/hxd\/\">HxD<\/a> (which is Windows freeware), but a command-line tool such as xxd will work if preferred. The screen captures below show the steps using HxD.<\/p>\n<h4><strong>Switches: Gathering the basic values\u00a0<\/strong><\/h4>\n<p>Start HxD and load in the encrypted VM file. Click the Offset column at the far left to change it to show values in decimal (base10). In HxD this is denoted by the letter D in brackets, as shown in Figure 1.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955205 alignnone\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-01.png\" alt=\"Screen capture of offset values displayed as base10 numbers\" width=\"624\" height=\"90\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-01.png 624w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-01.png?resize=300,43 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/p>\n<p><em>Figure 1: The offset values are now displayed in decimal numbers<\/em><\/p>\n<p>Next, open Data inspector from the View dropdown, as shown in Figure 2.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-955206 alignnone\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-02.png\" alt=\"Screen capture showing an HxD menu\" width=\"319\" height=\"258\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-02.png 319w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-02.png?resize=300,243 300w\" sizes=\"auto, (max-width: 319px) 100vw, 319px\" \/><\/a><\/p>\n<p><em>Figure 2: The View dropdown in HxD with the 
Data inspector option selected<\/em><\/p>\n<p>Now find the potential NTFS partitions. Highlight the very top left byte, then use the search function to search for the following hexadecimal string &#8212; as opposed to a decimal string or a text string, if such options are available.<\/p>\n<pre style=\"margin-left: 36.0pt\">EB 52 90 4E 54 46 53 20 20 20 20<\/pre>\n<p>Pay attention to which tab is open in the Find box, as shown in Figure 3.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-03.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-955207\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-03.png\" alt=\"Screen capture showing a search box with the hex string given above\" width=\"449\" height=\"305\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-03.png 449w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-03.png?resize=300,204 300w\" sizes=\"auto, (max-width: 449px) 100vw, 449px\" \/><\/a><\/p>\n<p><em>Figure 3: Seeking the hex string that indicates the start of an NTFS sector<\/em><\/p>\n<p>The above hexadecimal string is the \u2018signature byte\u2019 of a NTFS partition, so this search will find any potential NTFS partitions that you can carve out. 
There will likely be many presented in a list, as shown in Figure 4.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-04.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-955212\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-04.png\" alt=\"Screen capture showing nine potential NTFS partitions that the search found\" width=\"640\" height=\"153\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-04.png 970w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-04.png?resize=300,72 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-04.png?resize=768,184 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: A fruitful search for potentially salvageable NTFS partitions<\/em><\/p>\n<p>When you select one of these results, you will be presented with the header of the NTFS partition in the hex viewer window, as shown in Figure 5.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-05.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-955213\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-05.png\" alt=\"Screen capture showing the NTFS header, which will be discussed below\" width=\"640\" height=\"264\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-05.png 978w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-05.png?resize=300,124 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-picture-05.png?resize=768,317 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 5: The header is shown above the selected NTFS partition<\/em><\/p>\n<p>The header contains the basic information you need for the bs, skip, and count values required in the dd command. 
Next, we\u2019ll explain how to calculate those three values. You\u2019ll want to do these in order.<\/p>\n<h4><strong>To calculate the bs (bytes per sector) value<\/strong><\/h4>\n<p>Working from the start of the NTFS partition you have selected, highlight the bytes at offsets 11 and 12, as shown in Figure 6. The value shown as Int16 in the data inspector is the value needed. In this example, the bs value is 512. (This value will almost always be 512. Almost.)<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-06.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-955208\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-06.png\" alt=\"Screen capture showing the Int16 value highlighted in Data Inspector\" width=\"640\" height=\"76\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-06.png 1047w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-06.png?resize=300,36 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-06.png?resize=768,92 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-06.png?resize=1024,122 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: The bytes for the bs value are highlighted, and the data inspector shows that the value is indeed 512<\/em><\/p>\n<h4><strong>To calculate the skip value<\/strong><\/h4>\n<p>Now that you have the bs value, calculate the skip value by dividing the header offset value by the bs value. The result is the sector number at which the NTFS partition starts.<\/p>\n<p>For instance, the header offset decimal value for the NTFS partition highlighted in Figure 7 is 00576716800. (So we\u2019re clear, the following screen captures are not from the same partition as the one in the screen captures shown above. 
As predicted above, though, you can see that the bs value for this NTFS partition &#8212; the bytes at offsets 11 and 12 &#8212; is once again 512.)<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-07.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-955209\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-07.png\" alt=\"Screen capture highlighting the base10 offset value to be divided by the bs value to get the skip value\" width=\"640\" height=\"76\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-07.png 997w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-07.png?resize=300,36 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-07.png?resize=768,92 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: The header offset value is shown in the green box<\/em><\/p>\n<p>To calculate the skip value, divide that offset by the bs value (that is, 512):<\/p>\n<p>576716800 \/ 512 = 1126400<\/p>\n<p>1126400 is the skip value.<\/p>\n<h4><strong>To calculate the count value<\/strong><\/h4>\n<p>Locate and highlight the eight bytes that start at the 41<sup>st<\/sup> byte from the start of the NTFS header. 
To find this value, go down two rows from the first (EB) byte of the header, go across to the 08 column, and highlight the following eight bytes, as shown in Figure 8.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-08.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-955210\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-08.png\" alt=\"Screen capture showing the Int64 count value\" width=\"624\" height=\"187\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-08.png 624w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-08.png?resize=300,90 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/p>\n<p><em>Figure 8: Finding the count value (highlighted)<\/em><\/p>\n<p>Highlight the next eight bytes, all the way to column 15, as shown (so, bytes 41-48). The value that is shown as Int64 in the data inspector is the count value \u2013 in the figure above, 1995745279. This value is in sectors, and the dd command needs it in sectors, so no conversion is needed \u2013 note the value and you\u2019re done.<\/p>\n<h4><strong>Which partition to choose?<\/strong><\/h4>\n<p>We said above that you should choose the largest available partition to carve out. The count value indicates how large the partition is. If the partition is only a few sectors in size, it is likely not worth carving out. To increase the chances of successfully carving out the C: drive, the best approach is to find the largest partition in the initial list of NTFS partitions and carve that one out.<\/p>\n<p>The largest partition should be approximately the same size as the overall VM file. However, the VM file size is shown in bytes, whereas the NTFS size is shown in total sectors. 
To compare them, you\u2019ll need to convert the partition\u2019s sector count into bytes.<\/p>\n<p>To do so, multiply the count value (the total sectors shown in the data inspector) by the bs value. So, using the numbers we found in the above examples:<\/p>\n<p>1995745279 x 512 = 1021821582848 bytes (951.64 GB)<\/p>\n<h4><strong>Ready, set\u2026<\/strong><\/h4>\n<p>You now have the three values you require to use the dd utility. Enter the needed values into the dd command, paste the finished command into the terminal if you followed our advice to do all this in a text editor, hit Enter, and dd will carve out the chosen NTFS partition.<\/p>\n<p>When completed, mount the new file that you just carved. You should then be able to recover what you need. If the drive does not mount, try 7-Zip (or other archiving tools), other mounting tools, or FTK.<\/p>\n<p>To recap, Figure 9 shows an annotated diagram of the NTFS header and where the values are located.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-09.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-955211\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-09.png\" alt=\"Screen capture showing all the parts of the NTFS header we just covered\" width=\"611\" height=\"252\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-09.png 611w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/vm-figure-09.png?resize=300,124 300w\" sizes=\"auto, (max-width: 611px) 100vw, 611px\" \/><\/a><\/p>\n<p><em>Figure 9: A colorful look at an NTFS header (count value is marked as \u201ctotal sectors in file system\u201d)<\/em><\/p>\n<h3><strong>Conclusion<\/strong><\/h3>\n<p>Once more, we caution the reader that results are not guaranteed; the best method of retrieving data encrypted in an attack is to pull a copy from a clean, unaffected backup. 
However, these methods may help the investigating team claw back data in situations where there\u2019s no other choice.<\/p>\n<p>When is it time to give up? Sadly, data cannot always be recovered fully, in part, or even at all. Expect results to vary, sometimes for no reason that can be determined. It\u2019s up to you, in consultation with the business stakeholder, to decide when to walk away from the process.<\/p>\n<h3><strong>Acknowledgements<\/strong><\/h3>\n<p>The authors wish to thank the creators of the software mentioned above. The editor wishes to thank Jonathan Espenschied for the Swiss-Army-knife-with-no-handle description of dd. Some information in this article was originally <a href=\"https:\/\/www.youtube.com\/watch?v=5c7I0klpwEY\">presented<\/a> as part of CyberUK in May 2024.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/05\/13\/extract-data-from-encrypted-vms\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/05\/shutterstock_1009079662-1.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Mon, 13 May 2024 08:30:24 +0000<\/strong><\/p>\n<p>For incident responders, a variety of techniques for information retrieval from locked-up 
VMs<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[31364,31365,10439,129,12657,25038,3765,24552,16771,14268],"class_list":["post-24489","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-data-extraction","tag-dfir","tag-encryption","tag-featured","tag-incident-response","tag-mdr","tag-ransomware","tag-security-operations","tag-threat-research","tag-virtual-machine"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24489"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24489\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
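The carving procedure the article walks through by hand (search for the NTFS signature bytes, read bs from offsets 11-12 and count from bytes 41-48, compute skip as offset / bs, keep the largest partition, assemble the dd command) as an added Python example. This is not code from the article or from Sophos; the image it scans is a constructed 16-sector sample built inline, not a real VM disk, and the only article values reused are the signature string and the count value 1995745279 from Figure 8.

```python
import struct
from dataclasses import dataclass

NTFS_SIG = bytes.fromhex("EB 52 90 4E 54 46 53 20 20 20 20")  # jump bytes + "NTFS    " OEM ID

@dataclass
class NtfsCandidate:
    offset: int            # byte offset of the boot sector inside the image
    bytes_per_sector: int  # the article's bs value: Int16 at offsets 11-12
    total_sectors: int     # the article's count value: Int64 at offsets 40-47 (bytes 41-48)
    @property
    def skip(self):        # header offset / bs: the sector at which the partition starts
        return self.offset // self.bytes_per_sector

    @property
    def size_bytes(self):  # count * bs, comparable with the size of the VM file
        return self.total_sectors * self.bytes_per_sector

    def dd_command(self, image, out):
        return (f"dd if={image} of={out} bs={self.bytes_per_sector} "
                f"skip={self.skip} count={self.total_sectors}")

def find_ntfs_candidates(data):
    """Every signature hit whose BPB fields look like a real, sector-aligned boot sector."""
    found, pos = [], data.find(NTFS_SIG)
    while pos != -1 and pos + 48 <= len(data):
        bs = struct.unpack_from("<H", data, pos + 11)[0]
        total = struct.unpack_from("<Q", data, pos + 40)[0]
        # dd counts skip in bs-sized blocks, so a hit that is not sector-aligned cannot be carved this way
        if bs in (512, 1024, 2048, 4096) and pos % bs == 0 and total > 0:
            found.append(NtfsCandidate(pos, bs, total))
        pos = data.find(NTFS_SIG, pos + 1)
    return found

def pick_largest(cands):
    """The article's rule: carve the largest partition, which is most likely the C: drive."""
    return max(cands, key=lambda c: c.size_bytes, default=None)

def build_sample_image():
    """Constructed 16-sector image holding two fake boot sectors (not a real VM)."""
    def boot_sector(total):
        sec = bytearray(512)
        sec[:len(NTFS_SIG)] = NTFS_SIG
        struct.pack_into("<H", sec, 11, 512)    # bs
        struct.pack_into("<Q", sec, 40, total)  # count
        return bytes(sec)
    img = bytearray(16 * 512)
    img[2 * 512:3 * 512] = boot_sector(16)          # tiny partition, not worth carving
    img[8 * 512:9 * 512] = boot_sector(1995745279)  # count value from the article's Figure 8
    return bytes(img)
```

Run it against a working copy of the encrypted image read into memory (or in chunks for large files); the largest candidate's size_bytes should be close to the VM file size before you trust the generated dd command.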