Digital forensic readiness framework for ransomware investigation

Abstract

Over the years there has been a significant increase in the exploitation of the security vulnerabilities of Windows operating systems, the most severe threat being malicious software (malware). Ransomware, a variant of malware which encrypts files and retains the decryption key for ransom, has recently proven to become a global digital epidemic. The current method of mitigation and propagation of malware and its variants, such as anti-viruses, have proven ineffective against most Ransomware attacks. Theoretically, Ransomware retains footprints of the attack process in the Windows Registry and the volatile memory of the infected machine. Digital Forensic Readiness (DFR) processes provide mechanisms for the pro-active collection of digital footprints. This study proposed the integration of DFR mechanisms as a process to mitigate Ransomware attacks. A detailed process model of the proposed DFR mechanism was evaluated in compliance with the ISO/IEC 27043 standard. The evaluation revealed that the proposed mechanism has the potential to harness system information prior to, and during a Ransomware attack. This information can then be used to potentially decrypt the encrypted machine. The implementation of the proposed mechanism can potentially be a major breakthrough in mitigating this global digital endemic that has plagued various organizations. Furthermore, the implementation of the DFR mechanism implies that useful decryption processes can be performed to prevent ransom payment.