A robust intelligent readiness framework for ransomware forensics


Publisher

University of Pretoria

Abstract

Ransomware attacks have become a prominent and persistent threat in the modern digital ecosystem, targeting critical systems, disrupting business operations, and inflicting significant financial and reputational damage. As attackers develop increasingly sophisticated methods to evade detection, conventional forensic approaches struggle to keep pace. Key challenges include the inability of current digital forensic investigation techniques to efficiently identify and extract relevant digital artefacts, the presence of redundant and irrelevant data that hinders storage optimisation, and the lack of robust categorisation mechanisms for digital evidence. Furthermore, attackers often exploit weaknesses in forensic readiness, tampering with or erasing critical evidence to cover their tracks. This situation is intensified by the dynamic nature of ransomware, which continuously evolves to bypass static detection mechanisms; this adaptive and sophisticated nature has rendered many conventional detection and forensic approaches insufficient. This thesis introduces a robust Intelligent Ransomware Readiness Framework (IRRF), a proactive, intelligence-driven model designed to address the critical gaps in ransomware detection, analysis, and forensic readiness. The proposed framework leverages Artificial Intelligence (AI) to address these challenges, offering a novel, scalable and adaptive solution. The framework can identify key ransomware functions, even in cases of zero-day or previously unseen ransomware variants. In addition to ransomware detection and analysis, the IRRF emphasises secure evidence storage to support digital forensic readiness.
Recognising that attackers often attempt to alter or erase forensic artefacts, the proposed model incorporates robust security measures, including integrity checks, environment sandboxing, encryption, two-factor authentication, storage optimisation, lossless compression, and deduplication of data. These measures ensure proper handling of the chain of custody, preservation of evidence integrity, and safeguarding of sensitive data from unauthorised access or tampering. The machine learning detection models created in this research detected ransomware with 98.33% accuracy using an optimisable weighted algorithm, while providing meaningful insight into the execution capabilities of an executable. The secure storage mechanism developed in this research also eased storage constraints by reducing the storage required by approximately 38%, making it scalable and reducing costs. Furthermore, the framework was evaluated for compliance with the ISO/IEC 27043 international standard. The prototype was evaluated against the NIST Computer Forensic Tool Testing (CFTT) program and several software engineering techniques, such as static code analysis and vulnerability scanning. The IRRF also addresses the broader challenge of balancing forensic readiness with practical applicability. By adopting artificial intelligence as a foundational element, the framework ensures scalability and adaptability to the rapidly evolving tactics of ransomware attacks. By enhancing digital forensic readiness and securing critical digital evidence, this framework contributes to advancing the state of ransomware forensics, providing organisations and security practitioners with the tools necessary to fortify their defences, respond to incidents effectively, and secure their digital assets in an ever-evolving threat landscape.

Description

Thesis (PhD (Computer Science))--University of Pretoria, 2025.

Keywords

UCTD, Sustainable Development Goals (SDGs), Ransomware forensics, Ransomware detection, Machine learning, Digital forensic readiness

Sustainable Development Goals

SDG-16: Peace, justice and strong institutions
SDG-09: Industry, innovation and infrastructure
