Digital Forensic Readiness Framework for Ransomware Investigation

  • Avinash SinghEmail author
  • Adeyemi R. Ikuesan
  • Hein S. Venter
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 259)


Over the years there has been a significant increase in the exploitation of the security vulnerabilities of Windows operating systems, the most severe threat being malicious software (malware). Ransomware, a variant of malware which encrypts files and retains the decryption key for ransom, has recently proven to become a global digital epidemic. The current method of mitigation and propagation of malware and its variants, such as anti-viruses, have proven ineffective against most Ransomware attacks. Theoretically, Ransomware retains footprints of the attack process in the Windows Registry and the volatile memory of the infected machine. Digital Forensic Readiness (DFR) processes provide mechanisms for the pro-active collection of digital footprints. This study proposed the integration of DFR mechanisms as a process to mitigate Ransomware attacks. A detailed process model of the proposed DFR mechanism was evaluated in compliance with the ISO/IEC 27043 standard. The evaluation revealed that the proposed mechanism has the potential to harness system information prior to, and during a Ransomware attack. This information can then be used to potentially decrypt the encrypted machine. The implementation of the proposed mechanism can potentially be a major breakthrough in mitigating this global digital endemic that has plagued various organizations. Furthermore, the implementation of the DFR mechanism implies that useful decryption processes can be performed to prevent ransom payment.


Windows forensics Digital forensic readiness Ransomware forensics Memory Registry Investigation 


  1. 1.
    Logen, S., Höfken, H., Schuba, M.: Simplifying RAM forensics: a GUI and extensions for the volatility framework. In: Proceedings of the 2012 7th International Conference on Availability, Reliability and Security, ARES 2012, pp. 620–624 (2012)Google Scholar
  2. 2.
    Hargreaves, C., Chivers, H.: Recovery of encryption keys from memory using a linear scan. In: Proceedings of the 3rd International Conference on Availability, Reliability and Security, ARES 2008, pp. 1369–1376, March 2008Google Scholar
  3. 3.
    Vaughan-Nichols, S.J.: Today’s most popular operating systems (2017). Accessed 12 Apr 2018
  4. 4.
    Statista, Global market share held by the leading mobile operating systems from 2010 to 2015 (2015). Accessed 12 Apr 2018
  5. 5.
    Kaspersky, Overall Statistics for 2017, Kaspersky (2017). Accessed 4 Apr 2018
  6. 6.
    Tailor, J.P., Patel, A.D.: A comprehensive survey: ransomware attacks prevention, monitoring and damage control. Int. J. Res. Sci. Innov. 4, 2321–2705 (2017)Google Scholar
  7. 7.
    Bromium Labs, Understanding Crypto-Ransomware, p. 35 (2015).
  8. 8.
    Matt Mansfield, Cyber Security Statistics (2017). Accessed 23 Apr 2018
  9. 9.
    United States Government, How to Protecting Your Networks from Ransomware (2016). Accessed 26 Apr 2018
  10. 10.
    Damshenas, M., Dehghantanha, A., Mahmoud, R.: A survey on malware propagation, analysis and detection. Int. J. Cyber-Security Digit. Forensics 2(4), 10–29 (2013)Google Scholar
  11. 11.
    Gandotra, E., Bansal, D., Sofat, S.: Malware threat assessment using fuzzy logic paradigm. Cybern. Syst. 48(1), 29–48 (2017)CrossRefGoogle Scholar
  12. 12.
    O’Brien, D.: Internet Security Threat Report - Ransomware 2017. In: Symantec, p. 35 (2017)Google Scholar
  13. 13.
    Savage, K., Coogan, P., Lau, H.: Information resources. Res. Manag. 54(5), 59–63 (2011)Google Scholar
  14. 14.
    Stone-Gross, B., Cova, M., Gilbert, B., Kemmerer, R., Kruegel, C., Vigna, G.: Analysis of a Botnet takeover. IEEE Secur. Priv. 9(1), 64–72 (2011)CrossRefGoogle Scholar
  15. 15.
    United States Government, How to Protecting Your Networks from Ransomware, pp. 2–8 (2016)Google Scholar
  16. 16.
    Rad, B., Masrom, M., Ibrahim, S.: Camouflage in malware: from encryption to metamorphism. Int. J. Comput. Sci. Netw. Secur. 12(8), 74–83 (2012)Google Scholar
  17. 17.
    Campbell, S., Chan, S., Lee, J.R.: Detection of fast flux service networks. Conf. Res. Pract. Inf. Technol. Ser. 116, 57–66 (2011)Google Scholar
  18. 18.
    Spafford, E.H.: The internet worm incident. In: Ghezzi, C., McDermid, J.A. (eds.) ESEC 1989. LNCS, vol. 387, pp. 446–468. Springer, Heidelberg (1989). Scholar
  19. 19.
    Okane, P., Sezer, S., McLaughlin, K.: Obfuscation: the hidden malware. IEEE Secur. Priv. 9(5), 41–47 (2011)CrossRefGoogle Scholar
  20. 20.
    Symantec, 2017 Internet Security Threat Report, Istr (2017). Accessed 27 Apr 2018
  21. 21.
    Ehrenfeld, J.M.: WannaCry, cybersecurity and health information technology: a time to act. J. Med. Syst. 41(7), 104 (2017)CrossRefGoogle Scholar
  22. 22.
    Kotov, V., Rajpal, M.S.: Understanding Crypto-Ransomware, p. 35 (2015).
  23. 23.
    Sophos, Stopping Fake Antivirus: How to Keep Scareware Off Your Network (2011)Google Scholar
  24. 24.
    Ikuesan, A.R., Venter, H.S.: Digital forensic readiness framework based on behavioral-biometrics for user attribution, vol. 1, pp. 54–59 (2017)Google Scholar
  25. 25.
    ISO 27043, International Standard ISO/IEC 27043: Information technology — Security techniques — Incident investigation principles and processes, vol. 2015 (2015)Google Scholar
  26. 26.
    Kaplan, B.: RAM is key: extracting disk encryption keys from volatile memory, p. 20 (2007)Google Scholar
  27. 27.
    Basu, A., Gandhi, J., Chang, J., Hill, M.D., Swift, M.M.: Efficient virtual memory for big memory servers. In: Proceedings of the 40th Annual International Symposium on Computer Architecture, ISCA 2013, pp. 237–248 (2013)Google Scholar
  28. 28.
    Pomeranz, H.: Detecting malware with memory forensics why memory forensics? Everything in the OS traverses RAM, pp. 1–27 (2012)Google Scholar
  29. 29.
    Olajide, F., Savage, N.: On the extraction of forensically relevant information from physical memory. In: IEEE World Congress on Internet Security, pp. 248–252 (2011)Google Scholar
  30. 30.
    Maartmann-Moe, C., Thorkildsen, S.E., Årnes, A.: The persistence of memory: forensic identification and extraction of cryptographic keys. Digit. Investig. 6, 132–140 (2009)CrossRefGoogle Scholar
  31. 31.
    Adomavicius, G., Tuzhilin, A.: Context-aware recommender systems. In: Recommender Systems Handbook, 2nd edn., pp. 191–226 (2015)CrossRefGoogle Scholar
  32. 32.
    Hausknecht, K., Foit, D., Burić, J.: RAM data significance in digital forensics. In: 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO 2015, pp. 1372–1375, May 2015Google Scholar
  33. 33.
    Patil, D.N., Meshram, B.B.: Extraction of forensic evidences from windows volatile memory. In: 2017 2nd International Conference for Convergence in Technology (I2CT), pp. 421–425 (2017)Google Scholar
  34. 34.
    Alghafli, K., Jones, A., Martin, T.: Forensic analysis of the Windows 7 registry. J. Digit. Forensics Secur. Law 5(4), 5–30 (2010)Google Scholar
  35. 35.
    Lallie, H.S., Briggs, P.J.: Windows 7 registry forensic evidence created by three popular BitTorrent clients. Digit. Investig. 7(3–4), 127–134 (2011)CrossRefGoogle Scholar
  36. 36.
    Reddy, K., Venter, H.S.: The architecture of a digital forensic readiness management system. Comput. Secur. 32, 73–89 (2013)CrossRefGoogle Scholar
  37. 37.
    Mohlala, M., Adeyemi, I.R., Venter, H.S.: User attribution based on keystroke dynamics in digital forensic readiness process. In: IEEE Conference on Applications, Information and Network Security (AINS), pp. 124–129 (2017)Google Scholar
  38. 38.
    Valjarevic, A., Venter, H.S.: Towards a digital forensic readiness framework for public key infrastructure systems. In: 2011 Information Security South Africa, pp. 1–10 (2011)Google Scholar
  39. 39.
    Kebande, V.R., Venter, H.S.: On digital forensic readiness in the cloud using a distributed agent-based solution: issues and challenges. Aust. J. Forensic Sci. 50(2), 209–238 (2018)CrossRefGoogle Scholar
  40. 40.
    Kebande, V.R., Karie, N.M., Venter, H.S.: Adding digital forensic readiness as a security component to the IoT domain. Int. J. Adv. Sci. Eng. Inf. Technol. 8(1), 1 (2018)CrossRefGoogle Scholar
  41. 41.
    Dolan-Gavitt, B.: Forensic analysis of the Windows registry in memory. Digit. Investig. 5, 26–32 (2008)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  1. 1.University of PretoriaHatfieldSouth Africa

Personalised recommendations