A recent case involved a ransomware infection. The evidence was a desktop computer running Windows 7 64-bit, submitted by a high-tech company, which hoped the investigation could establish the critical point in time at which the infection occurred, the source and route of infection, the file name of the malicious program, and other related information.
Once the image of the evidence computer has been made, the investigation can begin. "Booting" the evidence image file with virtualization software (such as VFC3 or Live View) is not complicated: generate a snapshot from the evidence image file, then open it with virtual machine software such as VMware Workstation. The effect is as if the evidence computer itself were started up in front of you, and you can carry out dynamic analysis.
Some may ask, "Wouldn't that destroy the evidence???" In fact, any file deleted or any content modified during the analysis affects only the snapshot; the evidence image file itself is untouched. So if the snapshot becomes problematic, or if you want to repeat the analysis test, simply generate a new snapshot from the evidence image file again.
The first task is to master the timeline, which in this case depends heavily on "causality": the critical time of the infection lies before the point at which the files were encrypted. Based on the user's activity, the following findings were made.
The user was browsing pornographic websites with Internet Explorer and triggered the infection by clicking on an advertisement; the machine then connected to the back-end C&C host to download the main program, which was written to the Temp folder of the user's personal account. The file name was A.exe. Of course, the file name is not necessarily A.exe; that is just what it was in this case. It is not convenient to say which specific pornographic website was involved.
Perhaps you will ask, how can I be sure that A.exe is the ransomware??? Of course, this is a verified result. Forensic analysis is not a matter of saying whatever one wants; the truth can be verified scientifically. Below is the analysis platform on which I tested this malicious program, A.exe.
This Cerber can even talk. Once encryption is complete, a voice informs you that your files have been encrypted... In particular, it runs vssadmin to completely destroy the restore points (volume shadow copies), so that in the end it leaves you no chance at all...
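The two findings above, the causal ordering of the timeline and the destruction of restore points with vssadmin, can be checked mechanically once the artifacts are in one list. The following Python script is an added example, not part of the original post or the case: it builds a timeline from a few constructed artifact records (browser history, file creation, prefetch, process creation), then reports the dropper in the user's Temp folder, the last browser activity before it, the shadow-copy deletion and the first encrypted file. The records, paths, user name and the `vssadmin delete shadows` command line are assumed sample data, not taken from the case.

```python
import re
from datetime import datetime

# Constructed sample artifacts (timestamp, source, detail); not from the real case.
SAMPLE_RECORDS = [
    ("2016-05-10 13:50:00", "WebCache", "IE visit http://intranet.example/"),
    ("2016-05-10 14:03:55", "WebCache", "IE visit http://ad.example/click"),
    ("2016-05-10 14:04:02", "MFT", r"created C:\Users\bob\AppData\Local\Temp\A.exe"),
    ("2016-05-10 14:04:03", "Prefetch", r"executed C:\Users\bob\AppData\Local\Temp\A.exe"),
    ("2016-05-10 14:04:09", "Security 4688", "process vssadmin.exe delete shadows /all /quiet"),
    ("2016-05-10 14:04:30", "MFT", r"created C:\Users\bob\Documents\report.docx.cerber"),
]

# Executable dropped in the user's Temp folder (the page's A.exe location).
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# Shadow-copy destruction as described on the page; exact arguments are an assumption.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Constructed extension for encrypted files.
ENCRYPTED = re.compile(r"\.cerber$", re.IGNORECASE)

def build_timeline(records):
    """Merge raw artifacts into one chronologically sorted timeline."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, detail)
                  for ts, src, detail in records)

def find_infection_chain(records):
    """Return the key points of the infection chain, or None if no dropper is found."""
    timeline = build_timeline(records)
    dropper = shadow = first_enc = None
    for ts, src, detail in timeline:
        if dropper is None and detail.startswith("created") and TEMP_EXE.search(detail):
            dropper = (ts, detail.split(" ", 1)[1])      # first exe written to Temp
        elif dropper and shadow is None and SHADOW_DELETE.search(detail):
            shadow = ts                                   # restore points destroyed
        elif dropper and first_enc is None and ENCRYPTED.search(detail):
            first_enc = ts                                # encryption has started
    if dropper is None:
        return None
    # Last browser activity before the dropper appeared is the candidate infection vector.
    prior_web = [d for ts, src, d in timeline if src == "WebCache" and ts < dropper[0]]
    return {
        "dropper": dropper[1],
        "dropper_time": dropper[0],
        "vector": prior_web[-1] if prior_web else None,
        "shadow_copies_deleted": shadow,
        "first_encrypted_file": first_enc,
    }

if __name__ == "__main__":
    for key, value in find_infection_chain(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

The same pattern (browser activity, executable in Temp, vssadmin, encrypted files) is what the timeline in this case had to establish, with the dropper time as the critical point.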
Cerber, the ransomware that can "speak"