Essential methods for data recovery from encrypted virtual disks
This guide outlines various methods and tools available for extracting data from encrypted virtual disks. These methods can be particularly useful during incident-response situations where the entire virtual disk has been encrypted. They may enable investigators to recover data from the compromised system.
Efforts to extract data from encrypted virtual disks can result in positive outcomes, such as recovering customer data that is otherwise inaccessible, helping to rebuild compromised virtual infrastructure, and enriching an incident investigation timeline. These techniques have been successfully used in DFIR investigations involving ransomware groups like LockBit, Faust/Phobos, Rhysida, and Akira.
It is important to note that results are not guaranteed. No data-extraction method can ensure full recovery from an encrypted VM. While these techniques often have a high success rate for extracting valuable forensic artifacts (such as event logs and registry hives), the success rate for recovering production data (such as databases) is significantly lower.
We strongly advise performing recovery attempts on "working copies" rather than original disks to prevent further damage.
Before attempting data extraction, assess the following factors to determine which method to use:
Here are six methods for extracting data from encrypted virtual disks. The order is suggested based on efficiency and simplicity:
Method 1: Mount the disk directly
Prerequisites: Windows OS with the native Windows mounting tool, third-party mounting tools, imaging tools like FTK, and archiving tools like 7-Zip.
Applicability: Windows, Linux
Details: Even if a VM appears encrypted, it might not be. Sometimes, attackers simply change file extensions. Always try mounting the drive first. If successful, access and copy files directly.
Method 2: Rebuild NTFS partitions with RecuperaBit
Prerequisites: RecuperaBit from GitHub, Python, sufficient storage, sandboxed environment.
Applicability: Windows, Linux
Details: RecuperaBit rebuilds NTFS partitions, re-creating the folder structure on the examination device. It is a Python script that works on any OS supporting Python 3. Results are generally seen within 20 minutes.
Method 3: Scan the disk with bulk_extractor
Prerequisites: bulk_extractor for Windows or Linux, Linux device/WSL, sandboxed environment.
Applicability: Windows, Linux
Details: bulk_extractor, created by Simson Garfinkel, recovers system and media files by scanning the disk. It can be configured for specific file types, which can speed up the analysis.
Method 4: Recover event logs with EVTXtract
Prerequisites: EVTXtract from GitHub, Linux device/WSL.
Applicability: Windows
Details: EVTXtract searches for .evtx files in the encrypted VM and reconstructs them into their original XML format. The tool is specialized for recovering event log files.
Method 5: Carve files with Scalpel or Foremost
Prerequisites: Copies of Scalpel or Foremost, Linux device/WSL, sandboxed environment.
Applicability: Windows, Linux
Details: Scalpel and Foremost are file recovery tools that recover media and document files. They are useful for targeted recovery of specific file types.
Method 6: Manual partition carving with dd
Prerequisites: Linux device/WSL, hex editor (HxD or xxd), necessary Windows tools, sufficient storage.
Applicability: Windows
Details: Manual carving involves analyzing the encrypted VM for NTFS partitions (typically by locating NTFS boot sectors in a hex editor) and using the `dd` utility to copy them out as separate partition images. This method requires careful calculation of the `dd` sector values (bs, skip, count) from the boot sector fields.
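As an added example, not part of the original guide, the following Python script automates the sector arithmetic behind manual carving: it scans a raw image (assumed already exported from the hypervisor as a flat file) for NTFS boot sectors, reads the bytes-per-sector and total-sectors fields, and derives the `dd` skip/count values. It goes one step beyond the text by also treating each hit as the backup boot sector NTFS keeps in a volume's last sector, which is often the only copy left when the start of a disk has been overwritten. The sample image is constructed inline.

```python
import struct

SECTOR = 512  # scan granularity; NTFS boot sectors are sector-aligned


def make_ntfs_boot_sector(total_sectors, bps=512, spc=8):
    """Minimal NTFS boot sector (constructed test data, not taken from a real disk)."""
    sec = bytearray(SECTOR)
    sec[0:3], sec[3:11] = b"\xeb\x52\x90", b"NTFS    "  # jump + OEM ID
    struct.pack_into("<H", sec, 11, bps)                 # bytes per sector
    sec[13] = spc                                        # sectors per cluster
    struct.pack_into("<Q", sec, 40, total_sectors)       # volume sectors, excluding the backup boot sector
    sec[510:512] = b"\x55\xaa"                           # boot signature
    return bytes(sec)


def carve_candidates(image):
    """Scan a raw image for NTFS boot sectors; return dd parameters (512-byte units) per hit.
    Each hit is reported both as a primary boot sector (volume starts here) and as the backup
    copy NTFS keeps in the volume's last sector (volume starts total_sectors earlier)."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sec = image[off:off + SECTOR]
        if sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
            continue
        bps = struct.unpack_from("<H", sec, 11)[0]
        total = struct.unpack_from("<Q", sec, 40)[0]
        if bps not in (512, 1024, 2048, 4096) or total == 0:
            continue                     # signature present but fields implausible
        units = bps // SECTOR            # 512-byte sectors per logical sector
        count = (total + 1) * units      # whole volume plus its backup boot sector
        backup_start = off // SECTOR - total * units
        hits.append({"offset": off, "bs": SECTOR, "count": count,
                     "skip_if_primary": off // SECTOR,
                     "skip_if_backup": backup_start if backup_start >= 0 else None})
    return hits


def dd_command(src, dst, skip, count, bs=SECTOR):
    """Render the dd invocation that copies one candidate volume out of the image."""
    return f"dd if={src} of={dst} bs={bs} skip={skip} count={count}"


def build_sample_image():
    # Constructed 32 KiB image: one NTFS volume occupying sectors 8..39.
    img = bytearray(64 * SECTOR)
    boot = make_ntfs_boot_sector(total_sectors=31)
    img[8 * SECTOR:9 * SECTOR] = boot       # primary boot sector at sector 8
    img[39 * SECTOR:40 * SECTOR] = boot     # backup boot sector at the last sector (8 + 31)
    return bytes(img)
```

Run `carve_candidates` over the working copy, then feed the chosen skip/count into `dd_command`; a hit whose primary interpretation runs past the end of the image is usually a backup boot sector, and its `skip_if_backup` value is the one to use.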
While these methods offer various ways to recover data from encrypted virtual disks, success is not guaranteed. The best approach is often to restore from clean backups. However, these techniques provide potential solutions when no other options are available.
Deciding when to cease recovery attempts should be a collaborative decision with business stakeholders, based on the overall benefit and feasibility of the recovery process.