An Empirical Investigation of Ransomware Encryption Techniques and Forensic Evidence Availability
Tjielke Nabuurs, Cristoffer Leite, Indika Kumara, Roya Nasiri, Matthijs Vos, and Justin Hende
Cryptographic ransomware remains one of the most damaging cyber threats. While research on ransomware has advanced, detailed knowledge of encryption tactics and their implications for digital forensics remains fragmented. As a result, the practical applicability of existing methods is limited.
This work addresses these gaps through an empirical investigation of prevalent ransomware encryption techniques and their impact on forensic evidence availability. Prevalent encryption techniques were first identified through a systematic literature review that maps ransomware encryption configurations and anti-forensic strategies. Realistic experimental scenarios were then created by simulating OS- and hypervisor-level encryption on disk images, followed by artifact carving and parsing to evaluate evidence availability.
The literature review yields an overview of contemporary ransomware encryption practices and reveals clear distinctions between OS- and hypervisor-level encryption in terms of complexity, configuration, and forensic impact. Empirical testing shows that OS-level encryption typically leaves most artifacts intact, except where targeted anti-forensics are applied. Hypervisor-level encryption, by contrast, significantly reduces access to critical sources such as Windows event logs.
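The following added example is not part of the paper and does not reproduce its tooling or data. It is a self-contained, constructed model of the two encryption scopes described above and of the signature-carving step used to measure evidence availability: a toy raw disk image is assembled from a few constructed files, "OS-level" ransomware encrypts only files selected by extension inside the guest (optionally with a targeted log-wiping step), "hypervisor-level" ransomware encrypts the whole virtual disk as one blob, and a naive carver then checks whether the real on-disk magic values of Windows event logs (`ElfFile\0`) and registry hives (`regf`) can still be located. The SHA-256 counter-mode keystream is a stand-in for the cipher a real family would use, and the file names, key and payloads are assumptions chosen for illustration.

```python
"""Constructed model: how ransomware encryption scope changes what a
signature carver can still recover from a disk image. Not the paper's code."""
import hashlib
from typing import Dict, List, Tuple

# Real on-disk magic values of two artifact types forensic carvers search for:
# Windows event logs (.evtx) and registry hives.
SIGNATURES: Dict[str, bytes] = {
    "evtx": b"ElfFile\x00",
    "registry_hive": b"regf",
}

Layout = List[Tuple[str, int, int]]  # (file name, offset in image, length)


def keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Stand-in for the cipher a real ransomware family would use; the only
    property that matters here is that ciphertext carries no plaintext magic.
    """
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def build_image() -> Tuple[bytes, Layout]:
    """Assemble a toy raw disk image from a few constructed files (assumed content)."""
    files = [
        ("System.evtx", SIGNATURES["evtx"] + b"\x00" * 120 + b"<Event>logon 4624</Event>"),
        ("SYSTEM", SIGNATURES["registry_hive"] + b"\x00" * 60 + b"ControlSet001"),
        ("report.docx", b"PK\x03\x04" + b"quarterly figures " * 8),
        ("notes.txt", b"plain text notes, selected by extension"),
    ]
    image = bytearray()
    layout: Layout = []
    for name, payload in files:
        layout.append((name, len(image), len(payload)))
        image += payload
        image += b"\x00" * (64 - len(image) % 64)  # pad to 64-byte "sectors"
    return bytes(image), layout


def os_level_encrypt(image: bytes, layout: Layout, key: bytes,
                     targets=(".docx", ".txt"), wipe_evtx: bool = False) -> bytes:
    """Model OS-level ransomware: encrypt files by extension from inside the
    guest, leaving system artifacts untouched unless an anti-forensic step
    (here: zeroing event logs) is added."""
    img = bytearray(image)
    for idx, (name, off, length) in enumerate(layout):
        if name.endswith(targets):
            img[off:off + length] = keystream_xor(
                img[off:off + length], key, idx.to_bytes(4, "big"))
        elif wipe_evtx and name.endswith(".evtx"):
            img[off:off + length] = b"\x00" * length  # targeted log wiping
    return bytes(img)


def hypervisor_level_encrypt(image: bytes, key: bytes) -> bytes:
    """Model hypervisor-level ransomware: the virtual disk is one opaque file
    to the attacker, so every byte inside it is encrypted, logs included."""
    return keystream_xor(image, key, b"vdisk")


def carve(image: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> Dict[str, List[int]]:
    """Naive signature carving: report every offset where a magic value occurs."""
    hits: Dict[str, List[int]] = {name: [] for name in signatures}
    for name, magic in signatures.items():
        pos = image.find(magic)
        while pos != -1:
            hits[name].append(pos)
            pos = image.find(magic, pos + 1)
    return hits


def evidence_available(image: bytes) -> Dict[str, bool]:
    """Which artifact types a carver could still locate in the image."""
    return {name: bool(offsets) for name, offsets in carve(image).items()}


if __name__ == "__main__":
    key = b"constructed-demo-key"
    image, layout = build_image()
    scenarios = [
        ("clean", image),
        ("os-level", os_level_encrypt(image, layout, key)),
        ("os-level + log wipe", os_level_encrypt(image, layout, key, wipe_evtx=True)),
        ("hypervisor-level", hypervisor_level_encrypt(image, key)),
    ]
    for label, img in scenarios:
        print(f"{label:22} {evidence_available(img)}")
```

The clean and plain OS-level images both carve successfully, the OS-level run with log wiping loses the event log while the hive survives, and the hypervisor-level image yields nothing, which is the pattern the experiments above describe. On a real image the carver would also have to handle fragmentation, slack space and filesystem metadata, and the OS-level result depends on which extensions the family targets, which is why per-family configuration mapping matters.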
The findings of this research enhance the field of digital forensics by providing an overview of ransomware encryption practices and revealing their differing impacts on forensic evidence availability.