Data Extraction from Encrypted Virtual Disks: Six Techniques - abtec Managed IT

Extracting Data from Encrypted Virtual Disks: Six Techniques

Essential methods for data recovery from encrypted virtual disks

This guide outlines various methods and tools available for extracting data from encrypted virtual disks. These methods can be particularly useful during incident-response situations where the entire virtual disk has been encrypted. They may enable investigators to recover data from the compromised system.

Extracting data from encrypted virtual disks can pay off in several ways: recovering customer data that is otherwise inaccessible, helping to rebuild compromised virtual infrastructure, and enriching the incident investigation timeline. These techniques have been successfully used in DFIR investigations involving ransomware groups like LockBit, Faust/Phobos, Rhysida, and Akira.

It is important to note that results are not guaranteed. No data-extraction method can ensure full recovery from an encrypted VM. While these techniques often have a high success rate for extracting valuable forensic data (like event logs and registry forensics), the success rate for recovering production data (like databases) is significantly lower.

We strongly advise performing recovery attempts on "working copies" rather than original disks to prevent further damage.

Situations for Retrieval and Factors to Consider

Before attempting data extraction, assess the following factors to determine which method to use:

  1. File Size: Larger virtual disks generally have higher recovery success rates. Most VMs have multiple partitions; a typical Windows VM has three: recovery, boot, and the user-visible C: partition. The first two usually contain little valuable data, and encryption often targets only the initial bytes of the virtual disk, leaving the C: partition, which holds the customer and forensic data, untouched. Smaller VMs have lower recovery chances but may still yield event logs or registry hives.
  2. Tools: Multiple methods and tools exist for tackling encryption, and some may perform better depending on the encryption type. It is worth trying several tools if initial attempts fail.
  3. Time: Consider the time available and the hardware at your disposal. Some methods, like manual carving, can be time-consuming and processor-intensive. These processes can slow down your device, potentially limiting its use for other tasks.
  4. Storage: Ensure adequate storage space is available. Manual carving and some file recovery tools require substantial space to recreate files.
  5. File Types and Priorities: If specific file types are needed, focus on tools designed to recover those files to save time and resources.
  6. Business Need: Evaluate whether recovering data from the encrypted VM is necessary based on the business’s needs and available backups.
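An added triage step, not part of the original article, that puts the first factor above on a measurable footing: it maps a working copy of the virtual disk chunk by chunk, flags high-entropy (probably encrypted) regions, and records where recoverable artifacts such as registry hives, EVTX logs or NTFS boot sectors begin, so you can see whether only the head of the disk was encrypted before committing time and storage. The embedded sample image, chunk size and entropy threshold are constructed assumptions.

```python
import math
import random
from collections import Counter

CHUNK = 4096            # triage granularity; a real run would use a larger chunk size
HIGH_ENTROPY = 7.5      # bits/byte; encrypted (and compressed) data sits close to 8.0
# Leading signatures of artifacts the recovery methods later in this guide target
MAGIC = {b"regf": "registry hive", b"ElfFile\x00": "EVTX event log",
         b"ElfChnk\x00": "EVTX chunk", b"\xEB\x52\x90NTFS": "NTFS boot sector"}

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_chunk(chunk):
    for sig, label in MAGIC.items():
        if chunk.startswith(sig):
            return label
    if not any(chunk):
        return "zeroed"
    # Compressed content (ZIP/OOXML, media) also scores high, so treat this as "probably
    # encrypted", not proof; the magic-byte hits above are the reliable positive signal.
    return "high-entropy" if shannon_entropy(chunk) >= HIGH_ENTROPY else "plaintext-like"

def triage(image, chunk=CHUNK):
    """Map the image chunk by chunk and summarise how much of it looks encrypted."""
    labels = [classify_chunk(image[o:o + chunk]) for o in range(0, len(image), chunk)]
    encrypted = sum(label == "high-entropy" for label in labels)
    return {"chunks": len(labels),
            "encrypted_fraction": encrypted / max(len(labels), 1),
            "head_encrypted": bool(labels) and labels[0] == "high-entropy",
            "artifacts": [(i * chunk, l) for i, l in enumerate(labels) if l in MAGIC.values()]}

def build_sample_image():
    """Constructed image: four encrypted-looking chunks, then a registry hive header
    followed by low-entropy text, then zeroed free space."""
    rng = random.Random(1)
    head = bytes(rng.getrandbits(8) for _ in range(4 * CHUNK))
    hive = (b"regf" + bytes(28) + b"C:\\Windows\\System32\\config\\SYSTEM").ljust(CHUNK, b"\x00")
    return head + hive + bytes(3 * CHUNK)

if __name__ == "__main__":
    print(triage(build_sample_image()))
```

On a real disk image, read it in chunk-sized pieces instead of loading it whole; a head that is the only high-entropy region is the pattern that makes Methods 2 through 6 worth attempting.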

Methods of Extraction

Here are six methods for extracting data from encrypted virtual disks, ordered by suggested priority from the quickest and simplest to the most laborious:

  1. Mount the Drive
    • Prerequisites: Windows OS with a native mounting tool, third-party mounting tools, imaging tools (FTK), and an archiving tool (7-Zip).
    • Applicability: Windows, Linux
    • Procedure: Always try to mount the drive first. Sometimes, files might not be encrypted but simply renamed. Tools like 7-Zip can help in this process. If successful, you can directly access and copy the needed files.
  2. RecuperaBit
    • Prerequisites: RecuperaBit from GitHub, Python, sufficient storage, sandboxed environment.
    • Applicability: Windows, Linux
    • Procedure: RecuperaBit automates the rebuilding of NTFS partitions. It re-creates the folder structure if an NTFS partition is found. This tool runs on any OS that supports Python 3.
  3. bulk_extractor
    • Prerequisites: bulk_extractor for Windows or Linux, Linux device/WSL, sandboxed environment.
    • Applicability: Windows, Linux
    • Procedure: bulk_extractor recovers system files and media files by scanning the disk. It can be configured for specific file types to speed up the analysis.
  4. EVTXtract
    • Prerequisites: EVTXtract from GitHub, Linux device/WSL.
    • Applicability: Windows
    • Procedure: EVTXtract searches for .evtx files in the encrypted VM and reconstructs them into their original XML format. This tool is specialized for recovering event log files.
  5. Scalpel, Foremost, and Other File-Recovery Tools
    • Prerequisites: Copies of Scalpel or Foremost, Linux device/WSL, sandboxed environment.
    • Applicability: Windows, Linux
    • Procedure: Scalpel and Foremost are older but reliable tools for recovering media and document files. They are useful for targeted recovery of specific file types.
  6. Manual Carving of the NTFS Partition
    • Prerequisites: Linux device/WSL, hex editor (HxD or xxd), necessary Windows tools, sufficient storage.
    • Applicability: Windows
    • Procedure: Manual carving involves analyzing the encrypted VM for NTFS partitions and using the `dd` utility to recreate them. This process is detailed and requires careful calculation of sector values.

Method Details

Method 1: Just Mount It

Prerequisites: Windows OS with the native Windows mounting tool, third-party mounting tools, imaging tools like FTK, and archiving tools like 7-Zip.

Applicability: Windows, Linux

Details: Even if a VM appears encrypted, it might not be. Sometimes, attackers simply change file extensions. Always try mounting the drive first. If successful, access and copy files directly.

Method 2: RecuperaBit

Prerequisites: RecuperaBit from GitHub, Python, sufficient storage, sandboxed environment.

Applicability: Windows, Linux

Details: RecuperaBit rebuilds NTFS partitions, re-creating the folder structure on the examination device. It is a Python script that works on any OS supporting Python 3. Results are generally seen within 20 minutes.

Method 3: bulk_extractor

Prerequisites: bulk_extractor for Windows or Linux, Linux device/WSL, sandboxed environment.

Applicability: Windows, Linux

Details: bulk_extractor, created by Simson Garfinkel, recovers system and media files by scanning the disk. It can be configured for specific file types, which can speed up the analysis.

Method 4: EVTXtract

Prerequisites: EVTXtract from GitHub, Linux device/WSL.

Applicability: Windows

Details: EVTXtract searches for .evtx files in the encrypted VM and reconstructs them into their original XML format. The tool is specialized for recovering event log files.

Method 5: Scalpel, Foremost, or Other File-Recovery Tools

Prerequisites: Copies of Scalpel or Foremost, Linux device/WSL, sandboxed environment.

Applicability: Windows, Linux

Details: Scalpel and Foremost are file recovery tools that recover media and document files. They are useful for targeted recovery of specific file types.

Method 6: Manual Carving of the NTFS Partition

Prerequisites: Linux device/WSL, hex editor (HxD or xxd), necessary Windows tools, sufficient storage.

Applicability: Windows

Details: Manual carving involves analyzing the encrypted VM for NTFS partitions and using the `dd` utility to recreate them. This method requires careful calculation of the `dd` parameters (bs, skip, count) from the partition's sector offset and size.
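As an added example (not from the article or from any of the tools it names), the script below automates the sector arithmetic behind Method 6 as summarised above and detailed here: it scans a working copy for NTFS boot sectors, reads bytes-per-sector and TotalSectors from the BIOS parameter block, verifies the backup boot sector at the volume's end, and prints the `dd` command (bs, skip, count) that carves the volume out. The file names and the embedded sample image are constructed assumptions.

```python
import random
import struct
SECTOR = 512            # scan granularity and the dd block size emitted below
NTFS_OEM = b"NTFS    "  # OEM ID at offset 3 of every NTFS boot sector

def parse_boot_sector(bs):
    """Return the BPB fields needed for carving, or None if this is not an NTFS boot sector."""
    if bs[3:11] != NTFS_OEM or bs[510:512] != b"\x55\xAA":
        return None
    bps, spc = struct.unpack_from("<HB", bs, 11)            # bytes/sector, sectors/cluster
    total_sectors, mft_cluster = struct.unpack_from("<QQ", bs, 40)
    if bps not in (512, 1024, 2048, 4096) or total_sectors == 0:
        return None  # signature-looking garbage inside encrypted regions
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total_sectors, "mft_cluster": mft_cluster}

def find_ntfs_volumes(image):
    """Scan sector boundaries for NTFS boot sectors and derive dd bs/skip/count for each.
    TotalSectors excludes the backup boot sector at the volume's end, so one is added when found."""
    found, backups = [], set()
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        info = None if off in backups else parse_boot_sector(image[off:off + SECTOR])
        if info is None:
            continue
        bps = info["bytes_per_sector"]
        backup_off = off + info["total_sectors"] * bps
        has_backup = image[backup_off:backup_off + bps] == image[off:off + bps]
        if has_backup:
            backups.add(backup_off)  # the copy must not be reported as a second volume
        count = (info["total_sectors"] + has_backup) * bps // SECTOR
        info.update(offset=off, backup_verified=has_backup,
                    dd=f"dd if=disk.img of=volume.ntfs bs={SECTOR} skip={off // SECTOR} count={count}")
        found.append(info)
    return found

def build_sample_image(part_start_sector=128, total_sectors=255):
    """Constructed image: random bytes stand in for the encrypted head of the virtual
    disk, followed by an intact NTFS volume that still has its backup boot sector."""
    rng = random.Random(7)
    head = bytes(rng.getrandbits(8) for _ in range(part_start_sector * SECTOR))
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11], boot[510:512] = b"\xEB\x52\x90", NTFS_OEM, b"\x55\xAA"
    struct.pack_into("<HB", boot, 11, 512, 8)                 # bytes/sector, sectors/cluster
    struct.pack_into("<QQQ", boot, 40, total_sectors, 4, 16)  # TotalSectors, $MFT, $MFTMirr
    data_area = bytes((total_sectors - 1) * SECTOR)           # zeroed for the sample
    return head + bytes(boot) + data_area + bytes(boot)       # backup boot sector comes last

if __name__ == "__main__":
    for vol in find_ntfs_volumes(build_sample_image()):
        print(vol["dd"], "| backup boot sector verified:", vol["backup_verified"])
```

If the primary boot sector was overwritten, the same signature scan still finds the backup copy at the end of the volume; its TotalSectors field then gives the volume start as `offset - total_sectors * bytes_per_sector`.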

Conclusion

While these methods offer various ways to recover data from encrypted virtual disks, success is not guaranteed. The best approach is often to restore from clean backups. However, these techniques provide potential solutions when no other options are available.

Deciding when to cease recovery attempts should be a collaborative decision with business stakeholders, based on the overall benefit and feasibility of the recovery process.
