Posts

Showing posts with the label Digital Forensics

What is RYUK RANSOMWARE?

First seen in 2018, Ryuk ransomware is probably one of the most dangerous ransomware families in circulation, targeting both the public and private sectors, and the healthcare sector in particular. It uses open-source malware to move through a system before deploying the ransomware. 'Ryuk' is named after the famous Japanese anime villain; the ransomware has been a serious threat to businesses and organizations. In 2018, large organizations began noticing that they were being specifically targeted by Wizard Spider (a hacking group), which disabled the computer systems of United Health Care, one of the largest healthcare providers in the world. Some of the most high-profile Ryuk hacks in 2018 included the Onslow Water and Sewer Authority (OWASA) in Florida and the Tribune Publishing Company. In the CrowdStrike 2020 Global Threat Report, Ryuk accounts for three of the top 10 largest ransom demands of the year: USD $5.3 million, $9.9 million, and $12.5 million. Ryuk has successfully attacked i...

Usefulness of Epoch in Digital Forensics Investigation (UNIX and MacOS perspective)

In a digital forensics investigation, the epoch plays an important role in event reconstruction. Hence, we try to provide detailed insight into the UNIX and MacOS epoch values. An epoch is a date and time that a computer uses as the reference for its clock and timestamp values. The epoch is sometimes also referred to as epoch time, POSIX time, or Unix time. In simple words, it is the reference point from which the operating system determines a computer's date and time by counting ticks (seconds, nanoseconds or picoseconds). Epoch-based timestamps persist in file metadata, system files, log files, and other metadata files. The value of the epoch varies from operating system (OS) to OS and from file system to file system. The epoch traditionally corresponds to 0 hours, 0 minutes, and 0 seconds Coordinated Universal Time (UTC) on a specific date, which varies from system to system, as the starting date o...

Manual File Recovery Approach for NTFS

Manual NTFS File Recovery Approach. What is a file system? A file system provides a mechanism for users to store data in a hierarchy of files and directories. A file system consists of structural and user data that are organized such that the computer knows where to find them [1]. How do files get recovered despite being permanently deleted? Operating systems keep track of where files are on a hard drive through a reference to the file that tells the OS where the file begins and ends. When we delete the data, only the reference is deleted, marking its space as available, instead of actually erasing the file. Why doesn't the computer just erase files when you delete them? Deleting a file's reference and marking its space as available is an extremely fast operation. In contrast, actually erasing a file by overwriting its data takes significantly longer. For example, if you're deleting a 10 GB file, that would be near-instantaneous. To actually erase the file's contents, it...