Departamento de Ingeniería del Software e Inteligencia Artificial, Grupo de Análisis, Seguridad y Sistemas, Facultad de Informática, Universidad Complutense de Madrid, Madrid, Spain
Ana Lucila Sandoval Orozco
Departamento de Ingeniería del Software e Inteligencia Artificial, Grupo de Análisis, Seguridad y Sistemas, Facultad de Informática, Universidad Complutense de Madrid, Madrid, Spain
Antonio Lopez Vivar
Departamento de Ingeniería del Software e Inteligencia Artificial, Grupo de Análisis, Seguridad y Sistemas, Facultad de Informática, Universidad Complutense de Madrid, Madrid, Spain
Esteban Alejandro Armas Vega
Departamento de Ingeniería del Software e Inteligencia Artificial, Grupo de Análisis, Seguridad y Sistemas, Facultad de Informática, Universidad Complutense de Madrid, Madrid, Spain
Ransomware attacks reported to the authorities face a practical obstacle: local police units often lack the technical means to gather evidence and carry out a proper forensic analysis. This paper proposes a forensic analysis tool that acts during the final stage of the ransomware infection cycle and gives the forensic analyst a quick and easy way to acquire valuable information, facilitating the subsequent classification of the ransomware. The proposed tool captures the pop-up window displayed by the ransomware and applies optical character recognition to extract the ransom message together with the payment address and amount. In addition, it collects the files generated by the ransomware and dumps the system's virtual memory for later analysis by the forensic technician. To evaluate the accuracy of the tool, experiments were conducted with different ransomware samples on a real computer, under a controlled environment.