Chapter 12 — Exercises

A mix of concept checks, hands-on labs (image and verify a hash, scope a blast radius, recover from this image, build the intrusion timeline, write the client memo), and judgment calls — because ransomware response is far more decision-discipline than keystroke. (answer in Appendix) = worked solution in Answers. ⭐ = stretch. Where a lab references a practice image, see Appendix J — Practice Images and Lab Setup. Run every command in this chapter against a copy or a forensic image, never a live original or a system you are not authorized to touch — the preserve-before-you-recover rule that governs the chapter governs your practice bench too.


Group A — The cryptography you cannot beat

12.1 Draw the hybrid AES/RSA encryption scheme from the attacker's RSA master key pair down to a single encrypted file on the victim's disk. Label, for each file: K_file, C, K_enc, PUB_master, and PRIV_master. State (a) which key is shipped inside the malware, (b) which key never leaves the attacker, (c) which key exists on the victim machine for only milliseconds and then is destroyed, and (d) why the malware can encrypt an air-gapped machine with no network connection. Finish with the one sentence that explains why "recovery never comes from beating the math." (answer in Appendix)

12.2 A data-recovery vendor's website promises to "crack military-grade ransomware encryption with our proprietary GPU cluster." A panicked client forwards you the ad and asks if they should pay the vendor's $9,000 fee. Explain, in language the client will understand, why correctly-implemented AES-256 and RSA-2048 are not "hard" but computationally infeasible to brute-force, and why the offer is a fantasy. Then name the three legitimate routes by which free or paid recovery actually does happen — none of which is breaking the cipher.

12.3 ⭐ Most ransomware leaves the machine bootable; a few (Petya) attack the file-system structure instead. (a) Explain the coldly commercial reason a family chooses per-file encryption of user data over bricking the whole disk. (b) Describe precisely what Petya encrypted and replaced, and why hitting one small structure renders the volume unmountable as effectively as encrypting every file. (c) A junior tech sees that a hit machine still boots into Windows and tells the client "good news, it's mostly fine." Correct them in two sentences, naming exactly which part of the system is intact and why that is the least useful part.

12.4 The single most important recovery variable in this chapter is behavioral, not cryptographic. Define copy-encrypt-delete and in-place overwrite, and state which one leaves you a recovery opening and why (tie it to theme one). Then explain the brutal asymmetry Chapter 9 injects: why the same copy-encrypt-delete behavior on the same data yields thousands of carved files on a hard drive and almost nothing on a TRIM-enabled SSD. (answer in Appendix)


Group B — The first hour: triage before you touch anything

12.5 The office manager of a hit business calls you in a panic and asks "what do I do right now?" Write the ordered first-hour checklist you give them over the phone — six actions — and for each, name the wrong instinct it is replacing (reboot, scan-and-remove, open a file, pay before the timer runs out, delete the encrypted files, wait quietly). Be specific about the one action that is the most counterintuitive and most often gotten wrong. (answer in Appendix)

12.6 "Isolate, but do not power off (yet)" is the chapter's sharpest first-hour rule. (a) Explain what isolate means concretely (name three ways to do it) and what threat it stops. (b) Name the two distinct categories of evidence that a hasty power-off destroys, and explain why one of them — the keys — can occasionally make the difference between free decryption and no decryption at all. (c) Reconcile the apparent contradiction: if isolation is so urgent, why is powering off — which also isolates — the wrong move?

12.7(Judgment.) A 40-person architecture firm is hit. The owner wants to call, in some order: their cyber-insurance carrier, an incident-response firm, their own IT contractor, and the FBI. (a) Put these calls in the order you would advise and justify the ordering. (b) Explain the specific way that calling the insurer late — or letting the IT contractor start wiping and rebuilding before the insurer is looped in — can void coverage. (c) For which kinds of organizations is a law-enforcement report effectively mandatory rather than optional, and why does reporting also help later if the firm ever contemplates paying (tie to OFAC mitigating factors)?

12.8 (Hands-on — scope the blast radius.) You have mounted a copy of a hit file share at /mnt/copy. Run an entropy/signature triage scan (the ransomware_triage.py pattern from the chapter, or the maintained version in Appendix B). The scan reports 18,442/18,907 files flagged as encrypted (97.5%), with the ransom note sitting at entropy 1.20 and a firm-logo.png at 4.31 with a valid header. (a) Interpret each of those three numbers for the client in one sentence. (b) Explain why the magic-number check exists and what it specifically prevents the scan from doing to a folder full of ZIP archives and JPEGs. (c) Name two ways this entropy screen can mislead you, and state the rule that prevents you from ever reporting "all files lost" from an entropy scan alone.


Group C — Preserve before you destroy

12.9 (Calculate and verify a hash.) On a still-running, network-isolated infected server, write the exact command sequence to (a) capture volatile memory first, then (b) acquire a forensic disk image of /dev/sdb to /evidence/acct-server.dd while computing the SHA-256 inline during acquisition, and (c) independently verify that the image matches what the imaging tool recorded. Use dcfldd with hash=sha256, a 4 MB block size, and conv=noerror,sync. State, in one sentence, what it proves when sha256sum /evidence/acct-server.dd equals the value in the hash log — and what it would mean if they did not match. (answer in Appendix)

12.10 State the order of volatility as it applies to a live, infected, isolated machine, and write the three-step preservation sequence (memory, document/collect, then disk). Explain the special ransomware payoff of capturing RAM first: name three things a memory image of a still-running infected host can contain, including the one — recoverable from certain flawed families — that can hand you a free decryption. Why does this single fact justify the entire "isolate but do not power off" rule?

12.11(Build the timeline from artifacts.) Theme three says every action leaves a trace. For each of the following Windows artifacts, state what it tells you in a ransomware case and which moment of the intrusion it pins down: (a) Event ID 4688 showing vssadmin.exe delete shadows /all /quiet; (b) a burst of Event ID 4625 failures followed by a single Event ID 4624 with Logon Type: 10; (c) Event ID 1102; (d) a VSSADMIN.EXE-XXXXXXXX.pf Prefetch entry. Then explain why the timestamp of the vssadmin delete shadows command is, to a close approximation, the detonation time of the attack. Cross-reference the chapter that owns timeline construction and the one that owns these Windows artifacts.

12.12 (Recovery vs. Forensics.) The encrypted disk is the chapter's signature dual-purpose artifact. Describe what the same encrypted drive is to a 💾 Recovery technician versus to a 🔍 Forensic examiner and 🛡️ incident responder. Then explain the non-negotiable reconciliation that lets one acquisition serve both disciplines, and give one concrete example of what a recovery-only "just carve back the photos" approach would destroy that the firm's lawyers, insurer, and regulators will later demand.


Group D — The five recovery options, in order

12.13 List the five recovery options in the exact order a professional works them, from most reliable to last resort, with a one-sentence reliability note on each. Then explain why "skipping straight to should we pay?" is the mark of someone who does not understand the earlier options. (answer in Appendix)

12.14 Option 1 (restore from backup) is "the only reliable solution," yet it fails constantly in practice. List the four non-obvious caveats that separate professionals from amateurs here, and for each explain the failure it prevents: (a) the attacker probably hunted the backups first; (b) verify the backup is clean and predates the intrusion; (c) do not restore onto a still-compromised environment; (d) preserve evidence before you wipe. Which of these explains why "we had a backup" so often still ends in disaster?

12.15 ⭐ Use STOP/Djvu to explain the most instructive distinction in the whole decryptor landscape. (a) What does STOP/Djvu encrypt, with which cipher, and how much of each file? (b) Distinguish an offline ID from an online ID, including the t1 personal-ID tell, and state precisely which one is decryptable and why. (c) Explain how a single environmental accident — whether the malware reached its command-and-control server during encryption — decides a victim's entire fate. Then name the authoritative clearinghouse and the vendor whose tool you would obtain, and state the one rule about where you download a decryptor from.

12.16 Volume Shadow Copies are deleted by nearly every serious strain — and yet Option 3 is still worth a try on the image. Explain why: what does vssadmin delete shadows actually delete versus leave behind, and how does that connect to theme one? Name the tool you would run against the image to enumerate and mount any surviving stores, and name the one attacker command (vssadmin resize shadowstorage ...) that, if it ran, actively forecloses even this low-probability play.


Group E — Recover from this image

12.17 (Recover from this image.) Below are the first sixteen bytes of two files pulled from a hit share. Identify each, and explain how you can tell them apart at a glance.

File 1 @ 00000000:  FF D8 FF E0 00 10 4A 46  49 46 00 01 01 00 00 48
File 2 @ 00000000:  3A 9C 7E 04 D1 6B B2 8F  55 E0 12 A7 F9 4C 0D 6E

(a) Name File 1's type and the signature that proves it (cross-reference Appendix A). (b) Explain why File 2 has no recognizable header and what its byte distribution looks like statistically. (c) File 2's name on disk is photo.jpg.{A7F1C0D9}.eking and its last 256-plus bytes are high-entropy followed by the ASCII eking{...}. State what that trailer is, what the {A7F1C0D9} is, and why this trailer is forensic gold even though it does nothing to help you decrypt the body. (answer in Appendix)

12.18 (Build the timeline.) From the anchor case you have these timestamped facts: a flood of Event ID 4625 failures ending in a Type-10 Event ID 4624 success at 02:14 Tuesday; a 240 GB outbound transfer over the following days; an Event ID 4688 capturing vssadmin delete shadows /all /quiet on the following Sunday; and the ransom notes written immediately after. (a) Lay these out as an ordered intrusion timeline with the canonical attack phases named (initial access → dwell → escalation/lateral movement → exfiltration → backup/shadow-copy destruction → encryption). (b) State which single event marks the transition from "availability incident" to "reportable data breach," and why. (c) The dwell time here was six days. Explain why a wipe-and-rebuild done in the first hour would have erased the answer to "how did they get in, and what did they take?"

12.19(Hands-on lab — your own files.) On a copy of a few files you own, compute a sliding-window Shannon entropy across each file (window e.g. 4 KB). (a) Confirm that plaintext text and structured formats sit well below 8.0 bits/byte while an encrypted blob or a ZIP sits at ~7.99–8.0. (b) Now simulate STOP/Djvu's partial encryption: replace the first 150 KB of a large media file with random bytes and re-run the sliding-window scan. Describe the entropy profile you see (high for the first 150 KB, normal thereafter) and explain why this profile is shouting "partial encryption, tail recoverable" at you. (c) State why you cannot simply open such a file in its normal application even though most of its bytes are pristine, and outline the repair idea (splice a generic header onto the surviving body).

12.20 (Carve, and read the result.) You run foremost -t jpg,pdf,doc,docx,xlsx,pst -i /evidence/acct-server.dd -o /evidence/foremost-out against the hard-drive server image and it reports 6,213 files carved. (a) Explain why carving works here at all — what did the malware's copy-encrypt-delete behavior leave in unallocated space? (b) Why do the carved files come out as 0001.jpg, 0002.pdf, and so on, and what manual work does that force onto a human afterward? (c) Beyond unallocated space, name four other reservoirs on the same image that frequently hold unencrypted copies the malware never touched. (d) You run the identical command against the workstation's NVMe SSD image and get almost nothing. Explain why in one sentence.


Group F — The pay/don't-pay decision and the law

12.21 (The legal hazard.) A client with no usable backup, no decryptor, and insufficient carved recovery asks you, point blank, "can we just pay them?" Explain the OFAC dimension: (a) why paying can itself be a crime in the United States, (b) what "strict-liability standard" means for a payer who did not know the recipient was sanctioned, and (c) the three mitigating factors OFAC identifies — and how two of them connect directly to the preservation and reporting steps earlier in the chapter. State the one-sentence rule about counsel and payment. (answer in Appendix)

12.22 The 2021 Colonial Pipeline incident is the chapter's cautionary tale about paying. Recount what the company paid, to whom, what they received, and why the payment "bought them very little speed." Then state the one piece of good news the case offers about cryptocurrency's traceability (what the DOJ later did), and explain how that connects to the argument for reporting a payment to law enforcement.

12.23(Judgment — the modern incident.) A firm has just completed a flawless restore from a clean offline backup. Total data loss: near zero. The owner says "great, it's over." Explain why it is not over. (a) Define double and triple extortion and name the group that pioneered data theft before encryption. (b) Explain precisely why a perfect restore does not end an incident in which data was exfiltrated, and why paying "for deletion" buys only an unverifiable promise. (c) List the legal clocks the exfiltration finding may have started (name at least three regimes from Appendix E). (d) State the ethical case the chapter makes — on whom the pay/don't-pay decision properly rests, and what your role is.

12.24 (Write the report / client memo.) Write the short, plain-language paragraph you give an organization's leadership summarizing their pay/don't-pay decision inputs after you have worked options 1–4. Cover, without jargon: what was recovered and what is permanently lost; that paying is gated by sanctions law and requires counsel; that an attacker's decryptor carries no guarantee; that data was exfiltrated, so this is also a breach that paying will not undo; and that the decision is theirs, not yours. End with the one internal service-note line that records the same facts for your file.


Group G — Prevention and the progressive project

12.25 Expand the classic 3-2-1 backup rule into the ransomware-hardened 3-2-1-1-0, defining what each digit means and, for the two new digits, the specific ransomware failure it defeats. Then explain why a backup that was online and reachable from a compromised domain-admin account is presumed compromised, and why the "single most common way modern attackers neutralize backups" makes separate credentials with MFA on the backup console the highest-value control of all. (answer in Appendix)

12.26 "What is not connected cannot be encrypted." Distinguish offline/air-gapped backups from immutable/WORM backups, giving a concrete example of each (rotated external drive in a drawer; cloud object storage with Object Lock). For each, explain why even an attacker with full domain-admin rights cannot destroy it. Then explain the meaning of the "0" in 3-2-1-1-0 and why the accounting firm in the anchor case technically "had a backup job" yet still suffered near-total recent-data loss.

12.27 ⭐ Backups get you back; other controls stop the attack and the re-attack. (a) Explain why "do not restore onto a still-compromised environment" is not optional, and what specifically must happen before you restore (vector, credentials, rebuild media). (b) Name the single most common initial-access vector for human-operated ransomware and the two controls that close it. (c) Argue why network segmentation and least privilege turn "one compromised workstation" into a contained event rather than a domain-wide encryption. (d) Why is a written, tested incident-response plan itself a prevention control, not just a response one?

12.28 (Progressive project — the recovery-vs-preservation memo.) Add the one-page Recovery-vs-Preservation decision memo to your Forensic Case File working notes (begun in Chapter 5). Imagine the evidence machine in your case is discovered mid-encryption. Document, in the order you would actually perform them: (1) the containment step that does not destroy volatile evidence; (2) the acquisition order with hashes; (3) which of the five recovery options you would attempt and why, noting explicitly whether the target is HDD or SSD and how that changes carving; and (4) the legal triggers you would flag (exfiltration → breach notification; payment → OFAC review). Cite the appendix and chapter for each control. Write the memo so that it demonstrates the most valuable habit in incident work: a defensible, written rationale produced before the fast decisions, not after.


Self-check. You have mastered this chapter when you can reason from the cryptography to the recovery options without notes — when someone describes a strain and a medium and you can say, immediately, "copy-encrypt-delete on an HDD, so carving is on the table" or "in-place overwrite on an SSD, so the encrypted files are the only files and the math is the wall." Concretely, you should be able to: diagram the hybrid AES/RSA model and point to the one key you can never get; recite the first-hour list and explain why isolate-but-do-not-power-off; image a drive and prove the SHA-256 matches; tell an offline ID from an online ID and what each means for STOP/Djvu; reconstruct an intrusion timeline from event IDs; and lay out the OFAC, double-extortion, and ethics stakes of paying clearly enough for a client to decide with open eyes. Above all, you should be able to say the chapter's hardest sentence as plainly as its easiest: without backups, ransomware recovery is partial at best. If the prevention section felt like an afterthought on first read, read it again — it is the whole point. Next, Chapter 13 — The Data Recovery Business turns from the bench to the business of charging money to handle other people's worst days.