Extracting data from encrypted virtual disks: six methods

From news.sophos.com

This article explains various techniques and readily available tools for extracting data from an encrypted virtual disk. For incident-response situations in which the entire virtual disk has been encrypted, these tools and techniques may – may – enable the investigating team to retrieve data from the encrypted system.

Efforts to extract data from encrypted virtual disks can potentially lead to multiple positive outcomes: recovering customer data that is irretrievable via standard methods, helping rebuild virtualized customer infrastructure that has been compromised, and / or enriching an incident investigation timeline. So far, we’ve used these techniques successfully in DFIR investigations involving the LockBit, Faust / Phobos, Rhysida, and Akira ransomware groups.

Read more…