Poster: Data Recovery from Ransomware Attacks via File System Forensics and Flash Translation Layer Data Extraction

Authors

Niusen Chen, Michigan Technological UniversityFollow
Josh Dafoe, Michigan Technological UniversityFollow
Bo Chen, Michigan Technological UniversityFollow

Document Type

Conference Proceeding

Publication Date

11-7-2022

Department

Department of Computer Science

Abstract

Ransomware is increasingly prevalent in recent years. To defend against ransomware in computing devices using flash memory as external storage, existing designs extract the entire raw flash memory data to restore the external storage to a good state. However, they cannot allow a fine-grained recovery in terms of user files as raw flash memory data do not have the semantics of "files''. In this work, we design FFRecovery, a new ransomware defense strategy that can support fine-grained data recovery after the attacks. Our key idea is, to recover a file corrupted by the ransomware, we can 1) restore its file system metadata via file system forensics, and 2) extract its file data via raw data extraction from the flash translation layer, and 3) assemble the corresponding file system metadata and the file data. A simple prototype of FFRecovery has been developed and some preliminary results are provided.

Publication Title

Proceedings of the ACM Conference on Computer and Communications Security

ISBN

9781450394505

Recommended Citation

Chen, N., Dafoe, J., & Chen, B. (2022). Poster: Data Recovery from Ransomware Attacks via File System Forensics and Flash Translation Layer Data Extraction. Proceedings of the ACM Conference on Computer and Communications Security, 3335-3337. http://doi.org/10.1145/3548606.3563538
Retrieved from: https://digitalcommons.mtu.edu/michigantech-p/16660