What Malware Leaves Behind: Analysing Forensic Traces of Ransomware
2025-10-22, Europe

This session explores the forensic remnants left behind by ransomware on an infected machine. Through a simulated malware infection in a controlled environment, we’ll demonstrate how to uncover the traces attackers leave in system artifacts. Using powerful open-source tools like Autopsy, RegRipper, and Velociraptor, we’ll walk through post-infection analysis, providing attendees with the techniques and insights to detect, correlate, and communicate ransomware behaviors.
This session would be ideal for DFIR professionals, SOC analysts, and anyone looking to better understand the digital aftershocks of malware.


Ransomware attacks have surged in both frequency and sophistication, but even after the malicious code has been executed and removed, remnants of the attack linger.

This session will delve into the forensic analysis of a ransomware infection, using open-source tools to uncover what happens after the initial compromise.

Through a controlled lab scenario, we’ll simulate the infection of a Windows VM with ransomware, and then use a triage approach to collect and analyze digital artifacts that remain on the system. The primary focus will be on using Autopsy, RegRipper, and Velociraptor to uncover forensic traces and attack patterns, such as:
1. File remnants, including encrypted files, ransom notes, and deleted files.
2. Registry artifacts that could reveal malware persistence techniques.
3. Behavioral artifacts, such as network traffic and execution traces left by the malware.

The session will be split into two parts:

Part 1: Live Demo (5 minutes):
This will include a brief walkthrough of the infected machine, showing evidence of the ransomware attack such as the encrypted files and the ransom note.
It will also include a live demonstration using Autopsy or Velociraptor to extract critical forensic data from the infected system.

Part 2: Post-Infection Analysis (25 minutes):

This part will involve a deeper analysis of the system, explaining how these tools work together to detect and reconstruct the attack. It will answer several questions about post-infection analysis, such as:

  • How to correlate the findings across multiple tools (Autopsy’s file-level analysis, RegRipper’s registry examination, Velociraptor’s live endpoint queries).
  • How to map artifacts to attacker TTPs (Tactics, Techniques, and Procedures) using the MITRE ATT&CK framework.
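As an added illustration of the correlation and mapping step described above (example code written for this page, not tooling from the talk or from Autopsy, RegRipper or Velociraptor), the script below takes records shaped like a file listing, a Run-key export and correlates them into a single finding list tagged with ATT&CK technique IDs. The ATT&CK IDs are real; the sample file paths, extensions, registry values and all function names are constructed for the example.

```python
"""Correlate ransomware artefacts from several tool exports into one
ATT&CK-tagged finding list. Added example; inputs are constructed to
resemble an Autopsy file listing and a RegRipper Run-key dump."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Real MITRE ATT&CK technique IDs used for the mapping.
T_ENCRYPT = "T1486"       # Data Encrypted for Impact
T_RUNKEY = "T1547.001"    # Boot or Logon Autostart: Registry Run Keys
T_DELETE = "T1070.004"    # Indicator Removal: File Deletion

RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|restore|how[_ -]?to|recover)", re.I)
NOTE_EXTS = {".txt", ".hta", ".html"}
# Extensions treated as ordinary; anything else is a candidate encrypted-file suffix.
COMMON_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".exe",
               ".dll", ".hta", ".html", ".log"}
# Directories a normal user can write to; autostart entries pointing here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class FileEntry:
    path: str
    mtime: datetime
    deleted: bool = False

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def ext(self) -> str:
        n = self.name.lower()
        return n[n.rfind("."):] if "." in n else ""


@dataclass
class RunKeyValue:
    key: str
    name: str
    command: str


@dataclass
class Finding:
    technique: str
    source: str
    detail: str
    when: Optional[datetime] = None


def find_ransom_notes(files):
    return [f for f in files if f.ext in NOTE_EXTS and RANSOM_NOTE_RE.search(f.name)]


def find_encryption_burst(files, min_files=3, window=timedelta(minutes=5)):
    """Group live files by unusual extension and report groups whose mtimes
    fall inside one short window: the signature of bulk encryption."""
    by_ext = defaultdict(list)
    for f in files:
        if not f.deleted and f.ext and f.ext not in COMMON_EXTS:
            by_ext[f.ext].append(f)
    bursts = {}
    for ext, group in by_ext.items():
        times = sorted(f.mtime for f in group)
        if len(times) >= min_files and times[-1] - times[0] <= window:
            bursts[ext] = (times[0], times[-1], len(times))
    return bursts


def find_suspicious_runkeys(values):
    """Run-key values whose command launches from a user-writable directory."""
    return [v for v in values if any(m in v.command.lower() for m in USER_WRITABLE)]


def correlate(files, runkeys):
    """Merge per-tool observations into one timeline tagged with ATT&CK IDs."""
    findings = []
    for ext, (start, end, n) in find_encryption_burst(files).items():
        findings.append(Finding(T_ENCRYPT, "file-listing",
                                f"{n} files with suffix {ext} modified {start:%H:%M:%S}-{end:%H:%M:%S}", start))
    for note in find_ransom_notes(files):
        findings.append(Finding(T_ENCRYPT, "file-listing", f"ransom note {note.path}", note.mtime))
    for f in files:
        if f.deleted:
            findings.append(Finding(T_DELETE, "file-listing", f"deleted original {f.path}", f.mtime))
    for v in find_suspicious_runkeys(runkeys):
        findings.append(Finding(T_RUNKEY, "run-keys", f"{v.key}\\{v.name} -> {v.command}"))
    # Timestamped findings first, in order; registry entries (no timestamp) last.
    findings.sort(key=lambda x: (x.when is None, x.when or datetime.min))
    return findings


def techniques(findings):
    return sorted({f.technique for f in findings})


# Constructed sample data standing in for tool exports.
_T0 = datetime(2025, 10, 22, 14, 3, 0)
SAMPLE_FILES = [
    FileEntry("C:\\Users\\alice\\Documents\\budget.xlsx.lockedx", _T0 + timedelta(seconds=5)),
    FileEntry("C:\\Users\\alice\\Documents\\report.docx.lockedx", _T0 + timedelta(seconds=9)),
    FileEntry("C:\\Users\\alice\\Pictures\\holiday.jpg.lockedx", _T0 + timedelta(seconds=40)),
    FileEntry("C:\\Users\\alice\\Documents\\budget.xlsx", _T0 + timedelta(seconds=5), deleted=True),
    FileEntry("C:\\Users\\alice\\Desktop\\README_DECRYPT.txt", _T0 + timedelta(minutes=1)),
    FileEntry("C:\\Users\\alice\\Documents\\notes.txt", _T0 - timedelta(days=3)),
]
SAMPLE_RUNKEYS = [
    RunKeyValue("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
                "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"),
    RunKeyValue("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "svchost",
                "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"),
]


def triage():
    return correlate(SAMPLE_FILES, SAMPLE_RUNKEYS)


if __name__ == "__main__":
    for f in triage():
        print(f.technique, f.source, f.detail)
```

The burst check is the part worth tuning in a real case: a threshold of three files in five minutes is deliberately low for the toy listing, and a real triage would also feed Velociraptor process events into `correlate` so the encryption window can be tied to the process that produced it.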

By the end of this session, attendees will gain a solid understanding of what to look for when investigating ransomware incidents and how to use these open-source tools to piece together the story of the attack. Whether you're working in DFIR, SOC, or threat hunting, this talk will provide the practical skills to identify and analyze ransomware behavior through forensic investigation.

Ankshita is a cybersecurity consultant with a sharp focus on malware analysis, offensive tactics, and real-world threat detection. Her background spans the finance sector, tech industry, and incident response, where she has worked as a SOC analyst, security engineer, and consultant across corporate and critical infrastructure environments. She holds the ISTQB Certified Security Tester credential, is KLCP certified, and is currently researching advanced malware evasion techniques and system exploitation pathways.

She has presented her work at Hack.lu (Luxembourg), Après Cyber Slopes Summit (Utah), DevFest Africa, and The Developers Conference (Mauritius). Her technical approach blends dynamic analysis, code unpacking, and attacker tradecraft — often with a focus on web-based attack surfaces. Ankshita was also recognized by Huawei Mauritius in 2024 for her innovation in engineering.
