Listen to this Post
Introduction
As threat actors evolve from encrypting files to deploying double‑extortion tactics, the ability to dissect a compromised virtual machine (VM) and interpret its forensic artifacts is more critical than ever. Harlan Carvey’s core investigative principles—detailed in his timeless works such as Investigating Windows Systems (2018), Windows Forensic Analysis 4/e, and Windows Registry Analysis 2/e—remain the bedrock of modern incident response. By applying these methodologies to a recent Akira ransomware case, we can transform raw artifacts into actionable intelligence, using a combination of open‑source tools for registry, file system, and event log analysis.
Learning Objectives
- Objective 1: Perform offline registry triage with RegRipper to extract system configuration and user‑assigned artifacts.
- Objective 2: Reconstruct file system activity using MFT and USN journal parsers to identify data staging and exfiltration.
- Objective 3: Correlate Windows Event Logs, Edge browsing artifacts, and timeline data to map an adversary’s kill chain.
You Should Know
1. Timeless Forensics: Core Principles from Carvey’s Framework
Harlan Carvey’s investigative process—first documented over a decade ago—emphasizes understanding how an artifact is created, not just what it contains. In the Huntress case, analysts examined a newly instantiated VM that lacked endpoint detection and response (EDR) agents. By applying Carvey’s low‑level parsing techniques (e.g., MFT, USN journal, registry hives), they were able to reconstruct the attacker’s actions despite the absence of traditional security tooling. This “timeless” approach focuses on fundamental data structures rather than transient alerts.
Step‑by‑Step Guide: Build a Basic Timeline with Native Windows Tools
This method collects key artifacts for preliminary analysis without third‑party tools:
1. Collect Registry Hives (requires admin privileges):
reg save HKLM\SYSTEM system.hive reg save HKLM\SOFTWARE software.hive reg save HKLM\SAM sam.hive reg save HKLM\SECURITY security.hive reg save HKCU\ntuser.dat ntuser.dat
2. Export Security & System Event Logs:
wevtutil epl Security c:\forensics\security.evtx wevtutil epl System c:\forensics\system.evtx
3. Gather File System Metadata (MFT, USN journal, prefetch):
fsutil usn readjournal c: > usn_raw.txt copy C:\Windows\Prefetch.pf prefetch_files\
4. Parse with Timeline Tools: Use `log2timeline` (Plaso) or Carvey’s own `wevtx.bat` from his Tools repository to convert disparate artifacts into a unified timeline.
Key Takeaway: Focus on the “why” behind each artifact. For example, an unexpected entry in the USN journal may indicate a file was deleted to cover tracks, but the original file name and path remain recoverable.
2. Registry Analysis with RegRipper 3.0
In the Akira incident, the attackers created a new VM and used it to stage data and launch ransomware. RegRipper allowed investigators to surgically extract evidence of software installation (WinRAR, WinSCP) and disabled security features (Microsoft Defender). The latest RegRipper 3.0 automates plugin execution across entire hives, streamlining the process.
Step‑by‑Step Guide: Automate Registry Analysis on Linux
Clone RegRipper 3.0 git clone https://github.com/keydet89/RegRipper3.0.git cd RegRipper3.0 For Linux, ensure Perl dependencies are installed: sudo apt-get install libparse-win32registry-perl Run rip.pl in "all plugins" mode against a system hive perl rip.pl -r /path/to/SYSTEM -a -o /output/dir/ To generate TLN output for timeline building: perl rip.pl -r /path/to/SOFTWARE -aT -o /output/dir/
Windows GUI (rr.exe): Simply select the hive and output directory; the tool automatically runs all applicable plugins.
Common Plugins to Investigate Ransomware Activity:
– `disable_defender.pl` – checks for Microsoft Defender disablement (often via registry key)
– `installed_apps.pl` – lists installed software (WinRAR, WinSCP, Rclone)
– `run.pl` / `userassist.pl` – program execution artifacts
– `tsclient.pl` – Remote Desktop connection history
- Parsing the Master File Table and USN Journal
The MFT records every file’s metadata, while the USN journal logs every change to the NTFS volume. In the Huntress case, these artifacts revealed the creation of archive files (e.g., using WinRAR) and the subsequent copy operations to exfiltration tools. Carvey’s own parsers (available via his Tools repo) provide low‑level access without commercial software.
Step‑by‑Step Guide: Extract File Activity with MFT and USN Parsers
1. Parse MFT with Carvey’s `mft.pl`:
perl mft.pl -f /path/to/\$MFT -o /output/dir/mft.csv
2. Parse USN Journal with `usn.pl` (from the same repo):
perl usn.pl -f /path/to/UsnJrnl:\$J -o /output/dir/usn.csv
3. Cross‑correlate with WinRAR usage: Search for `.rar` or `.7z` extensions in the USN output to identify staging files:
Get-Content usn.csv | Select-String ".rar"
4. Reconstruct directory tree: Combine MFT and USN data to understand which directories were targeted for exfiltration.
Alternatively, use `usnjrnl-forensic` for Rust‑based performance:
usnjrnl-forensic /path/to/UsnJrnl:\$J --mft /path/to/\$MFT
4. Exfiltrating Browsing History: Parsing Microsoft Edge Artifacts
Threat actors often use legitimate file‑sharing services to exfiltrate data. In the Huntress case, the adversary used Easyupload.io (owned by LimeWire). Investigators used Microsoft Edge browsing history to confirm this activity. The open‑source tool CuttingEdge.py parses Edge’s SQLite history database, even when the browser is closed.
Step‑by‑Step Guide: Parse Edge History with CuttingEdge
Clone the repository git clone https://github.com/h4tt0ri/CuttingEdge.git cd CuttingEdge Install dependencies pip3 install -r requirements.txt Run against an Edge History file (typically located in %USERPROFILE%\appdata\local\microsoft\edge\user_data\default) python3 CuttingEdge.py -f /path/to/History -t history -o edge_history_output To extract download entries specifically: python3 CuttingEdge.py -f /path/to/History -t downloads -o edge_downloads
The output is a CSV file containing URLs, visit times, and download locations. In an investigation, search for file‑sharing domains (e.g., easyupload.io, file.io, transfer.sh) and correlate with USN journal timestamps of created archives.
- Deep Dive into Windows Event Logs with Events‑Ripper
Events‑Ripper, another tool from Carvey’s arsenal, extracts high‑value pivot points from TLN (time‑lined) events files—specifically from Windows Event Logs (.evtx). The tool addresses the fact that event IDs are not unique; it uses plugins to interpret the event source/ID pairs in context.
Step‑by‑Step Guide: Build an Events File and Run Events‑Ripper
1. Collect `.evtx` files (Security, System, Application, Windows Defender, Terminal Services, etc.) to a central folder.
2. Create the TLN events file using the provided `wevtx.bat` (requires Microsoft LogParser):
wevtx.bat C:\cases.evtx C:\cases\events.txt
3. Run Events‑Ripper to extract additional pivot points:
perl events_ripper.pl -f C:\cases\events.txt -p plugins/ -o C:\cases\events_ripped.txt
4. Correlate with USN journal for complete picture: The TLN file is intermediate—add data from MFT and USN parsers using tools from the Tools repository before running Events‑Ripper.
Example Use Case: Identify devices connected to the system (USB drives) via Event ID 2003/2103. Events‑Ripper plugins can automatically flag such connections and link them to file copy events from the USN journal.
- Cloud Hardening and API Security Against Data Exfiltration
The Akira affiliate used WinRAR for staging, then transferred data via WinSCP, and finally used Easyupload.io (LimeWire). To harden cloud and API security, organizations should:
– Restrict outbound traffic to allow‑listed domains only.
– Monitor API calls to file‑sharing services (e.g., via CASB or proxy logs).
– Use MITRE ATT&CK techniques T1048 (Exfiltration Over Alternative Protocol) and T1537 (Transfer Data to Cloud Account) as detection baselines.
Step‑by‑Step Guide: Detect Exfiltration via API Monitoring
- Enable Azure AD sign‑in logs for Microsoft 365 to detect unusual file downloads.
- Use `auditd` on Linux proxies to log all
curl/wgetcommands:sudo auditctl -a always,exit -F arch=b64 -S execve -k outbound_transfer
- Windows command line logging via Sysmon Event ID 1 (process creation):
<Sysmon> <EventFiltering> <ProcessCreate onmatch="include"> <CommandLine condition="contains">winscp</CommandLine> <CommandLine condition="contains">rar</CommandLine> </ProcessCreate> </EventFiltering> </Sysmon>
What Undercode Say
- Key Takeaway 1: Harlan Carvey’s forensic books are not outdated; they teach a philosophy of understanding low‑level artifacts, which remains essential even as threat actors use VMs and cloud services to evade EDR.
- Key Takeaway 2: The Akira/LimeWire case demonstrates that attackers often use a combination of legitimate admin tools (WinRAR, WinSCP) and free file‑sharing sites for data theft. A multi‑layered detection strategy—combining registry, file system, and browsing artifacts—is necessary to catch these activities.
Undercode’s analysis highlights that while commercial tools are valuable, the ability to manually parse an MFT, query a registry hive, or interpret a USN journal entry is the foundation of all successful investigations. The Huntress team succeeded because they treated the compromised VM as a fresh crime scene, applying Carvey’s step‑by‑step “why‑based” methodology. They also effectively pivoted between artifacts: Edge history led them to Easyupload.io, while the USN journal confirmed the archive creation timestamps.
Prediction
- +1 The increasing use of VM‑based staging will drive demand for hypervisor‑level forensics (e.g., VMware ESXi logs, memory introspection). Tools like Volatility and Rekall will see renewed usage, and Carvey’s principles will extend to virtualized file systems.
- ‑N Attackers will respond by using in‑memory only data staging (no disk writes) and encrypted exfiltration channels (e.g., Ngrok, Cloudflare tunnels). This will make traditional MFT/USN journal analysis less effective, forcing the industry toward memory and network flow forensics.
- ‑N The use of legitimate file‑sharing services (Easyupload.io, transfer.sh, etc.) for exfiltration will continue to rise, because security tools rarely block these domains by default. Organizations will need to implement category‑based web filters and data loss prevention (DLP) focused on unusual data volumes to these endpoints.
- +1 RegRipper 3.0’s automation of all plugins against a hive will become the standard for registry analysis, reducing manual effort and improving consistency across analysts. This will help smaller teams adopt structured forensic processes without expensive commercial tools.
- +1 The open‑source community will build more integrated solutions that combine MFT, USN, Registry, and Event Log parsing into a single timeline, directly echoing Carvey’s vision of low‑level toolchains (e.g., the `wevtx.bat` + `events_ripper.pl` workflow). This will lower the barrier to entry for new forensic analysts.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Harlan Carvey – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
