Windows-Forensics

Cisco Talos and others report that Kraken now profiles each host to select encryption mode and threading. Here’s a concise IR playbook fo...

Kraken ransomware adds CPU/IO benchmarking—what to hunt before the encryptor runs

4n6 Beat
5 min read

On November 13, 2025, reporting highlighted that the cross-platform Kraken ransomware profiles victim machines first, benchmarking disk/CPU to choose between full or partial encryption and tune threads to avoid tripping resource alarms (BleepingComputer). Cisco Talos’ deep dive confirms host-side performance tests via a temporary file and command-line switches, plus distinct encryptors for Windows and Linux/VMware ESXi that append “.zpsc” and drop “readme_you_ws_hacked.txt” (Talos). Talos also notes ties to the older HelloKitty operation and a Kraken-hosted forum announcement (“The Last Haven Board”), a link also observed by independent analysis of Kraken’s leak site (Talos, Cyjax).

Attackers are riding legitimate RMM tools through trucking/logistics networks while Apple and Google ship important platform fixes. Here’...

IR playbook: RMM abuse in trucking/logistics, plus Apple and Android patch priorities (Nov 2025)

4n6 Beat
5 min read

SANS ISC’s Stormcast on November 5, 2025 highlighted three items responders should act on: Apple’s latest cross-portfolio security updates, Google’s November Android security bulletin with a critical System RCE, and active criminal use of legitimate remote management tools (RMM) against trucking and logistics firms. Patch scheduling and RMM governance should be on the same ticket for this week’s change window. (SANS Stormcast 2025-11-05, Android Nov 2025 bulletin).

Apple shipped Safari 26.1 on November 3 with multiple WebKit memory-safety fixes, and broader OS updates (iOS/iPadOS 26.1, watchOS/tvOS/visionOS 26.1) that include additional WebKit issues; SANS notes Apple’s set also includes memory-corruption bugs in ImageIO and FontParser, classes historically associated with code-execution vectors, so prioritize roll-out. (Apple Safari 26.1, visionOS 26.1 WebKit entries, SANS diary summary). Google’s November 2025 Android bulletin calls out a critical RCE in the System component requiring no additional privileges and no user interaction; push devices to security patch level 2025-11-01 or later. (Android Nov 2025 bulletin).

A deep, hands‑on DFIR guide to correlating scattered fragments of deleted NTFS files, mapping their physical disk locations, and building...

File System Fragmentation Mapping and Time-Lining

4n6 Beat
10 min read

You often can’t trust a standard “MAC times” timeline when an adversary timestomps $STANDARD_INFORMATION, renames files, or deletes entire directories. This guide teaches you how to map the physical fragments of a file across the disk and reconstruct a resilient chronology from NTFS internals and low-level journals, so you can explain what really happened even when typical metadata is gone.

At a high level, you will:

Why this works: NTFS separates “what data sits where” (runlists mapping VCNs to LCNs) from file names and times. It also appends low-level summaries of changes into the USN Journal ($Extend\$UsnJrnl) and records transaction details in $LogFile. Even when $MFT timestamps are forged, those other structures often retain independent evidence of creation, writes, renames, and deletes (see Microsoft’s documentation on USN Change Journal records and NTFS attribute types, including $STANDARD_INFORMATION and $FILE_NAME; learn.microsoft.com).