The situation and the setup
In a recent ransomware engagement we lacked the proper insight on how much data had been exfiltrated. We had artefacts telling us there was 5 files involved (archive.rar, archive.part1.rar -> archive.part4.rar), unfortunately the names were all we had to go on.
So we could assume data had been exfiltrated. We still did not know how much data had been exfiltrated.
I decided to test the actual split functionality to find some useful artefacts with regards to compressed data.
The test I did consisted of compressing a rather large file into chunks of 10MB:
Artefacts WinRAR Dialog History
The registry contains a dialog that proved useful in the circumstance. Two keys contains history pertaining to volumes being archived.
The keys within HKCU\Software\WinRAR\DialogEditHistory\ArcName HKCU\Software\WinRAR\DialogEditHistory\VolSize
From these two keys we can see both the name of the archive and actual maximum file size of the individual splits.
Naming artefacts when using WinRAR
The operation resulted in three different files test_split.part1.rar through test_split.part3.rar.
We had however seen the original file name in our telemetry, which upon closer inspection of the USN Journal showed that the very first file created is in fact test_split.rar.
This file is however renamed as outlined in the output below.
How much data was exfiltrated then?
Based on how the files are created and the registry entries present, we can say that 3 parts of an arhive was exfiltrated.
2 of which are at the full 10MB and the last one we would not be able to say for certain, so anything between 0-10MB.
So in the test bed we could say the amount of compressed data exfiltrated was been 20-30MB.