Why Should I Care?
Ransomware groups often publish a directory tree of exfiltrated data as proof of breach, and that format is awkward to analyse.
What Should I Consider?
Convert the directory tree into a flat list of folder paths, which are far easier to search, diff and compare against other artefacts.
Introduction
Ransomware groups will often post proof of data exfiltration on their dark web leak sites before releasing the data. The intent is to pressure the victim into a ransom negotiation. That proof of breach frequently includes a directory tree of the exfiltrated data, typically in a format similar to the one below:
Several questions are raised and need to be answered relatively quickly, before the full data set is published. These include:
What are the files within the directories?
What are the sizes of these files?
Is any sensitive data included?
The directory tree as provided is not easy to work with compared with a flat list of folder paths. With the help of ChatGPT the following script will parse a directory tree and output the folder paths. This is helpful for comparing the published directory tree against MFTECmd output from the affected systems, to establish which of the listed files existed, how large they were and whether they held sensitive data.
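The conversion described above, as an added example written for this edit rather than the author's ChatGPT-generated script. It walks a tree-style listing, derives each entry's depth from the width of the drawing prefix (GNU tree in Unicode or ASCII charset, and Windows `tree /A`, all advance four columns per level), and emits one full path per entry. A second function compares those paths against a list of full paths rebuilt from an $MFT listing, so you can see which leaked entries exist on the host and which do not. The function names, the sample tree and the $MFT-style path list are constructed for illustration; the comparison assumes you have already joined ParentPath and FileName from your MFTECmd CSV into full paths.

```python
"""Flatten a leak-site directory tree into full paths.

Added example for this post, not the author's ChatGPT-generated script.
The sample tree, the MFT-style path list and the function names are
constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterable

# One 4-column unit of tree drawing. Covers GNU tree (Unicode and ASCII
# charsets) and Windows `tree /A`, all of which advance 4 columns per level.
_UNIT = r"(?:[│|] {3}| {4}|[├└]── |[|`]-- |[+\\]---)"
_PREFIX_RE = re.compile(rf"^(?:{_UNIT})*")
# GNU tree appends a summary such as "3 directories, 2 files"; ignore it.
_SUMMARY_RE = re.compile(r"^\d+ director(y|ies)")


def tree_to_paths(tree_text: str, sep: str = "/", skip_root: bool = True) -> list[str]:
    """Return one full path per entry of a tree-style listing.

    Depth = number of 4-column drawing units before the entry name, so the
    parser relies on consistent indentation rather than on which glyphs
    were used. The first line (".", "C:." or a share name) is the root and
    is dropped from the output paths when skip_root is True.
    """
    stack: list[str] = []          # ancestor names, one per depth level
    paths: list[str] = []
    for raw in tree_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or _SUMMARY_RE.match(line):
            continue
        prefix = _PREFIX_RE.match(line).group(0)
        name = line[len(prefix):].strip()
        if not name:
            continue
        depth = len(prefix) // 4
        del stack[depth:]          # pop back to this entry's parent
        stack.append(name)
        parts = stack[1:] if skip_root else stack
        if parts:
            paths.append(sep.join(parts))
    return paths


def _norm(path: str) -> str:
    """Normalise for comparison: forward slashes, no leading './' or '/',
    no trailing '/', case-folded (NTFS paths are case-insensitive)."""
    p = path.replace("\\", "/")
    p = re.sub(r"^\.?/", "", p).rstrip("/")
    return p.casefold()


def compare_with_mft(tree_paths: Iterable[str],
                     mft_paths: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split leak-site paths into those present in an $MFT-derived path list
    and those not found. mft_paths are assumed to be full paths already
    joined from ParentPath and FileName (e.g. from an MFTECmd CSV)."""
    tree_paths = list(tree_paths)
    known = {_norm(p) for p in mft_paths}
    matched = [p for p in tree_paths if _norm(p) in known]
    missing = [p for p in tree_paths if _norm(p) not in known]
    return matched, missing


# Constructed sample in GNU tree format (not from a real leak site).
SAMPLE_TREE = """\
.
├── Finance
│   ├── 2023
│   │   └── budget.xlsx
│   └── payroll.csv
└── HR
    └── employees.docx

3 directories, 3 files
"""

# Constructed stand-in for full paths rebuilt from an $MFT listing of the share.
SAMPLE_MFT_PATHS = [
    ".\\Finance",
    ".\\Finance\\2023",
    ".\\Finance\\2023\\budget.xlsx",
    ".\\HR",
    ".\\HR\\employees.docx",
    ".\\HR\\old_contracts.pdf",
]

if __name__ == "__main__":
    paths = tree_to_paths(SAMPLE_TREE)
    print("\n".join(paths))
    found, missing = compare_with_mft(paths, SAMPLE_MFT_PATHS)
    print(f"\n{len(found)} listed paths present in $MFT, {len(missing)} not found:")
    for p in missing:
        print("  ", p)
```

Entries listed by the attackers but absent from the $MFT are the ones to chase first: they may have been deleted since exfiltration, live on another host or share, or point to a staging copy you have not yet imaged.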