I am glad to announce the release of the ERNW whitepaper 71 containing information about quarantine file formats of different AV software vendors. It is available here.
Anti-Virus Software
I took quarantine files from real-life incidents and created some in a lab environment. Afterwards I tried to identify metadata, like timestamps, path names, malware names, and the actual malicious file in the quarantine files. One goal was to use this information to support our incident analyses: Using the results, we can now easily create timelines showing information about quarantined files, extract the detected malware, and sometimes even find information about processes that created the malicious files.
The following anti-virus software quarantine files were analyzed:
- Avira
- Windows Defender
- Malwarebytes
- Symantec Endpoint Protection
- G Data
- Sophos Antivirus
- Kaspersky for Windows Server
Outcome
As an outcome of the analysis, I created Kaitai Struct parser definitions for the different file formats. Additionally, I documented my findings at Github.
The whitepaper gives some more information about the background of the analysis.
Presentation at Cast Forum
Furthermore, I showed the results of my work at the Cast Forum Workshop about forensics and cyber crime. The presentation can be found here.