Kaspersky Quarantine File
The following information is based on the current understanding of the Kaspersky Quarantine File format.
A Kaspersky Quarantine File consists of:
- file header
- obfuscated quarantined file
- obfuscated metadata
The file header is 64 bytes in size; the fields identified so far are (offsets and sizes in bytes):

| Offset | Size | Value | Description |
|---|---|---|---|
| 8 | 4 | | Unknown, header size or offset to quarantined file data? |
| 12 | 4 | | Unknown, empty values? |
| 16 | 4 | | Unknown, offset to metadata? |
| 32 | 4 | | Unknown, size of metadata? |
| 36 | 4 | | Unknown, empty values? |
| 40 | 4 | | Unknown, header size? |
| 44 | 4 | | Unknown, empty values? |
| 48 | 4 | | Unknown, quarantined file size? |
| 52 | 4 | | Unknown, empty values? |
| 60 | 4 | | Unknown, empty values? |
The quarantined file is stored obfuscated using an 8 byte XOR key: "e2 45 48 ec 69 0e 5c ac".
How the metadata is stored is not fully known at the moment, but part of the metadata is stored obfuscated using an 8 byte XOR key: "48 ec 69 0e 5c ac e2 45".
Date and time values
The date and time values in the metadata are stored as a count of 10 ns intervals since January 1 of year 1, 00:00:00 local time.

E.g. the timestamp 0x582db22720fb9bc9 converts as follows (Python 3; integer division keeps the full 64-bit value rather than rounding it through a float):

```python
import datetime
print(datetime.datetime(1, 1, 1) + datetime.timedelta(microseconds=0x582db22720fb9bc9 // 100))
```

which prints:

```
2014-06-25 15:01:44.164668
```
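The following added example (not code from ForensicsWiki or from Kaspersky) pulls together the two documented pieces of the format: the cyclic 8 byte XOR obfuscation of the quarantined file and metadata, and the 10 ns timestamp conversion. It also records an observation that follows directly from the two keys quoted above: the metadata key is the file key rotated left by two bytes. The sample "quarantined file" bytes are constructed here for illustration and are not taken from a real quarantine file; the function names are the example's own.

```python
import datetime

# XOR keys as documented on the page (8 bytes each).
FILE_KEY = bytes.fromhex("e2 45 48 ec 69 0e 5c ac")
METADATA_KEY = bytes.fromhex("48 ec 69 0e 5c ac e2 45")


def xor_cycle(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR every byte of data with the key, cycling through the key.

    XOR is its own inverse, so the same call both obfuscates and
    de-obfuscates. `offset` lets a caller start mid-key when processing
    a buffer in chunks: the key position is relative to the start of the
    obfuscated stream, not to the start of the chunk.
    """
    n = len(key)
    return bytes(b ^ key[(offset + i) % n] for i, b in enumerate(data))


def metadata_key_from_file_key(file_key: bytes) -> bytes:
    """The documented metadata key is the file key rotated left by two bytes."""
    return file_key[2:] + file_key[:2]


def ticks_to_datetime(ticks: int) -> datetime.datetime:
    """Convert a metadata timestamp (10 ns units since 0001-01-01 00:00:00,
    local time according to the page) to a datetime.

    Integer division keeps full precision; true division would push the
    64-bit value through a float and can lose the low digits.
    """
    return datetime.datetime(1, 1, 1) + datetime.timedelta(microseconds=ticks // 100)


# Constructed sample: a fake quarantined file starting with an MZ header,
# obfuscated here with the documented file key. Not data from a real file.
SAMPLE_PLAIN = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_OBFUSCATED = xor_cycle(SAMPLE_PLAIN, FILE_KEY)


def recover_sample() -> bytes:
    """De-obfuscate the constructed sample with the same key."""
    return xor_cycle(SAMPLE_OBFUSCATED, FILE_KEY)


if __name__ == "__main__":
    print("obfuscated:", SAMPLE_OBFUSCATED.hex(" "))
    print("recovered :", recover_sample())
    print("rotated key matches metadata key:",
          metadata_key_from_file_key(FILE_KEY) == METADATA_KEY)
    print("timestamp :", ticks_to_datetime(0x582db22720fb9bc9))
```

When carving a quarantined file out of a larger buffer, pass the byte position relative to the start of the obfuscated region as `offset`, otherwise the key phase is wrong and the output is garbage from the first byte.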