Kaspersky Quarantine File
The following information is based on the current understanding of the Kaspersky Quarantine File format.
A Kaspersky Quarantine File consists of:
- file header
- obfuscated quarantined file
- obfuscated metadata
The file header is 64 bytes in size and consists of:

| Offset | Size | Description |
|---|---|---|
| 8 | 4 | Unknown, header size or offset to quarantined file data? |
| 12 | 4 | Unknown, empty values? |
| 16 | 4 | Unknown, offset to metadata? |
| 32 | 4 | Unknown, size of metadata? |
| 36 | 4 | Unknown, empty values? |
| 40 | 4 | Unknown, header size? |
| 44 | 4 | Unknown, empty values? |
| 48 | 4 | Unknown, quarantined file size? |
| 52 | 4 | Unknown, empty values? |
| 60 | 4 | Unknown, empty values? |
The quarantined file is stored obfuscated using an 8-byte XOR key: "e2 45 48 ec 69 0e 5c ac".
How the metadata is stored is not fully known at the moment, but part of the metadata is stored obfuscated using an 8-byte XOR key: "48 ec 69 0e 5c ac e2 45".
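The following helper is an added example (not code from the wiki or from Kaspersky) that reads the tentatively identified header fields, de-obfuscates the quarantined file and the metadata region with the repeating 8-byte XOR keys above, and builds a constructed container so the round trip can be checked offline. It assumes little-endian 32-bit fields (the page does not state the byte order) and uses the field names from the "?" entries in the table, which are guesses, not confirmed names. Note that the metadata key is the file key rotated left by two bytes; `find_key_phase` uses that property to detect a misaligned key when the de-obfuscated data does not start with an expected signature.

```python
"""Parsing helpers for the Kaspersky Quarantine File layout described above.

Field names are tentative (they mirror the '?' entries in the header table);
byte order is ASSUMED little-endian because the page does not state it.
"""
import struct

# 8-byte repeating XOR keys documented on the page.
FILE_XOR_KEY = bytes.fromhex("e24548ec690e5cac")
METADATA_XOR_KEY = bytes.fromhex("48ec690e5cace245")

HEADER_SIZE = 64

# (tentative name, offset) for the 4-byte fields listed in the header table.
HEADER_FIELDS = (
    ("file_data_offset", 8),   # "header size or offset to quarantined file data?"
    ("metadata_offset", 16),   # "offset to metadata?"
    ("metadata_size", 32),     # "size of metadata?"
    ("header_size", 40),       # "header size?"
    ("file_data_size", 48),    # "quarantined file size?"
)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`; XOR is its own inverse, so the
    same call obfuscates and de-obfuscates."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def parse_header(blob: bytes) -> dict:
    """Read the tentatively identified 32-bit fields from the 64-byte header."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("quarantine file shorter than the 64-byte header")
    return {name: struct.unpack_from("<I", blob, off)[0] for name, off in HEADER_FIELDS}


def _region(blob: bytes, start: int, size: int) -> bytes:
    # Bounds check before slicing so a corrupt header cannot silently yield a
    # truncated region.
    if start < HEADER_SIZE or start + size > len(blob):
        raise ValueError("region [%d, %d) lies outside the container" % (start, start + size))
    return blob[start:start + size]


def extract_quarantined_file(blob: bytes) -> bytes:
    """Locate the obfuscated file data through the header and de-obfuscate it."""
    hdr = parse_header(blob)
    return xor_with_key(_region(blob, hdr["file_data_offset"], hdr["file_data_size"]), FILE_XOR_KEY)


def extract_metadata(blob: bytes) -> bytes:
    """De-obfuscate the metadata region with the rotated key."""
    hdr = parse_header(blob)
    return xor_with_key(_region(blob, hdr["metadata_offset"], hdr["metadata_size"]), METADATA_XOR_KEY)


def find_key_phase(data: bytes, expected_prefix: bytes, key: bytes = FILE_XOR_KEY):
    """Return the byte rotation of `key` that makes `data` start with
    `expected_prefix` (e.g. b"MZ"), or None.  Useful when the data offset
    interpretation is off by a few bytes and the key is therefore misaligned."""
    for phase in range(len(key)):
        rotated = key[phase:] + key[:phase]
        if xor_with_key(data[:len(expected_prefix)], rotated) == expected_prefix:
            return phase
    return None


def build_sample_container(payload: bytes, metadata: bytes) -> bytes:
    """Construct a container following the layout above (constructed test
    data, NOT a real quarantine file): header, obfuscated file, obfuscated metadata."""
    header = bytearray(HEADER_SIZE)
    file_off = HEADER_SIZE
    meta_off = file_off + len(payload)
    struct.pack_into("<I", header, 8, file_off)
    struct.pack_into("<I", header, 16, meta_off)
    struct.pack_into("<I", header, 32, len(metadata))
    struct.pack_into("<I", header, 40, HEADER_SIZE)
    struct.pack_into("<I", header, 48, len(payload))
    return bytes(header) + xor_with_key(payload, FILE_XOR_KEY) + xor_with_key(metadata, METADATA_XOR_KEY)


if __name__ == "__main__":
    # Constructed sample: a fake PE stub and a fake original path as metadata.
    sample = build_sample_container(b"MZ" + b"\x90" * 30, b"C:\\example\\dropper.exe\x00")
    print(parse_header(sample))
    print(extract_quarantined_file(sample)[:2], extract_metadata(sample))
    print("key phase for MZ:", find_key_phase(sample[HEADER_SIZE:], b"MZ"))
```

Because XOR with a fixed key preserves plaintext structure, a region that de-obfuscates to a plausible signature (such as `MZ` for a Windows executable) is a quick sanity check that the offset and key alignment are correct; `find_key_phase` returns 0 for correctly aligned data and a non-zero rotation when the start offset is off.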
Date and time values
The date and time values in the metadata are stored as a count of 10 ns intervals since January 1, year 1, 00:00:00 local time.
E.g. the timestamp 0x582db22720fb9bc9 (the integer division keeps full precision):

```python
import datetime

print(datetime.datetime(1, 1, 1) + datetime.timedelta(microseconds=0x582db22720fb9bc9 // 100))
# 2014-06-25 15:01:44.164668
```
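The conversion above, as an added example (not code from the wiki) generalised into reusable functions: a decoder that uses integer arithmetic only, the inverse conversion, a reader for the raw 8 bytes (little-endian is an assumption, the page does not state the byte order), and a float-based variant that shows why integer division matters: at this magnitude a Python float has a spacing of 8 microseconds, so `value / 100` silently shifts the result by a few microseconds.

```python
import datetime

EPOCH = datetime.datetime(1, 1, 1)   # January 1, year 1, 00:00:00 (local time per the page)
TICKS_PER_MICROSECOND = 100          # one tick is 10 ns


def ticks_to_datetime(ticks: int) -> datetime.datetime:
    """Convert a 10 ns tick count since 0001-01-01 into a naive datetime.
    Uses integer arithmetic only; the sub-microsecond remainder is dropped."""
    if ticks < 0:
        raise ValueError("tick count must be non-negative")
    micros = ticks // TICKS_PER_MICROSECOND
    return EPOCH + datetime.timedelta(microseconds=micros)


def datetime_to_ticks(dt: datetime.datetime) -> int:
    """Inverse of ticks_to_datetime (microsecond resolution)."""
    delta = dt - EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def ticks_from_bytes(raw: bytes, byteorder: str = "little") -> int:
    """Read the 8-byte on-disk value; little-endian is an ASSUMPTION."""
    if len(raw) < 8:
        raise ValueError("need 8 bytes")
    return int.from_bytes(raw[:8], byteorder)


def ticks_to_datetime_float(ticks: int) -> datetime.datetime:
    """The same conversion done with true division, kept only to show the
    precision loss: ticks / 100 is rounded to a float before timedelta sees it."""
    return EPOCH + datetime.timedelta(microseconds=ticks / TICKS_PER_MICROSECOND)


if __name__ == "__main__":
    sample = 0x582db22720fb9bc9          # the value from the page
    print("integer :", ticks_to_datetime(sample))
    print("float   :", ticks_to_datetime_float(sample))
    print("round-trip ticks:", hex(datetime_to_ticks(ticks_to_datetime(sample))))
    print("from bytes:", ticks_to_datetime(ticks_from_bytes(sample.to_bytes(8, "little"))))
```

The integer path reproduces the page's result exactly (15:01:44.164668); the float path lands on .164672, which is enough to make a timeline entry disagree with other artefacts by a few microseconds.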