Wednesday, June 6, 2007

Extracting quarantined files from Norton 7.5 in EnCase

When Norton 7.5 (Corporate) locates a file it recognizes as malware and quarantine is enabled, it encrypts that file using XOR and renames it with a .VBN extension. During an investigation it is important to examine the quarantine logs and extract any quarantined files so you can obtain a hash and perform an analysis.

Once a file has been quarantined by Norton (and XOR encrypted) it will not be found by an external AV scan or by any type of hash analysis, because the bytes on disk are now in an XOR encrypted state rather than the original file.

This EnScript recurses through the evidence for any files with a .VBN extension, decrypts each one and exports it so you can scan it or obtain a hash.
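The same workflow written in Python, added here as an example and not the EnScript from the post: it walks a directory for .VBN files, XOR-decodes each one, sanity-checks that the result looks like a Windows executable, hashes it and exports it. The single-byte key value, the `.decoded` output name and the assumption that the quarantined file starts at offset 0 are mine; confirm the key and any metadata header Norton stores in front of the file against a known sample before relying on the hashes.

```python
import hashlib
from pathlib import Path

# Assumed single-byte XOR key. The post says quarantined files are XOR
# encrypted but does not give the key; confirm it against a known sample.
DEFAULT_XOR_KEY = 0x5A

def xor_decode(data: bytes, key: int = DEFAULT_XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """Sanity check: a correctly decoded Windows executable starts with 'MZ'."""
    return data[:2] == b"MZ"

def analyze(data: bytes, key: int = DEFAULT_XOR_KEY) -> dict:
    """Decode a quarantined blob and return the hashes an analyst needs."""
    plain = xor_decode(data, key)
    return {
        "decoded": plain,
        "md5": hashlib.md5(plain).hexdigest(),
        "sha256": hashlib.sha256(plain).hexdigest(),
        "pe_header": looks_like_pe(plain),
    }

def process_quarantine(root: Path, dest_dir: Path, key: int = DEFAULT_XOR_KEY) -> list:
    """Walk root for .VBN files, decode each, export it and collect the hashes."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    results = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".vbn":
            info = analyze(path.read_bytes(), key)
            out = dest_dir / (path.stem + ".decoded")   # assumed output naming
            out.write_bytes(info.pop("decoded"))
            info.update(source=str(path), exported=str(out))
            results.append(info)
    return results

# Constructed stand-in for a quarantined file: a fake PE stub, XOR-encoded
# the way the post describes Norton storing it. Not real malware.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 20
CONSTRUCTED_VBN = xor_decode(FAKE_PE, DEFAULT_XOR_KEY)

if __name__ == "__main__":
    r = analyze(CONSTRUCTED_VBN)
    print("PE header ok:", r["pe_header"], "sha256:", r["sha256"])
```

If `pe_header` comes back False for every file, the key or the offset of the file data inside the .VBN container is wrong for your Norton build; the hashes are only meaningful once the decoded bytes match a known-good sample.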

