I have a question pertaining to the nomenclature of ClamAV scanning hits.
When a suspect artifact is discovered in unallocated space on a mounted image of a physical drive, how does ClamAV identify the path of the hit?
An example of "Details" in the File History follows:
=====================
Event Type
Quarantine Failed
Detection Name
W32.Damaged_File
File Path
G:\\[unallocated space]\03021640\03388100
Date
6/3/2012 11:00:00 AM
=====================
Specifically, what do the numbers mean in "File Path"? Are they the starting and ending physical sectors of the image (e.g., using the above example, does 03021640 represent the starting location in bytes, sectors or clusters, while 03388100 represents the ending location?)
This would be extremely helpful in carving artifacts from unallocated space for further analysis.
Thanks, in advance, for your assistance.
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
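Since the post leaves open whether the two numbers are byte, sector or cluster offsets, the following added helper (not part of the original message, and not ClamAV code) parses the `[unallocated space]\first\second` path shape shown above and carves the candidate region from a raw image under an explicitly chosen unit size, returning the data and its SHA-256 so it can be compared across interpretations. The function names, the `unit` parameter and the in-memory sample image are assumptions constructed for this example; the page does not confirm which unit ClamAV uses.

```python
import hashlib
import re
from typing import Dict, Any

# Matches the tail of the path shape quoted in the post:
#   G:\\[unallocated space]\03021640\03388100
# Group 1 is the first number, group 2 the second.
PATH_RE = re.compile(r"\[unallocated space\]\\(\d+)\\(\d+)$")

# Constructed sample image (1024 bytes) standing in for a raw disk image.
SAMPLE_IMAGE = bytes(range(256)) * 4

# Constructed sample hit path using small offsets that fit the sample image.
SAMPLE_PATH = r"G:\\[unallocated space]\00000016\00000032"


def parse_unallocated_path(path: str) -> Dict[str, int]:
    """Extract the two numbers from an unallocated-space hit path."""
    m = PATH_RE.search(path)
    if not m:
        raise ValueError(f"not an unallocated-space hit path: {path!r}")
    first, second = int(m.group(1)), int(m.group(2))
    if second < first:
        raise ValueError("second number is smaller than the first; not a start/end pair")
    return {"first": first, "second": second}


def carve_region(image: bytes, first: int, second: int, unit: int = 1) -> bytes:
    """Carve [first, second) from an in-memory image.

    ASSUMPTION: the numbers are a start and an end expressed in `unit`-sized
    blocks (1 = bytes, 512 = sectors, 4096 = typical NTFS cluster). Pass the
    unit you are testing; the page itself does not say which one applies.
    """
    start, end = first * unit, second * unit
    if end > len(image):
        raise ValueError(f"region {start}-{end} extends past end of image ({len(image)} bytes)")
    return image[start:end]


def carve_hit(image: bytes, hit_path: str, unit: int = 1) -> Dict[str, Any]:
    """Parse a hit path, carve the region, and hash it for later comparison."""
    nums = parse_unallocated_path(hit_path)
    data = carve_region(image, nums["first"], nums["second"], unit)
    return {
        "offset": nums["first"] * unit,
        "length": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "data": data,
    }


def carve_hit_from_file(image_file: str, hit_path: str, unit: int = 1) -> Dict[str, Any]:
    """Same as carve_hit, but seeks inside an on-disk raw image instead of
    loading it into memory (hypothetical helper for real-sized images)."""
    nums = parse_unallocated_path(hit_path)
    start, end = nums["first"] * unit, nums["second"] * unit
    with open(image_file, "rb") as fh:
        fh.seek(start)
        data = fh.read(end - start)
    if len(data) != end - start:
        raise ValueError("region extends past end of image file")
    return {
        "offset": start,
        "length": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "data": data,
    }


if __name__ == "__main__":
    # Try each candidate unit against the sample; the ones that do not fit
    # the image are reported rather than silently producing garbage.
    for unit in (1, 512, 4096):
        try:
            r = carve_hit(SAMPLE_IMAGE, SAMPLE_PATH, unit)
            print(f"unit={unit}: offset={r['offset']} length={r['length']} sha256={r['sha256']}")
        except ValueError as exc:
            print(f"unit={unit}: {exc}")
```

Running it with each unit in turn is a quick way to see which interpretation yields a region that actually lies inside the image and produces a sensible artifact; any region that runs off the end of the image rules that unit out for that hit.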