DeXRAY – decrypt Quarantine files for forensics

DeXRAY is a private tool that turned public a few years ago. It can help a digital forensic examiner to decrypt some AV Quarantine files. Here is the full list of supported or recognized file formats:

ASquared (EQF)
ESET (NQF)
Fortinet (Magic@0=0B AD) – not handled yet; only recognized
Kaspersky (KLQ) – based on the code by Optiv
MalwareBytes Data files (DATA)
MalwareBytes Quarantine files (QUAR)
McAfee Quarantine files (BUP) – not perfect, but it should still help
SUPERAntiSpyware (SDB)
Symantec Quarantine Data files (QBD)
Symantec Quarantine files (VBN) – not perfect, but it should still help
Symantec Quarantine Index files (QBI)
TrendMicro (Magic@0=A9 AC BD A7 which is ‘VSBX’ string ^ 0xFF) – based on the code by Optiv
Any binary file (using X-RAY scanning)

kav

For more info check the Hexacorn blog.

[su_button url=”http://hexacorn.com/download.php?f=DeXRAY.pl” target=”blank” style=”flat” background=”#222348″ size=”7″ radius=”0″]Download DeXRAY[/su_button]

DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAWFIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.