This post will focus on record type 0 VBN's. Record type 0 VBN's also contain quarantine data. I recently discovered these files which lead to figuring out how to tell the different VBN files apart. I am unsure of what causes the different record types. Record type 0 starts out like any other VBN with the VBN Metadata structure. After that, they contain their own unique structures as follows:
- QData Location (XORed with 0x5A) *Optional
- Quarantine Data (XORed with 0x5A)
- QData Info (XORed with 0x5A) *Optional
QData Location
The QData Location structure contains the offset to the quarantine data, size of the structure, the size of the QData Info structure and some unknown data that has always been all 0's, in my case.
If we add together the the first four bytes of the VBN Metadata and the Quarantine Data Offset, this will bring us to the Quarantine Data. (Unless QData Location is not present, we would already be there)
Quarantine Data
Unlike with record type 2 VBN's, the quarantine data is not divided into chunks. The data will be stored as it was on disk. Making it much easier to extract the data.
QData Info
Record Type 0
QData Location (Optional)
| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 8 | Header | QData location header, 00000006aaaa20ce |
| 8 | 8 | Quarantine Data Offset | Offset to start of quarantine data |
| 16 | 8 | QData Location Size | Size of QData Location |
| 24 | 4 | QData Info Size | Size of QData Info from end of quarantine data to EOF |
| 28 | Data Offset - 28 | Unknown | Will require further investigation as to the purpose of this entry. |
Quarantine Data
| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | Varies | Data | Quarantine data |
QData Info (Optional)
| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 8 | Header | QData info header |
| 8 | 8 | QData Info Size | Size of QData info |
| 16 | QData Info Size - 16 | QData | Additional information about the quarantine data |
No comments:
Post a Comment