1 Reply Latest reply on Aug 14, 2012 4:39 PM by wwarren

    Quarantining a file alters it making any attempt to research how it got there much harder

We are trying to find how the systems on the network get infected. In trying to find the source of the infection we want to see the infected file as it was discovered in the VSE software. Even when restoring the file from quarantine the dates and times have been altered. We want to see the original timestamp that the file had. Am I looking in the wrong place for the answer? Seeing the date that the file was placed on the system allows us to see what was being done at that time and what other files were written around it. Any ideas out there?

        • 1. Re: Quarantining a file alters it making any attempt to research how it got there much harder
          wwarren

          This is a forensic data point that VSE does not keep track of, except to log for you when the detection occurred, where the file was located, which process touched the infected file (doesn't say if it was Writing it or Reading it but that can often be inferred), and the account the process was running as (be it the logged on user or System account, etc).


          I've seen the request made before that we at least capture whether it was a Read or Write operation, since that'll potentially halve the effort for determining original timestamp on the file.


Tracking that type of contextual information in real-time, or logging it all, may be hard to do without killing performance and/or bloating memory usage; and trying to obtain the info "after the fact" when detection has occurred... seems plausible assuming we have a buffer or recent history in memory from which to draw. I think it's a great PER to submit.

          Some systems are so active though, it'll be a challenging request to satisfy without a noticeable cost.
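Since VSE itself does not preserve the timestamps the original poster wants, one practical workaround is to capture them yourself before the file is moved, and then use the captured creation time to pull a timeline of other files written around it. The following is an added example written for this thread; it is not VSE code or anything McAfee ships. It assumes you can run a script against the live file (for instance from an on-access detection alert or a scheduled sweep) before quarantine renames it, and the sample file records are constructed with made-up paths and times.

```python
"""Added example (not from the original thread or from VSE): snapshot a
suspect file's timestamps into a sidecar record that survives quarantine,
and list other files created or modified around the suspect's creation
time so an analyst can see what else landed on the system at that moment.
"""
import json
import os
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FileTimes:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def snapshot_times(path: str) -> FileTimes:
    """Capture the live file's timestamps (run this BEFORE the AV moves it).

    Assumption: on Windows, Python exposes the NTFS creation time as
    st_ctime (and st_birthtime on newer versions); on other platforms
    st_ctime is the inode-change time, so prefer st_birthtime when present.
    """
    st = os.stat(path)
    created = getattr(st, "st_birthtime", st.st_ctime)
    utc = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return FileTimes(path, utc(created), utc(st.st_mtime), utc(st.st_atime))


def to_sidecar_json(ft: FileTimes) -> str:
    """Serialise the record so it can be stored next to the quarantine item."""
    d = asdict(ft)
    for key in ("created", "modified", "accessed"):
        d[key] = d[key].isoformat()
    return json.dumps(d, sort_keys=True)


def from_sidecar_json(text: str) -> FileTimes:
    """Inverse of to_sidecar_json; timestamps come back as aware datetimes."""
    d = json.loads(text)
    for key in ("created", "modified", "accessed"):
        d[key] = datetime.fromisoformat(d[key])
    return FileTimes(**d)


def timeline_near(suspect: FileTimes, others, window: timedelta):
    """Return (time, label, path) events for files whose creation or
    modification time falls within +/- window of the suspect's creation
    time, oldest first. A file created and modified at the same instant
    yields one 'created+modified' event rather than two."""
    lo, hi = suspect.created - window, suspect.created + window
    events = []
    for f in others:
        if f.path == suspect.path:
            continue  # the suspect itself is the anchor, not a neighbour
        stamps = {}
        for label, t in (("created", f.created), ("modified", f.modified)):
            if lo <= t <= hi:
                stamps.setdefault(t, []).append(label)
        for t, labels in stamps.items():
            events.append((t, "+".join(labels), f.path))
    events.sort()
    return events


def _utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data: a dropped installer plus a few neighbouring files.
SUSPECT = FileTimes(r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                    _utc(2012, 8, 14, 15, 2, 10), _utc(2012, 8, 14, 15, 2, 10),
                    _utc(2012, 8, 14, 15, 2, 12))
SAMPLE_FILES = [
    SUSPECT,
    FileTimes(r"C:\Users\alice\Downloads\invoice.pdf",
              _utc(2012, 8, 14, 15, 1, 40), _utc(2012, 8, 14, 15, 1, 40),
              _utc(2012, 8, 14, 15, 1, 55)),
    FileTimes(r"C:\Windows\Temp\svc.dll",
              _utc(2012, 8, 14, 15, 2, 30), _utc(2012, 8, 14, 15, 2, 30),
              _utc(2012, 8, 14, 15, 2, 30)),
    FileTimes(r"C:\Windows\System32\drivers\etc\hosts",
              _utc(2009, 7, 14, 2, 0, 0), _utc(2012, 8, 14, 15, 3, 5),
              _utc(2012, 8, 14, 15, 3, 5)),
    FileTimes(r"C:\Program Files\App\app.exe",
              _utc(2011, 1, 1, 9, 0, 0), _utc(2011, 1, 1, 9, 0, 0),
              _utc(2012, 8, 1, 8, 0, 0)),
]


if __name__ == "__main__":
    record = to_sidecar_json(SUSPECT)
    print("sidecar:", record)
    for t, label, path in timeline_near(from_sidecar_json(record),
                                        SAMPLE_FILES, timedelta(minutes=5)):
        print(t.isoformat(), label, path)
```

In practice the `SAMPLE_FILES` list would come from walking the volume (or from a `$MFT` parse) with `snapshot_times`, and the sidecar JSON would be written alongside the quarantine record so the original creation time is not lost when VSE moves the file. Note that a file's own creation time can be set by the thing that dropped it, so treat it as a lead for correlating with logs and neighbouring files rather than as proof on its own.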