Need Info about structure of Symantec Quarantine Files (*.vbn)
I am working on an incident where the suspect might have used some sort of trojan.
For whatever reason the quarantine folder was touched. If I try to extract the suspicious file out of the quarantine archive with QEXTRACT I only get error messages.
I started to analyze the vbn-files and was able to decrypt the XOR.
However, I cannot see where the quarantined file itself starts inside the vbn-data.
I would REALLY appreciate it if someone could give me a hint as to whether there is an offset stored to the file-data and where to find it.
Thanks in advance!