Sean.Erickson at us-cert
Jun 4, 2012, 3:41 PM
Post #1 of 1
I have a question pertaining to the nomenclature of ClamAV scanning hits.
ClamAV Event Details Nomenclature
When a suspect artifact is discovered in unallocated space on a mounted image of a physical drive, how does ClamAV identify the path of the hit?
An example of "Details" in the File History follows:
6/3/2012 11:00:00 AM
Specifically, what do the numbers mean in "File Path"? Are they the starting and ending physical sectors of the image (e.g., using the above example, does 03021640 represent the starting location in bytes, sectors or clusters, while 03388100 represents the ending location)?
This would be extremely helpful in carving artifacts from unallocated space for further analysis.
Thanks, in advance, for your assistance.
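The post leaves open whether the two numbers in the ClamAV "File Path" are byte, sector or cluster offsets (and whether they are decimal or hex). The following is an added example, not part of the original post and not ClamAV code: a small Python carving helper that takes the offset pair as integers plus an explicit unit size, and a check that tries each candidate unit and reports which interpretation lands a known file signature at the start offset. The sector size (512), the cluster size (4096), the signature table and the sample image are all assumptions or constructed test data; the caller decides how to parse the ClamAV numbers (e.g. int(s, 10) vs int(s, 16)) before passing them in.

```python
import os
import tempfile

# Assumed unit sizes to try when the meaning of the offsets is unknown.
UNIT_CANDIDATES = (1, 512, 4096)  # bytes, 512-byte sectors, 4 KiB clusters

# Small signature table (assumption: extend with the types you carve for).
MAGICS = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}


def carve_range(image_path, start, end, unit=1):
    """Return the bytes [start*unit, end*unit) from a raw image.

    `start`/`end` are the two offsets from the scanner hit; `unit` is the
    size the caller believes they are expressed in (1 for bytes).
    """
    if end < start:
        raise ValueError("end offset precedes start offset")
    with open(image_path, "rb") as f:
        f.seek(start * unit)
        return f.read((end - start) * unit)


def identify(data):
    """Map the leading bytes of a carved blob to a file type, or None."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def guess_unit(image_path, start, candidates=UNIT_CANDIDATES):
    """Try each candidate unit and report those that place a known
    signature exactly at `start`. Returns {unit: file_type}.

    A single hit is strong evidence for that interpretation; several hits
    or none means you need more context (e.g. the end offset, or the
    filesystem's real cluster size).
    """
    hits = {}
    size = os.path.getsize(image_path)
    with open(image_path, "rb") as f:
        for unit in candidates:
            offset = start * unit
            if offset >= size:  # interpretation runs past the image
                continue
            f.seek(offset)
            kind = identify(f.read(16))
            if kind:
                hits[unit] = kind
    return hits


def build_sample_image(pdf_offset=0x3000):
    """Constructed test data: a zero-filled image with a fake PDF body
    starting at `pdf_offset`. Returns (path, start_byte, end_byte)."""
    body = b"%PDF-1.4\n%constructed sample\n" + b"A" * 200 + b"\n%%EOF\n"
    path = os.path.join(tempfile.mkdtemp(), "sample.img")
    with open(path, "wb") as f:
        f.write(b"\x00" * pdf_offset)
        f.write(body)
        f.write(b"\x00" * 0x1000)
    return path, pdf_offset, pdf_offset + len(body)


if __name__ == "__main__":
    img, start, end = build_sample_image()
    # As bytes: only unit=1 lands on the PDF header.
    print("byte-offset reading:", guess_unit(img, start))
    # The same location expressed in 512-byte sectors.
    print("sector-offset reading:", guess_unit(img, start // 512))
    blob = carve_range(img, start, end, unit=1)
    print("carved", len(blob), "bytes, type:", identify(blob))
```

Run it against the mounted image's raw device or a dd copy rather than the mounted filesystem; the offsets only make sense relative to the start of the image the scanner walked.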