searching for specific exe file
I'm perplexed about the situation I'm facing, perhaps someone could help clarify this for me. A record is found on a user's computer that shows that McAfee attempted to scan an exe file. The McAfee log shows that the exe file was in the user's Temp Internet folder (IE), however this file cannot be found. I'm assuming that it was deleted manually or by group policy but that's only an assumption as I see no indicator of this action. I'm using FTK. I've done a Live Search using the specific exe file name but no results in allocated nor unallocated space. What else should I be looking for? Thanks.
I would look in the quarantine folder. In Vista/Windows 7 it would be in C:\ProgramData\McAfee\VirusScan\Quarantine; in XP the folder is found at C:\Documents & Settings\All Users\Application Data\McAfee\Virusscan. The quarantine folder will have the files with a .bup extension. These files are managed with the McAfee Quarantine Manager. The following KB article includes a reference on how to manually extract a file from a .bup.
How to restore a quarantined file not listed in the VSE Quarantine Manager
Corporate KnowledgeBase ID KB72755
Last Modified September 12, 2011
McAfee VirusScan Enterprise 8.x McAfee VirusScan Enterprise Quarantine Manager component
There may be circumstances where a quarantined file is deleted by VirusScan Enterprise (VSE) before you realize the file needs to be preserved. This could be for submission to McAfee Labs for instance. While you may be able to restore the .BUP file to C:\Quarantine\, the Quarantine Manager will no longer show the quarantined file. Therefore, it cannot be restored using the Quarantine Manager. This article explains how to manually extract information from .BUP files not listed in Quarantine Manager.
To extract files from Quarantine (.BUP) files
Using Windows Explorer, create a temporary folder. In this example C:\SAVE-BUP
Download the 7-Zip file compression utility from http://www.7-zip.org/.
Install the 7-Zip utility and extract the following two files from the .BUP file to C:\SAVE-BUP: File_0 and Details
To decrypt files contained in .BUP files
Download the XOR utility from http://www.softpedia.com/get/Programming/Other-Programming-Files/Xor.shtml.
Extract xor.zip to C:\SAVE-BUP.
Click Start, Run, type cmd, and press ENTER.
Type cd \SAVE-BUP and press ENTER.
Type xor.exe File_0 file_0.xor 0X6A and press ENTER.
Type xor.exe Details Details.txt 0X6A and press ENTER.
NOTE: 0x6A is the encryption key used.
Rename File_0.xor to the original name found in the Details file.
Related Information For more information on the 7-ZIP file compression utility, see KB72766.
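The xor.exe steps in that KB article, as an added Python example (not from the forum posters or McAfee): it applies the 0x6A key to constructed sample bytes standing in for File_0 and Details, and reads the original file name out of the decoded Details text. The INI-style [File_0] section with an OriginalName key is an assumption about the Details layout; adjust it to match a real sample.

```python
import configparser

XOR_KEY = 0x6A  # single-byte key named in the KB article


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def original_name_from_details(details_text: str):
    """Return the OriginalName value from a decoded Details file, or None.

    Assumption: Details is INI-style and some section (e.g. [File_0]) carries
    an OriginalName key. strict=False tolerates repeated keys in real samples.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(details_text)
    for section in parser.sections():
        if parser.has_option(section, "OriginalName"):
            return parser.get(section, "OriginalName")
    return None


# Constructed sample input: plain text encoded here with the same key, so the
# bytes look like what 7-Zip would pull out of a .BUP. Not a real quarantine file.
SAMPLE_DETAILS_PLAIN = (
    "[Details]\n"
    "DetectionName=Constructed.Sample\n"
    "[File_0]\n"
    "OriginalName=C:\\Users\\user\\Temporary Internet Files\\sample.exe\n"
)
ENCODED_DETAILS = xor_decode(SAMPLE_DETAILS_PLAIN.encode("utf-8"))
ENCODED_FILE_0 = xor_decode(b"MZ\x90\x00constructed-not-a-real-exe")


def recover(encoded_file_0: bytes, encoded_details: bytes):
    """Decode both quarantine members; returns (original_name, payload_bytes)."""
    details = xor_decode(encoded_details).decode("utf-8", errors="replace")
    payload = xor_decode(encoded_file_0)
    return original_name_from_details(details), payload


if __name__ == "__main__":
    name, payload = recover(ENCODED_FILE_0, ENCODED_DETAILS)
    print("original name:", name)
    print("payload starts with:", payload[:2])
```

For a real case, read the File_0 and Details members 7-Zip extracted and pass their bytes to recover(); the decoded payload is what you would save under the recovered name for hashing or submission.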
You might also want to check out the restore points or shadow copies, depending on the version of Windows you're examining.
Do you have a copy of the file you are looking for? If so, try a binary search for data from the file. A string of 20 bytes should be long enough to find a hit and not too many false positives. Every hit will need to be verified just in case you have a false positive.
With this technique you may find a file that was deleted, and the MFT entry has been re-used.
You will not find a file that has been overwritten.
1. The Quarantine folder is empty
2. I do not have a copy of the exe file to do the binary search
3. I cannot find any restore points.
Thanks for all the suggestions. Any other ideas?
Was there a time stamp in the McAfee log?
How old was the record compared to the time the disk was acquired?
Was there anything else in the log? e.g. file size?
With the name, approx date and size, maybe you can find the same file online. Having a copy of the file might then help you find any remnants of the file on the local machine.
Maybe IE deleted the file as part of the normal clean up of cached files.
Nothing else, no file size.
If IE deleted it wouldn't there be a record of this action? If yes, where would I find it?
You could look at IE's web site history.
Maybe you can find the web page on which the file was downloaded from?
I determined that the user clicked on a link inside their webmail account (found link in IE history file) and that's what downloaded the file.