IMHO.
docflied wrote:
"The directory DIR was used to store numerous files believed to contain X, Y and Z file types.
This is "vague" and not entirely accurate: "believed" by WHOM, and WHY?
Also the sentence may make sense ONLY if the "numerous files" are "container" files, such as .zip or .rar or similar.
docflied wrote:
Files are: meaningfullname1 to meaningfullname10
The above files were known to have been present in the directory. File system timestamps indicate that they were last accessed around HH:NN on D Month Year and deleted around HH:NN on D Month Year.
Investigators have attempted carving these files from free space on the system to determine their contents; however, the files were unrecoverable. Some of these files may have been present for legitimate purposes.
This is most probably the result of finding traces of activity and/or fragments of directory listings, nothing "strange" in that.
docflied wrote:
This directory was also used to store malicious files: meaningfullname11 to meaningfullname16K. Due to the files' metadata having been overwritten, the initial date of their presence and their deletion date are unknown."
This is more "strange".
Have the actual files been recovered?
If yes, including their filenames (but without any metadata) :o ?
Or have the filenames been recovered (but not the files)?
If the latter, to play devil's advocate, I can make a file named:
virus_that_will_destroy_the_internet.exe
with inside it just a plain "Hello World!".
If - by any chance - a "real" virus with that exact filename actually exists, that does not automatically mean that the file on my computer is necessarily malicious or the same file.
As always, though I do understand how privacy (or whatever) reasons prevent you from posting the EXACT contents of the report, this way there is a concrete risk that what you posted is not accurate, in the sense that it is a partial (and "simplified" or "dumbified") version of the report, and the observations I made above only apply to the posted version and not to the "real thing".
jaclaz
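To make the filename-versus-content point above concrete, here is an added Python example (not part of jaclaz's post, nor of the report under discussion): it identifies a recovered file by the SHA-256 of its content and treats a matching filename on its own as no evidence of what the file is. The known-bad hash set, the sample bytes and the two files the demo creates are all constructed for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed reference data for the demo. In a real examination the hash set
# would come from a malware / threat-intel database; these bytes are invented.
KNOWN_BAD_BYTES = b"CONSTRUCTED SAMPLE - NOT REAL MALWARE"
KNOWN_BAD_HASHES = {
    hashlib.sha256(KNOWN_BAD_BYTES).hexdigest(): "constructed-sample-1",
}
# Filenames that reports or signatures associate with known-bad samples.
# A name is a hint at best: anyone can give any file any name.
KNOWN_BAD_NAMES = {"virus_that_will_destroy_the_internet.exe"}


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of the content; this, not the name, identifies a file."""
    return hashlib.sha256(data).hexdigest()


def classify_bytes(name: str, data: bytes,
                   known_hashes=KNOWN_BAD_HASHES,
                   known_names=KNOWN_BAD_NAMES):
    """Return (verdict, sha256) for a recovered file.

    'content-match' : the content hash is in the known-bad set (name irrelevant)
    'name-only'     : only the filename matches; the content does not, so the
                      file is NOT shown to be the known sample
    'unknown'       : neither name nor content matches anything known
    """
    digest = sha256_bytes(data)
    if digest in known_hashes:
        return "content-match", digest
    if Path(name).name in known_names:
        return "name-only", digest
    return "unknown", digest


def classify_file(path):
    """Path-based wrapper: hash the file on disk and classify it."""
    p = Path(path)
    return classify_bytes(p.name, p.read_bytes())


def demo():
    """Create two constructed files in a temp dir and classify both."""
    with tempfile.TemporaryDirectory() as d:
        # The scary name with harmless content (the devil's-advocate case).
        scary = Path(d) / "virus_that_will_destroy_the_internet.exe"
        scary.write_bytes(b"Hello World!")
        # The known-bad content hiding under an innocent name.
        innocent = Path(d) / "notes.txt"
        innocent.write_bytes(KNOWN_BAD_BYTES)
        return {
            scary.name: classify_file(scary)[0],
            innocent.name: classify_file(innocent)[0],
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run as a script it prints `name-only` for the scary-named "Hello World!" file and `content-match` for the innocently named copy of the constructed sample, which is exactly why a report that names files without having recovered their contents cannot call them malicious on the strength of the name alone.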