Investigating Windows Kaspersky Antivirus
23/12/2022 Friday
Kaspersky Antivirus is a Russian based anti-virus protection software that uses a combination of signature-based malware detection, advanced machine learning along with a cloud based security database. It offer its users maximum protection from various types of threats including viruses, worms, ransomwares and many others.
Digital Forensics Value of Kaspersky Antivirus
Kaspersky Antivirus is one of the most popular antivirus software around the world and it has the largest market share in Europe. Given its popularity and wide usage, it is considered an important source of evidentiary information as it enables us to collect valuable information about the course of events and the threats detected on a system.
Location and Structure of Kaspersky Antivirus Artifacts
By default, artifacts left behind by Kaspersky Antivirus are stored in the following location:
C:\ProgramData\Kaspersky Lab\AVP21.3\Data
*AVP21.3 might be named differently according to the version number
Analyzing Kaspersky Antivirus Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Kaspersky Antivirus artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Kaspersky Antivirus artifacts:
×
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows Kaspersky Antivirus artifacts in ArtiFast.
Kaspersky Report Artifact
- Detection Session ID - The ID of the scanning session that the threat was detected in.
- Threat Verdict ID - The ID number of the type of threat detected.
- Threat Verdict - The name of the threat.
- Threat Object ID - The ID number of the path of the infected file.
- Object Name - The path of the infected file.
- Detection ID - ID of the detection in scan.
- Date - The time and date when the threat was detected.
For more information or suggestions please contact: [email protected]
