Windows Defender Quarantine & DetectionHistory

Tags: windows, Execution Evidence, Disk Image

Location

C:\ProgramData\Microsoft\Windows Defender\Quarantine\ and C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\

Description

Windows Defender quarantine directory containing encrypted copies of detected malware (ResourceData) and detection metadata (DetectionHistory) recording threat name, file path, detection time, user context, and remediation action taken.

Forensic Value

Defender quarantine preserves the original malware sample even after it was removed from its original location, enabling full malware analysis. The ResourceData files can be decrypted to recover the exact binary for reverse engineering and hash-based threat intelligence correlation. DetectionHistory files provide structured detection metadata showing what was detected, where, and when. This is invaluable when the attacker deletes the original malware after detection.
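The following PowerShell script is an added example, not part of the original artifact entry or any of the listed tools. It collects both locations named above from a live host, records size, timestamps and SHA-256 for every file before copying (so the collection itself is documented), and then pulls Defender's own detection records with the built-in Get-MpThreatDetection and Get-MpThreat cmdlets so they can be correlated with the DetectionHistory files. The output directory is an assumed placeholder; the ResourceData blobs are copied as-is and left for offline decryption with a dedicated quarantine decryptor.

```powershell
#Requires -RunAsAdministrator
# Added example: triage collection of Windows Defender quarantine and DetectionHistory
# artifacts. Artifact paths are those named in the entry; $OutDir is an assumed placeholder.
param(
    [string]$OutDir = 'C:\Triage\DefenderArtifacts'   # assumed placeholder, change as needed
)

$QuarantineDir = 'C:\ProgramData\Microsoft\Windows Defender\Quarantine'
$HistoryDir    = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Inventory every file under both locations with timestamps and SHA-256 before copying.
#    Note: the hash of a ResourceData file is the hash of the encrypted quarantine blob,
#    not of the original sample; the sample hash is only known after decryption.
$inventory = foreach ($dir in @($QuarantineDir, $HistoryDir)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force | ForEach-Object {
        [pscustomobject]@{
            Path        = $_.FullName
            SizeBytes   = $_.Length
            CreatedUtc  = $_.CreationTimeUtc
            ModifiedUtc = $_.LastWriteTimeUtc
            Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}
$inventory | Export-Csv -LiteralPath (Join-Path $OutDir 'defender_artifact_inventory.csv') -NoTypeInformation

# 2. Copy both directories intact. ResourceData stays encrypted; decrypt it offline.
foreach ($dir in @($QuarantineDir, $HistoryDir)) {
    if (Test-Path -LiteralPath $dir) {
        $dest = Join-Path $OutDir (Split-Path $dir -Leaf)
        Copy-Item -LiteralPath $dir -Destination $dest -Recurse -Force
    }
}

# 3. Capture Defender's own record of the same detections (threat ID, affected resources,
#    detection and status-change times, user context, remediation result) for correlation
#    with the DetectionHistory files collected above.
Get-MpThreatDetection |
    Select-Object DetectionID, ThreatID, InitialDetectionTime, LastThreatStatusChangeTime,
                  RemediationTime, ProcessName, DomainUser, ActionSuccess,
                  CurrentThreatExecutionStatusID,
                  @{ n = 'Resources'; e = { $_.Resources -join ';' } } |
    Export-Csv -LiteralPath (Join-Path $OutDir 'mp_threat_detection.csv') -NoTypeInformation

# Threat IDs above map to names/severity through Get-MpThreat.
Get-MpThreat |
    Select-Object ThreatID, ThreatName, SeverityID, CategoryID, IsActive, DidThreatExecute |
    Export-Csv -LiteralPath (Join-Path $OutDir 'mp_threat.csv') -NoTypeInformation

Write-Host "Collected $($inventory.Count) artifact files to $OutDir"
```

Run it from an elevated prompt; the quarantine directory is not readable by standard users. The inventory CSV is written before the copy so that later hash comparison can show whether any file changed during acquisition, and the two Get-Mp* exports give the threat name, user context and remediation action in structured form without needing to parse the DetectionHistory binaries on the live host.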

Tools Required

KAPE, Defender Quarantine Decryptor, PowerShell, mplog-parser