Monday, September 3, 2007

Find files based solely on the name - EnScript

I recently read a post on a listserv asking if there was any easy way to find files in an EnCase evidence file based on just the filename and then export those files out. This can easily be accomplished by creating a condition and then when applied, only the files matching the filename(s) you specified will be displayed. The files can then be selected (blue checked) and then exported out.

But what if your filename list contains 5000+ filenames? Well, I tried to create a condition with that many filenames and EnCase choked. That's because it actually writes the filenames that you paste into the text box into the code the condition makes, thus causing several thousand lines of code to be created.

So I wrote an EnScript that does this pretty quickly: it reads a simple (non-Unicode) text file containing one filename per line, recurses through all the loaded evidence, and bookmarks any files that match the filename(s) you provided in the text file. I added an "Export" check box that, if selected, will automatically export the found files to the default export folder. It will also hash the found files and, when exporting, rename each file to the original filename with the hash appended, so you can sort in Windows Explorer and see whether two or more files with the same name are duplicates or different.

When run, the following dialog box will require you to point to a text file containing the filename(s) you wish to locate, and then a name of a bookmark folder you wish to create (the default is the name of the script with the date & time):



Once run, the EnScript will bookmark any files that match the filename(s) you provided (it is not case sensitive). If you select the export option then it will export every occurrence of the file that matches the filename list you provided and then hash the file and append the hash to the filename (the number on the end is just a counter for uniqueness):



The console will report how many filenames were read from the file you provided and the full path of the files that match.
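As an added illustration (not the EnScript from the post, but a Python stand-in that treats a mounted directory tree as the evidence), the same workflow: read the name list, match basenames case-insensitively, hash each hit and export it under the original name with the hash and a uniqueness counter appended. The `<stem>_<md5>_<n><ext>` naming scheme and the constructed sample tree in `demo()` are assumptions, not taken from the script.

```python
import hashlib
import os
import shutil
import tempfile

def load_name_list(path):
    """Read one filename per line from a plain (non-Unicode) text file; blank lines skipped, lower-cased."""
    with open(path, "r", encoding="ascii") as fh:
        return {line.strip().lower() for line in fh if line.strip()}

def find_matches(root, wanted):
    """Walk root recursively and return files whose basename is in the list, ignoring case."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in wanted)
    return sorted(hits)

def export_with_hash(hits, export_dir):
    """Copy each hit to export_dir as <stem>_<md5>_<n><ext>; n is only a uniqueness counter (assumed naming)."""
    os.makedirs(export_dir, exist_ok=True)
    exported = []
    for n, src in enumerate(hits, start=1):
        with open(src, "rb") as fh:
            digest = hashlib.md5(fh.read()).hexdigest()
        stem, ext = os.path.splitext(os.path.basename(src))
        dst_name = f"{stem}_{digest}_{n}{ext}"
        shutil.copy2(src, os.path.join(export_dir, dst_name))
        exported.append((src, digest, dst_name))
    return exported

def demo():
    """Constructed sample: one tool name in two places (same bytes), one other tool, one benign file."""
    root = tempfile.mkdtemp(prefix="evidence_")
    sample = {"sys32/pwdump.exe": b"tool-A", "temp/PWDUMP.EXE": b"tool-A",
              "temp/fport.exe": b"tool-B", "docs/readme.txt": b"nothing here"}
    for rel, data in sample.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    names_txt = os.path.join(root, "names.txt")  # constructed name list, one per line
    with open(names_txt, "w", encoding="ascii") as fh:
        fh.write("pwdump.exe\nfport.exe\ncain.exe\n\n")
    wanted = load_name_list(names_txt)
    hits = find_matches(root, wanted)
    exported = export_with_hash(hits, os.path.join(root, "Export"))
    print(f"{len(wanted)} names read; {len(hits)} matching files: {hits}")
    return len(wanted), hits, exported

if __name__ == "__main__":
    demo()
```

Sorting the Export folder by name then puts `pwdump_<hash>_1.exe` and `PWDUMP_<hash>_2.EXE` side by side, so identical hashes reveal the duplicate at a glance.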

This EnScript actually has some useful application in intrusion-type investigations. I am constantly struggling to keep an updated hash set of hacker tools. Every time a new tool version is released I have to make sure to add it to my hash sets. Many times, though, I have found that the intruder does not even rename his/her tools; he/she instead just hides them somewhere we would never think to look (the system32 folder ;).

So, you could create a simple text file that contains the names of all the hacker tools you would want to know about if they exist in your evidence, and then run this script at the beginning of the exam to possibly identify any low-hanging fruit and jump-start your investigation. This way, even if you don't have a complete, updated hash set, you can still identify files whose name is clearly identifiable as a hacking tool. I call these contraband-type tools: in other words, the mere name of the file is bad and should pique your interest, e.g. pwdump.exe, fport.exe, cain.exe, psexec.exe, etc.

This EnScript is compiled (EnPack) so it will only work in V6.
Download Here

4 comments:

Anonymous Monday, 16 February, 2009  

Lance-

I would like to do something like this with IPs, E-mails, MD5's, domain names and Telephone numbers. What would you suggest? I have a very lengthy list ..

Lance Mueller Monday, 16 February, 2009  

Contact me by email and we can discuss.

Lance

Brian Rosenthal Tuesday, 24 November, 2015  

Hello Lance, Do you have a version of this script that works with unicode characters?

Lance Mueller Tuesday, 24 November, 2015  

Hi Brian, email me directly and let's see what I can work up for you.

lance (@) forensickb (dot) com


Computer Forensics, Malware Analysis & Digital Investigations