Friday, January 18, 2008

Basic System Volume Information EnScript

I was recently contacted by Hans Heins in the Netherlands, who had some EnScripts that were written in v4 by a student trainee. The EnScripts parse basic information out of the restore point files under System Volume Information. He posted these EnScripts to his website listed here.

I have ported these over to EnCase v6 EnPack format.

The first one parses the rp.log for basic information on when the restore point was made. To use, select (blue check) one or several rp.log files and then run the script. A small text file with the information is created in your default export folder. You can download the v6 version here.

The second one parses the change.log and lists the files that are in the restore point. To use, select (blue check) one or several change.log files and then run the EnScript. A small text file with the information is created in your default export folder. You can download the v6 version here.

Thanks to Hans for sharing the EnScripts.
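To show what kind of data the rp.log script pulls out, here is a Python parser added as an illustration; it is not the EnScript from this post or Hans's code. It assumes the commonly documented Windows XP rp.log layout, which the post itself does not state: a 4-byte type at offset 0x04, a null-terminated UTF-16LE description at offset 0x10, and the creation FILETIME in the last 8 bytes. The function names are hypothetical and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

TYPE_OFFSET = 0x04   # assumed: 4-byte little-endian restore point type
DESC_OFFSET = 0x10   # assumed: null-terminated UTF-16LE description
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_rp_log(data):
    """Return type, description and creation time from raw rp.log bytes."""
    if len(data) < DESC_OFFSET + 2 + 8:
        raise ValueError("too short to be an rp.log file")
    (rp_type,) = struct.unpack_from("<I", data, TYPE_OFFSET)
    # The description stops at the first UTF-16 NUL and never
    # runs into the trailing FILETIME.
    body = data[DESC_OFFSET:-8]
    end = len(body) - len(body) % 2
    for i in range(0, end, 2):
        if body[i:i + 2] == b"\x00\x00":
            end = i
            break
    description = body[:end].decode("utf-16-le", errors="replace")
    (ft,) = struct.unpack("<Q", data[-8:])
    return {"type": rp_type, "description": description,
            "created_utc": filetime_to_utc(ft)}


def build_sample():
    """Constructed 536-byte sample, not taken from a real system."""
    buf = bytearray(536)
    struct.pack_into("<I", buf, TYPE_OFFSET, 12)
    desc = "Constructed sample restore point".encode("utf-16-le")
    buf[DESC_OFFSET:DESC_OFFSET + len(desc)] = desc
    created = datetime(2008, 1, 18, 12, 0, 0, tzinfo=timezone.utc)
    ticks = int((created - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, len(buf) - 8, ticks)
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_rp_log(build_sample()).items():
        print(f"{key}: {value}")
```

The reported time is UTC; compare it against the file system timestamps of the RP folder before relying on it in a timeline.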

1 comment:

Nitin Kushwaha Wednesday, 16 July, 2008  

Hi Friend,

Can you port the same EnScripts to be able to be used for EnCase v5?

It is really great; I am still learning more about EnScripts.

Thanks for this.

nitin.blackhat@gmail.com


Computer Forensics, Malware Analysis & Digital Investigations
