Thursday, February 28, 2008

Create 'dd' image file from EnCase evidence and redact certain files

***Updated version 1.1 - Sanity checking on deleted, overwritten files, files with invalid clusters and folders

This project started out as a request from a blog reader who had been ordered to provide a copy of an evidence file to another party, but with certain files redacted. He had already figured out a way to do this with a 3rd party tool, but wanted to dump a text file of the offsets and lengths of the selected files so that a 3rd party tool could read it and do the wiping automatically.

Back in July of 2007, I released an EnScript to make a 'dd' image file from an EnCase evidence file (original post is here). I started thinking about how easy it would be to incorporate that feature to that EnScript. An hour later, here is a modified version of the original "export to dd image" EnScript, with the ability to redact selected items.

Basically, the way it works is that you load up one piece of evidence and then select any item(s) you want redacted. You can select anything, including unallocated space, which will then be written as all zeros in the 'dd' image file. The selected items' filenames and metadata are all maintained; just the data contents are redacted. Check the console for some logging information.



Now this obviously has some interesting uses, the most obvious being the reason I originally set out to make this EnScript, but after working on it and playing around with it, I came up with several other very useful ones, especially when making example evidence files for students. The cool part is that you can load up an evidence file, select unallocated, and when it's done, load up the 'dd' image file and quickly reimage it; the resulting evidence file is much smaller since the wiped data is stored as sparse data. So when working with sample evidence files where the pagefile, unallocated or other files are not needed, you can quickly wipe them out and reduce the overall size of the evidence file significantly.

Before (now you see it):



After (now you don't):


All other files remain intact and all other individual file hash values verify between the original and the 'dd' image.
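The same operation written out in Python, as an added example and not the EnScript itself: it reads the offset/length list the reader described, copies the image from the first sector to the last, leaves sparse holes (read back as zeros) over the selected extents, and skips any extent that points past the end of the image, as a record with invalid clusters would. The sector size, the two "files" and the sample image are constructed for the example.

```python
import os, tempfile
SECTOR = 512  # assumed sector size for the constructed sample image

def parse_extents(text):
    """Parse 'offset length' lines (bytes, '#' comments allowed) into sorted, merged ranges."""
    ranges = []
    for line in text.splitlines():
        fields = line.split('#')[0].split()
        if len(fields) == 2 and int(fields[1], 0) > 0:   # ignore blank and zero-length entries
            off, length = int(fields[0], 0), int(fields[1], 0)
            ranges.append((off, off + length))
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def redact_image(src, dst, extents, chunk=1 << 20):
    """Copy src to dst first byte to last, leaving sparse holes (read back as zeros) over the
    extents; extents starting past the end of the image are skipped and reported, not applied."""
    size = os.path.getsize(src)
    skipped = [e for e in extents if e[0] >= size]
    zeroed = 0
    with open(src, 'rb') as fin, open(dst, 'wb') as fout:
        for start, end in [(s, min(e, size)) for s, e in extents if s < size]:
            while fin.tell() < start:                      # copy the run before the extent
                fout.write(fin.read(min(chunk, start - fin.tell())))
            fin.seek(end); fout.seek(end); zeroed += end - start   # hole instead of writing zeros
        for buf in iter(lambda: fin.read(chunk), b''):     # copy the tail after the last extent
            fout.write(buf)
        fout.truncate(size)   # materialise a trailing hole so dst is exactly as long as src
    return size, zeroed, skipped

def demo():
    """Constructed 16-sector image in a temp dir; sector n is filled with byte value n."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, 'orig.dd'), os.path.join(d, 'redacted.dd')
    image = b''.join(bytes([n]) * SECTOR for n in range(1, 17))
    with open(src, 'wb') as f: f.write(image)
    # 'file A' = sectors 2-3, 'file B' = sectors 10-11, plus a bogus extent beyond the volume end
    extents = parse_extents("1024 1024  # file A\n5120 1024  # file B\n99999 512\n")
    size, zeroed, skipped = redact_image(src, dst, extents)
    with open(dst, 'rb') as f: out = f.read()
    keep = [i for i in range(size) if not (1024 <= i < 2048 or 5120 <= i < 6144)]
    return {'size': size, 'zeroed': zeroed, 'skipped': skipped,
            'wiped': out[1024:2048] == bytes(1024) and out[5120:6144] == bytes(1024),
            'rest_intact': len(out) == size and all(out[i] == image[i] for i in keep)}
```

Because the holes are never written, the output is sparse on the disk, which is the same size saving the post describes for wiped unallocated space.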

Download Here

4 comments:

Anonymous Wednesday, 09 April, 2008  

When adding an image to EnCase there is an option "Read FileSystem". If you uncheck this option, EnCase shows only one bitstream. Just right-click and copy/unerase this "file".
This is your dd-image. No EnScript needed. G.B.

Anonymous Wednesday, 29 October, 2008  

Lance,

Any chance of adding a file chunking option like the copy/ unerase feature in EnCase to the dd image file enscript?

Anonymous Thursday, 20 August, 2009  

Lance, would this script work on an EnCase image of a Mac image with an HFS filesystem?

Lance Mueller Thursday, 20 August, 2009  

Yes, the EnScript pays no attention to the type(s) of volumes that may be present. It just starts at the first available sector until the last.


Computer Forensics, Malware Analysis & Digital Investigations
