Saturday, February 2, 2008

Decode/Bookmark Base64 text in EnCase

I had a recent need to examine some PHP pages that were used to compromise a web server. Several of the PHP pages were obfuscated using base64 encoding to avoid detection. Therefore, I needed a quick way to decode base64 text and then bookmark the decoded text for later review.

The first step is to sweep the base64 text:

Next, run the EnScript and check the box if you want the decoded text bookmarked:

Once the EnScript is completed, you can check the console tab for the decoded text as well as look at the bookmark if you chose that option.

Remember that the length of base64-encoded text should always be divisible by four. This is because every four characters of encoded text represent three decoded bytes. This is also why base64 text sometimes ends in "=" characters, which are used as padding to make the length of the string divisible by four. The EnScript checks the length of the selected text and warns if you have selected either too many characters or too few:

Download here
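The same length check and decode can be reproduced outside EnCase. The Python below is an added example, not the EnScript offered for download; the function names and the sample string are constructed for illustration.

```python
import base64
import binascii
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")

def check_selection(text):
    """Return (ok, message) for a swept base64 selection."""
    data = "".join(text.split())      # ignore line breaks/spaces caught in the sweep
    body = data.rstrip("=")
    pad = len(data) - len(body)
    bad = sorted(set(body) - B64_ALPHABET)
    if bad:
        return False, "non-base64 characters in selection: %r" % "".join(bad)
    if pad > 2:
        return False, "more than two '=' padding characters"
    rem = len(data) % 4
    if rem:
        # A sweep that is off by rem characters is either rem too long
        # or (4 - rem) too short; the examiner decides which end to adjust.
        return False, ("length %d is not divisible by four: selected %d too "
                       "many or %d too few characters" % (len(data), rem, 4 - rem))
    return True, "length %d is divisible by four" % len(data)

def decode_selection(text):
    """Decode a swept selection; raise ValueError carrying the warning if malformed."""
    ok, message = check_selection(text)
    if not ok:
        raise ValueError(message)
    try:
        return base64.b64decode("".join(text.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(str(exc)) from exc

# Constructed sample: base64 of a harmless PHP statement (22 bytes -> 32 characters).
SAMPLE = "PD9waHAgZWNobyAiaGVsbG8iOyA/Pg=="

if __name__ == "__main__":
    print(decode_selection(SAMPLE))       # full selection decodes
    print(check_selection(SAMPLE[:-3]))   # sweep stopped three characters short
```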

