Wednesday, May 28, 2008

EnScript to export selected search hits

This week I was working a case where I was reviewing hundreds of IIS web logs. I had done a keyword search for some unique patterns involving SQL injection. Once found, I wanted to export just those lines (IIS web logs are one entry per line). So I wrote a quick EnScript that exports the complete line each keyword hit falls in.

The way the EnScript works is it seeks to the position in the file where your search hit is found, then it backs up until it finds a carriage return/line feed, then exports from the next character after the CR/LF to the next CR/LF, thus exporting one complete line. This is the format of IIS web logs, but it could work with any text file that uses CR/LF at the end of a line.

To use it, conduct your keyword search against any log files. Then SELECT (blue check) the search hits you want exported. You can select the whole search tree or just individual search hits, it's up to you. The following example is a screenshot of an old IIS web log:

Imagine you wanted to search through thousands of IIS web logs for the keyword "%5c" and you ended up with a couple hundred hits that you want to export for reporting reasons or to put into an Excel spreadsheet for analysis purposes. The next screenshot shows the search hits after the keyword search:

Select the keyword hits you want to export:

Run the EnScript, then look in the case's default export folder for a file named "searchhits.txt". You can import this into Excel or use any text editor to see the exported data:

The result is a text file with only the lines that contain your selected search hits.

Download here


Anonymous Thursday, 29 May, 2008  

Does this just export out the preview field?

Lance Mueller Thursday, 29 May, 2008  


No, it does not just export the preview field. That's the whole point of the script. If you just want the preview field you can right click that field in EnCase and choose export.

The EnScript exports the data between carriage-return/line feeds. So in normal Windows text files, every line ends with a CR/LF. The EnScript was designed to export one complete line, regardless of length. The preview field in EnCase is limited to only showing 256 total characters (I believe that's the size). I think it's 128 in front and 128 behind, and does not care about what characters it encounters, so if your search hit was on a line that only contained 64 characters, you would end up exporting data from the line before and after the line with your search hit.

This script was specifically written for IIS web logs, but can be used against any text file that uses the standard Windows CR/LF end-of-line delimiter.

Anonymous Monday, 16 June, 2008  

So, it looks like there are two problems. The first is that FindBeginning() can result in an infinite loop... this can happen if the first search hit occurs in the file before any instance of 0x0a. I would rewrite stupid-simple-style like this:

for (long pos = file.GetPos() - 1; pos >= 0; --pos) {
  file.Seek(pos);            // position the file at pos before reading; the Seek call is assumed here, the comment as posted omitted it
  if (file.Get() == 0x0a)
    break;                   // previous line feed found; the line begins at pos + 1
}

This way you're keeping track of the pos, and not relying on the file to do so. This is important because the file's pos can't go negative.

The second issue... what happens if you have multiple search hits on the same line? You will end up writing out the same line multiple times, which may or may not be what you want.
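The line-extraction logic the post describes (back up from the hit to the previous line feed, export up to the next one), together with the two points raised in the comment above, a hit on the first line with no line feed before it and several hits on the same line, as an added Python example that is not Lance's EnScript nor any code from the page. The log lines and the keyword offsets are constructed here and stand in for EnCase's search hits; writing the result to searchhits.txt is left to the caller.

```python
# Export the complete log line around each selected keyword hit, walking by
# byte offset (so a hit on the first line terminates at offset 0 instead of
# looping) and emitting each line once even when it holds several hits.
from typing import Iterable, List, Set, Tuple

LF = 0x0A
CR = 0x0D

# Constructed sample: a small IIS-style log with CR/LF line endings.  The
# header line has no LF before it, the third line holds two "%5c" hits, and
# the last line has no trailing CR/LF (a truncated or still-open log).
SAMPLE_LOG = (
    b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\r\n"
    b"2008-05-20 10:00:01 10.0.0.5 GET /default.asp 200\r\n"
    b"2008-05-20 10:00:02 10.0.0.9 GET /..%5c..%5cwinnt/cmd.exe 404\r\n"
    b"2008-05-20 10:00:03 10.0.0.5 GET /index.htm 200\r\n"
    b"2008-05-20 10:00:04 10.0.0.9 GET /scripts/..%5c../ 404"
)


def find_hits(data: bytes, keyword: bytes) -> List[int]:
    """Byte offsets of every keyword occurrence (stands in for EnCase search hits)."""
    hits = []
    pos = data.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = data.find(keyword, pos + 1)
    return hits


def line_bounds(data: bytes, hit: int) -> Tuple[int, int]:
    """Return (start, end) of the line containing offset `hit`.

    Walks backwards by index until the byte before `start` is an LF or the
    start of the file is reached, so a hit before any LF cannot loop forever.
    Walks forwards to the next LF, or to end of file when the last line has no
    terminator.  A trailing CR is excluded from the returned slice.
    """
    start = hit
    while start > 0 and data[start - 1] != LF:
        start -= 1
    end = data.find(b"\n", hit)
    if end == -1:
        end = len(data)
    if end > start and data[end - 1] == CR:
        end -= 1
    return start, end


def export_hit_lines(data: bytes, hits: Iterable[int]) -> List[bytes]:
    """Full lines for the given hit offsets, in file order, each line written once."""
    seen: Set[Tuple[int, int]] = set()
    lines: List[bytes] = []
    for hit in sorted(hits):
        bounds = line_bounds(data, hit)
        if bounds in seen:          # second hit on an already exported line
            continue
        seen.add(bounds)
        lines.append(data[bounds[0]:bounds[1]])
    return lines


if __name__ == "__main__":
    for line in export_hit_lines(SAMPLE_LOG, find_hits(SAMPLE_LOG, b"%5c")):
        print(line.decode("ascii", errors="replace"))
```

Deduplicating on the (start, end) pair rather than on the line text keeps two identical requests on different lines as two separate entries, which is usually what you want when counting events for a report.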

David Caldwell Tuesday, 02 December, 2008  


Is there a way that this script can be changed to address a case where I have a large number of hits in uac and the EnCase export doesn't export a large enough chunk of data?



Computer Forensics, Malware Analysis & Digital Investigations
