Monday, September 15, 2008

EnScript to bookmark the MFT record of currently highlighted file in EnCase

I wrote this EnScript years ago and recently had a need to use it on some evidence. I realized I had not posted this before on the blog so I figured I would post it in case others had a similar need.

There are times when I want to look at the actual MFT record of a specific file. The most common reason is to look at the second set of timestamps that each MFT record has in the filename attribute. EnCase shows the first set (the ones in the Standard Information Attribute) in the table pane of EnCase, and normally that is sufficient. But there are times when I want to look at the second set of timestamps to see if the file's timestamps have been altered or to help establish whether a file was copied or moved onto the media. This EnScript simply looks up the corresponding MFT record for the currently highlighted file and then bookmarks it (all 1024 bytes of it):



Highlighting simply means to click on it in the table pane of EnCase (upper-right) and turn the entry blue, no need to highlight or sweep any data in the actual file. Once a file is highlighted, run the EnScript and you will get the following message:



Click "Ok" and then check your bookmarks:



You can then quickly inspect the actual raw MFT record to decode it manually or view any residual slack data, etc.
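As an added illustration of what "decoding it manually" involves, here is a small Python parser for one 1024-byte MFT record that does the work the bookmark leaves to the examiner: it undoes the NTFS update-sequence fixups, walks the resident attributes, pulls both timestamp sets ($STANDARD_INFORMATION and $FILE_NAME) and applies the usual comparison heuristics. This is example code written for this page, not the EnScript from the post, and the two records it parses are constructed in memory (file name, record numbers and timestamps are all made up) rather than read from any evidence file.

```python
import struct
from datetime import datetime, timedelta, timezone

# Attribute type codes and layout constants from the NTFS on-disk format
STANDARD_INFORMATION, FILE_NAME, END_OF_ATTRIBUTES = 0x10, 0x30, 0xFFFFFFFF
RECORD_SIZE, SECTOR_SIZE = 1024, 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_dt(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used only to build the constructed sample records."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def apply_fixups(record):
    """Undo update-sequence protection: on disk the last two bytes of every 512-byte
    sector hold the update sequence number (USN) and the real bytes sit in the update
    sequence array. A mismatch means the record is torn or corrupt, so refuse to parse it."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 0x04)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if buf[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_mft_record(raw):
    """Return record number, file name and both timestamp sets (as FILETIME ticks)."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of first attribute
    out = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
           "si": None, "fn": None, "name": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_OF_ATTRIBUTES or alen == 0:
            break
        if rec[off + 8] == 0:                              # resident: content is in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION:              # four timestamps at offset 0
                out["si"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", body, 0)))
            elif atype == FILE_NAME and out["fn"] is None:  # parent ref (8), then four timestamps
                out["fn"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", body, 0x08)))
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return out


def timestamp_anomalies(parsed):
    """Examiner heuristics for comparing the $SI set against the $FN set."""
    si, fn, findings = parsed["si"], parsed["fn"], []
    # $FN times are written by the kernel and rarely touched by user-mode tools; user-mode
    # timestamp changes land in $SI, so $SI creation before $FN creation is a red flag.
    if si["created"] < fn["created"]:
        findings.append("$SI created predates $FN created: $SI may have been rewritten")
    # A copy gets a fresh $SI created time but keeps the source's modified time.
    if si["modified"] < si["created"]:
        findings.append("$SI modified earlier than $SI created: consistent with a copy onto the volume")
    for key in TIME_KEYS:  # tools that set times through the Win32 API often write whole seconds
        if si[key] % 10_000_000 == 0:
            findings.append("$SI %s has zero sub-second ticks" % key)
    return findings


def build_sample_record(si_times, fn_times, name="report.docx", record_no=1234):
    """Assemble a minimal, structurally valid MFT record. Constructed sample data only."""
    def attribute(atype, body):
        total = (0x18 + len(body) + 7) & ~7               # attribute lengths are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
        return hdr + body + b"\0" * (total - 0x18 - len(body))
    si_body = struct.pack("<4Q4I", *[dt_to_filetime(si_times[k]) for k in TIME_KEYS], 0x20, 0, 0, 0)
    fn_vals = [5 | (5 << 48)] + [dt_to_filetime(fn_times[k]) for k in TIME_KEYS] + [0, 0, 0x20, 0, len(name), 1]
    fn_body = struct.pack("<Q4QQQIIBB", *fn_vals) + name.encode("utf-16-le")
    attrs = attribute(STANDARD_INFORMATION, si_body) + attribute(FILE_NAME, fn_body)
    attrs += struct.pack("<II", END_OF_ATTRIBUTES, 0)
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, first_attr,
                         0x01, first_attr + len(attrs), RECORD_SIZE, 0, 3, 0, record_no)
    usn = b"\x42\x00"
    buf = bytearray(header + usn + b"\0" * 6 + attrs)
    buf += b"\0" * (RECORD_SIZE - len(buf))
    for i in range(1, usa_count):                          # protect sector ends the way NTFS does
        end = i * SECTOR_SIZE - 2
        buf[usa_off + 2 * i:usa_off + 2 * i + 2] = buf[end:end + 2]
        buf[end:end + 2] = usn
    return bytes(buf)


COPY_TIME = datetime(2008, 9, 10, 14, 5, 22, 123456, tzinfo=timezone.utc)      # constructed
ORIGINAL_MODIFIED = datetime(2008, 3, 1, 9, 0, 0, 654321, tzinfo=timezone.utc)  # constructed
STOMPED = datetime(2005, 1, 1, tzinfo=timezone.utc)                             # constructed


def sample_records():
    """A file copied onto the volume, and the same file after its $SI times were rewritten."""
    copy_fn = {k: COPY_TIME for k in TIME_KEYS}
    copied = build_sample_record({"created": COPY_TIME, "modified": ORIGINAL_MODIFIED,
                                  "mft_modified": COPY_TIME, "accessed": COPY_TIME}, copy_fn)
    stomped = build_sample_record({k: STOMPED for k in TIME_KEYS}, copy_fn, record_no=1235)
    return copied, stomped


if __name__ == "__main__":
    for raw in sample_records():
        p = parse_mft_record(raw)
        print("MFT record %d (%s)" % (p["record_number"], p["name"]))
        for k in TIME_KEYS:
            print("  %-13s $SI %s  $FN %s" % (k, filetime_to_dt(p["si"][k]), filetime_to_dt(p["fn"][k])))
        for f in timestamp_anomalies(p):
            print("  !", f)
```

Feed `parse_mft_record` the 1024 bytes of a bookmarked record exported from EnCase and it prints both timestamp sets side by side; the heuristics are indicators to weigh with other artifacts, not proof on their own, and the fixup check exists because a record read from slack or a partially overwritten sector will otherwise decode into plausible-looking garbage.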

Download Here

9 comments:

Phil Rodokanakis Thursday, 02 October, 2008  

>>> But there are times when I want to look at the second set of timestamps to see if the file's timestamps have been altered or to help establish whether a file was copied or moved onto the media.

Lance:

Can you please expound on how you would use the second set of timestamps to help establish whether a file was copied or moved to external storage media?

Best regards, Phil

Anonymous Thursday, 02 October, 2008  

How do I install the EnPack?

Lance Mueller Thursday, 02 October, 2008  

Copy the .EnPack file into the \EnCase6\EnScript folder, start EnCase.

Anonymous Thursday, 02 October, 2008  

Hi Lance, I did that but got this message when I try to run it: "The version number does not match the header". Does it mean the EnPack does not match my EnCase version?

Lance Mueller Friday, 03 October, 2008  

The EnPack is written to be used with version 6.x of EnCase.

Anonymous Sunday, 05 October, 2008  

Oh, that explains everything. I'm on v5. Thanks!

Anonymous Sunday, 05 October, 2008  

Anything I can do to convert it to be usable in v5?

Anonymous Tuesday, 14 October, 2008  

Hey Lance,

The other day I noticed that EnCase has a similar script under the Examples tab. It's labeled "Highlight Specific MFT Record".

Is this pretty much the same thing?

Unknown Wednesday, 29 September, 2010  

Is there any way to use this script in version 5?


Computer Forensics, Malware Analysis & Digital Investigations
