If you could have any EnScript or filter, what would it be?
So I might be opening a can of worms with this post, but what the heck, I am bored. My question is: if you could ask for any EnScript to improve your process, speed things up, or just give you a feature you don't natively have in EnCase, what would it be? It could be eDiscovery related or forensic related or just a general utility (Tetris, anyone?). It also does not need to be a stand-alone EnScript; it could be a filter/condition.
I am interested in hearing what the most popular request will be. Please post your "favorite request" in the comments of this post so others can see it, expand on it, tweak the idea or just echo your vote.
Let the wish-list begin....
27 comments:
I would like a script that would parse out plist files from the iPhone backup folder. You saw that coming... right?
A "find the smoking gun" EnScript would be very handy. On a more serious note, how about a Skype EnScript which would parse chat logs, user profiles and call logs.
I would love to have an EnScript that can parse the metadata out of Office files in bulk (i.e. all checked files) and would write them to a tab-delimited text file I can import and post-process in a database.
Producing forensic evidence from the DCOM database files on a deadbox hard drive.
Some interesting ideas so far. Albee, keep dreaming! ;)
Paul Bobby, what kind of information are you interested in from the DCOM database?
Skype is a good idea.
Larry, I think I can modify the script I have posted here to do what you want.
Keep the ideas coming!
I would like to have an EnScript which can map/parse the Vista filenames/paths to the Thumbcache entries.
I would like to have an EnScript that parses out and bookmarks the remnants of (Live) Messenger out of selected files (unallocated/pagefile/hiberfil).
Interesting things EnScript
I would like a solution for a quick scan of interesting things that possibly reside on a Windows disk.
The purpose is to find out which interesting things reside in the data. Its purpose is not to export or carve data. Just knowing that interesting things are present is enough to set up a plan to investigate that data.
The script should look for particular file names/file paths/extensions.
The script should pick the particular names, etc. from a reference file. Every investigator should be able to edit the reference file, so he/she can put in the names/paths/etc. he/she wishes to search for. I think this will be a great solution for investigators all over the world. In many cases particular software, software names and (path) names are language/country dependent.
A further advantage is that the investigator decides for himself/herself what he/she is looking for.
Further Info
Hans,
That's a good idea, but it can already be easily accomplished without an EnScript in about 20 seconds using a condition.
Just take your list of paths/files that you want to know about and create a condition that says "if full path contains" and then paste your list of paths, then run. The only files that will be shown to you are those that match your path criteria.
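The reference-file idea from Hans's comment and Lance's "if full path contains" condition, as an added Python example that is not from the blog or from any EnScript: rules are read from an investigator-editable reference file (`name:`, `path:` and `ext:` lines, constructed here inline), matched against a constructed list of full paths standing in for the case entries, and reported as present or not rather than exported.

```python
import fnmatch
import posixpath

# Constructed reference file (investigators edit this, one rule per line).
REFERENCE_TEXT = """
# '#' lines are comments; matching is case-insensitive
name: thumbcache_*.db
path: /Users/*/AppData/Roaming/Skype/
path: /Program Files/uTorrent/
ext: .torrent
ext: .pst
"""
# Constructed entries standing in for the full paths of a Windows image.
ENTRIES = [
    "C/Windows/System32/config/SYSTEM",
    "C/Users/bob/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db",
    "C/Users/bob/AppData/Roaming/Skype/bob/main.db",
    "C/Users/bob/Downloads/linux.iso.torrent",
    "C/Program Files/uTorrent/uTorrent.exe",
]

def parse_reference(text):
    """Return (kind, pattern) rules; an unknown kind raises so typos are caught."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, pattern = line.partition(":")
        kind, pattern = kind.strip().lower(), pattern.strip().lower()
        if kind not in ("name", "path", "ext") or not pattern:
            raise ValueError(f"bad reference line: {raw!r}")
        rules.append((kind, pattern))
    return rules

def scan(entries, rules):
    """Map each rule to the entries it hit; an empty list means 'not present'."""
    hits = {rule: [] for rule in rules}
    for entry in entries:
        full = entry.lower()                      # case-insensitive compare
        name = posixpath.basename(full)
        ext = posixpath.splitext(name)[1]
        for kind, pat in rules:
            if ((kind == "name" and fnmatch.fnmatchcase(name, pat))
                    or (kind == "path" and fnmatch.fnmatchcase(full, f"*{pat}*"))
                    or (kind == "ext" and ext == pat)):
                hits[(kind, pat)].append(entry)
    return hits

def present(hits):
    """Rules that hit at least once: enough to plan the follow-up investigation."""
    return sorted(rule for rule, found in hits.items() if found)
```

Because the reference file is plain text, a team can keep one per language or country and swap it in per case.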
I would like to see an EnScript that diffs active registry files and system restore point registry files and exports only the changes.
I would like an enscript that creates a timeline of every entry in the case, I have found the timeline functionality of encase unstable and awkward to work with. By all entries I mean MAC times, Reg c times, Internet history access/update times, and other user defined times (such as network logs, etc.). This way, an investigator can create a timeline of all of the events on the system and use it to rebuild the history. He will be able to integrate the network/system logs to correlate these events.
An easy, but always requested one:
Dialog-"Where", and "Named"
Output-Case Folder Structure!
(with an option for For/eDisc/Inv/etc)
I'd like an EnScript that leverages Volatility (a.k.a. the greatest thing since sliced bread) against a mem dump file. The GUI popup would allow the user to 'check box' the various Volatility command line options. The output would be a CSV file and would appropriately associate the output of the selected options to the correct process (PID). The idea is that it creates an easy read on a per-process level. Volatility provides a lot of disparate info on each process. This EnScript would essentially format the Volatility output in a "makes sense" manner.
How about a "First Run" script which combines some of the basics and outputs into a CSV format with the date being the first column and the time the second column. For example the basics could include:
- USB information
- Mounted drives
- Parse link files
- MAC of all files between dates
- Event logs (limited to default locations)
- MRUs from Registry
- WEP
- Printers
- Prefetch
- Internet history (limited to default locations)
- etc.
Although some of these scripts currently exist they do not output in a standardized format. The "First Run" script would mean a first responder could get an instant report on scene of the basics immediately after imaging has been completed.
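The standardised "First Run" output asked for above (and the all-sources timeline requested earlier in the thread), as an added Python example that is not from the blog or from any EnScript: each source reports in its own clock format, so every record is converted to UTC and emitted as CSV with the date in the first column and the time in the second. The records, the registry key name and the prefetch file name are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ticks):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC (registry, prefetch)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def from_unix(seconds):
    """Unix epoch seconds, as many browser history databases store them."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

# Constructed sample records: (source, artifact, event, raw timestamp, converter).
RAW_RECORDS = [
    ("MAC", "C/Users/bob/Documents/plan.docx", "modified", 1230800000, from_unix),
    ("Registry", "SYSTEM/.../USBSTOR/Disk&Ven_Example", "key last written",
     128752740000000000, from_filetime),
    ("Prefetch", "NOTEPAD.EXE-XXXXXXXX.pf", "last run", 128752749300000000, from_filetime),
    ("Internet", "http://example.invalid/page", "visited", 1230805000, from_unix),
    ("EventLog", "Security/4624", "logon", 1230795000, from_unix),
]

FIELDS = ["date", "time", "source", "artifact", "event"]

def build_timeline(records):
    """Normalise every record to UTC and return rows sorted oldest-first."""
    stamped = []
    for source, artifact, event, raw, convert in records:
        ts = convert(raw)
        stamped.append((ts, {"date": ts.strftime("%Y-%m-%d"),
                             "time": ts.strftime("%H:%M:%S"),
                             "source": source, "artifact": artifact, "event": event}))
    stamped.sort(key=lambda pair: pair[0])
    return [row for _, row in stamped]

def to_csv(rows):
    """Date in the first column, time in the second, as the comment asks."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(build_timeline(RAW_RECORDS)))
```

Any further source (network logs, DHCP lease times from restore points) only needs a converter to UTC and then drops into the same table.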
Lance...
How about an EnScript that will rip through the registry based on the white paper and spreadsheet that I sent you...
Dan P.
How about being able to do anything from Enscript that you can do from the GUI. Ever hear of automation? You can only recover folders when you add a device in v6. However, last I checked, you can't programmatically add a multi-file dd style image. In all honesty, though, I have stayed away from v6 because I get "Out of Memory" errors when I approach a large number of "files". The same case doesn't give me problems in v5 but alas, v5 is even worse with automation, can't perform a sig and hash search.
Lance, sorry to butt in without a suggestion for a script, but I was reading the suggestions when I saw that "a" was asking for a script which "parses out and bookmarks the remnants of (Live) Messenger out of selected files (unallocated/pagefile/hiberfil)". If this is referring to MSNP remnants of conversation, my colleague has already done this - http://computerforensics.parsonage.co.uk/downloads/MSNTextFragmentsFinder.zip
H
How about a script that would linearly copy out unallocated space, unused disk area, pagefile.sys and hiberfil.sys and start the hashing process one after the other so as not to kill the machine?
Thanks a lot for this blog, it is very useful!
I'd love an EnScript that would convert all the selected items to PDF with Bates numbers. Yes, I can do this by hand. Yes, it is better done by other tools, but I'm ending up doing "ediscovery in the field" more often than I'd like.
Hi Mueller,
Can an EnScript be written which can parse live memory for GTalk chats and store the results in a bookmark? I want GTalk only, as they are not stored on the local machines.
Kush Wadhwa
(kushwadhwa@gmail.com)
Hi
I am with DHS-Immigration and Customs Enforcement (ICE), Computer Forensic Lab at Puerto Rico.
What I would like to see is an EnScript to check the local user profile for all other chat clients' (Yahoo, MSN, etc.) chat logs and
P2P download logs (BitTorrent, LimeWire, etc.).
Something that makes a quick report of their file trading and activity for tracking child porn.
carlos.a.negron@dhs.gov
Carlos,
You might want to take a look at P2P Marshal for P2P stuff, funded by the NIJ.
http://p2pmarshal.atc-nycorp.com/
Though I should warn you it's not perfect in my experience (others seem to like it, though it's missed stuff for me on partial installations).
Rich
I'm looking for an EnScript that will export all selected files and rename them to include either the file name and/or the MD5, with the correct extension appended to the end. Ideas?
I would like an EnScript that will parse DHCP history out of the registry restore points, i.e. I would like it to find, mount, and parse each restore point on the hard drive and list the following:
- DHCP-assigned IP address
- IP address lease start date/time
- IP address lease end date/time
It would be nice if it presented it in an easy to read timeline format.
AccessData's Registry Viewer product has a neat feature called Auto RSR. This allows one to generate a registry report and include whichever keys are desired. Something like this would make a nice EnScript, especially if it gave the option to parse restore points.
I would like to see an EnScript that parses GigaTribe chat files into a readable format.
Tom Bell
KYOAG
tom.bell@ag.ky.gov
I have seen an EnScript like this once, but I do not have it.
This EnScript goes through the computer and finds all prefetch files and pulls the data out of them into a spreadsheet. The data that it pulls shows the name of the file, its location, and the previous times that it was run. This script would be of great use in my investigations. Any help would be appreciated.
Brannon Raines
brannon.raines@wellsfargo.com