Maine State Police - Keyword Search & Export EnScript

Maine State Police Keyword Search and export EnScript – v1.0
April 28, 2009
EnCase v 6.13

This post is an update to a previous post here. This is an updated EnScript with new features and an official v1.0 project release. The following description is from the instruction document in the zip file linked below.

1. Introduction

This EnScript was born out of a concept from Sgt. Glenn Lang with the Maine State Police. Sgt. Lang needed a way to quickly and effectively identify known multimedia files that are commonly possessed by persons trafficking and possessing child pornography.

2. How it works

Sgt. Lang had an application named "harvester" written for the purposes of extracting a 10-byte string of hex values from inside any file. The thought was that instead of relying on file headers, to instead grab 10 hex values from the middle of a known video file or graphic file as a "mini" known signature for that specific file. The "harvester" program creates a simple text file with one 10-byte keyword per line (CRLF delimited). Investigators can use the "harvester" program to scan all their known bad media files and extract a mini "signature" for each of them, placing them into a small text file.

This EnScript was designed to read the text file created by "harvester" (or by any other means) and then begins searching the disk for those keywords. TheEnScript was designed to work in two ways. The first way is to search unallocated space, the second it to search all areas of the disk(s) (allocated files and unallocated clusters).

3. Configuration

When you start the EnScript, the investigator is presented with the following initial screen :



A. The first option asks for the text file where the keywords are stored. This text file should be a simple ASCII text file, one 10-byte keyword per line, in the format of:



B. This is the offset into the known file where the keyword was harvested from. The EnScript will search and export using this offset.

C. Total size of export - When a keyword is found, the EnScript will back up “x” bytes, as dictated by the offset value described above. The EnScript will then export from that offset (presumably the beginning of the file) for a total of “x” megabytes, as indicated by this value.

D. File Extension - When a keyword is found and the data around the keyword is exported (as described above), the exported data will be placed into the case default export folder and given the extension as indicated by this value. This is so if the investigator is searching for movie files and the data is carved from unallocated space into the default export folder, the investigator can quickly double click and use a viewer, such as VLC, to view the contents.

E. Comprehensive search - This checkbox dictates how the EnScript will search for the keywords. The normal built-in keyword search process in EnCase searches every byte of the disk (or unallocated cluster object). This EnScript, in an effort to speed this process up, by default, will search for the keyword only at the specified offset of each cluster, then move to the next cluster and look at the specific offset in that cluster and then move again to the next cluster. A typical Windows installation uses the NTFS file system and defaults to a cluster size of 4096 bytes (8 sectors per cluster). This means you are only searching 10 bytes out of those 4096 bytes, effectively only .2% of a cluster. The purpose of this is speed. If you think about how a file will always be saved on disk starting at a cluster boundary, then the keyword your looking for will always be found at the offset you specified in option B into a cluster. Searching the other areas of the cluster is unnecessary.

By checking this box (comprehensive search), the EnScript will instead search every sector. The reason for this option is in case the target drive had some files you are searching for and then the volume was formatted at some point in the past. The formatting process may inadvertently either change the number of sectors per cluster (i.e. was FAT, now is NTFS) or the boundaries of the volume have changed. Therefore, by selecting this option, the EnScript will search for the 10-byte keyword at a specific place in the sector, then move to the next sector and search again at the specific offset. This will increase the amount of time it takes to complete the search, but is still faster than a traditional keyword search where every byte of every sector is searched.

F. Bookmark - This will cause the specific keyword hit to be bookmarked when it found. Check in the bookmarks folder for a folder named “Found keywords in Unallocated – DATE & TIME”.

G. Search all files - The default is for this EnScript to only search unallocated space for the supplied keywords. Checking this box forces the EnScript to search unallocated, as well as every file in the case (allocated files).

4. Console - Real-time information is displayed in the console as the EnScript is running. If a keyword is found, the offset as well as full path of the file of where it was found is displayed.



5. Alert Sound - The EnScript will automatically check for the presence of a .wav file named "alarm.wav" in the “C:\Program Files\EnCase6\” root folder. If this file exists, this .wav file will be played every time a keyword is found during the search process. If the .wav file does not exist, the alert sound function will be skipped, but real-time information is still displayed in the console tab of EnCase.

Project information:
Sgt. Glenn Lang, Maine State Police
glang (at) mcctf.org

Download Here

Keyword List

Video demonstration #1
Video Demonstration #2