Sunday, May 24, 2009

Harvest Keywords EnScript

This is a follow-up to the post I made on April 28 regarding the "Maine State Police - Keyword Search" EnScript.

This EnScript harvests keywords from selected files in EnCase. If you have a collection of contraband images, movies or whatever, you can load them into EnCase and then use this EnScript to generate a keyword list from a specific offset in each file. The original concept is to extract a unique keyword from somewhere in the middle of each contraband file to be used to positively identify it. Avoid generic locations such as the header, which would get you hits on files of that type that may not be contraband. The concept relies on having the original contraband file(s), from which you generate the keyword list (a kind of unique signature). The original "Maine State Police - Keyword Search" EnScript then searches each cluster at just the offset the keyword was harvested from, which reduces the time the search takes and helps positively identify contraband, reducing the need to review every hit.

To use, just blue-check whatever files you wish to harvest keywords from:

Once the files are selected, run the EnScript and pick the offset and size of the keyword. The longer the harvested keyword, the more unique it is and the lower the chance of false positive hits.

A text file is created with whatever name you specify and the Length (LEN) and Offset (OFF) are appended to the filename, as well as the date and time to avoid accidentally overwriting an existing keyword list:

The list of generated keywords is displayed in the Console tab of EnCase and can be viewed with Notepad:

The generated keyword list can then be used with the EnScript posted on April 28th.
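The harvest-then-search idea described above, sketched in Python as an added example; it is not the EnScript's code and does not use the EnCase API. It assumes 4096-byte clusters, that a file's first cluster starts on a cluster boundary, and that the keyword lies inside that first cluster; the file names and byte contents are constructed, and the skip of single-value keywords (for example all zeros) is an added safeguard, not something the post describes.

```python
import hashlib

CLUSTER = 4096  # assumed cluster size in bytes

def blob(seed, size):
    """Deterministic filler bytes standing in for file content (constructed)."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]

def harvest(files, offset, length):
    """Map keyword bytes -> source file names, one keyword per file."""
    if offset + length > CLUSTER:
        raise ValueError("keyword must lie inside the file's first cluster")
    keywords = {}
    for name, data in files.items():
        kw = data[offset:offset + length]
        if len(kw) < length:    # file too short to reach the offset
            continue
        if len(set(kw)) == 1:   # e.g. all zeros: would match any blank cluster
            continue
        keywords.setdefault(kw, []).append(name)
    return keywords

def search(image, keywords, offset, length):
    """Compare only `length` bytes at `offset` inside each cluster."""
    hits = []
    for start in range(0, len(image), CLUSTER):
        window = image[start + offset:start + offset + length]
        if window in keywords:
            hits.append((start // CLUSTER, keywords[window]))
    return hits

def demo():
    offset, length = 512, 16
    files = {"known_a.jpg": blob("a", 6000), "known_b.jpg": blob("b", 6000),
             "tiny.jpg": blob("t", 100), "blank.bin": bytes(6000)}
    keywords = harvest(files, offset, length)
    pad = lambda d: d + bytes(-len(d) % CLUSTER)   # zero-fill to cluster end
    # Constructed image: unrelated, known_a (2 clusters), unrelated, blank
    image = (blob("x", CLUSTER) + pad(files["known_a.jpg"])
             + blob("y", CLUSTER) + bytes(CLUSTER))
    return sorted(keywords.values()), search(image, keywords, offset, length)

if __name__ == "__main__":
    print(demo())
```

Only the first cluster of `known_a.jpg` is reported, because the comparison happens at one fixed position per cluster rather than across the whole image.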

Download here

