Monday, June 29, 2009

EnScript to Export files by extension

A fellow examiner emailed me asking if I could write an EnScript that could be used to quickly export all the existing files in the evidence based solely on their file extensions. This would typically be used for eDiscovery-type cases.

Below is an EnScript that, when run, presents a dialog asking for two pieces of information. The first is the export folder you want the files written to. The second is the list of extensions to use as the export criteria. You can paste in whatever extensions you wish, comma separated:



The EnScript exports every file whose extension matches one in the list (matching is case insensitive) to the folder you specify. A subfolder is created for each extension and the matching files are placed in their respective folders:



An index.csv file is also written that lists every exported file along with its original path in the evidence and its exported filename. A unique number is appended to each exported filename so that two files with the same name cannot overwrite one another.
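The export logic described above, written here in Python as an added illustration; it is not the EnScript linked below (EnScript runs only inside EnCase, so a portable version is easier to read and to test). Two details the post does not pin down are assumptions here: the per-extension subfolder is named by the lowercased extension, and the unique number is inserted as `_n` just before the extension. The sample evidence tree is constructed in a temporary directory.

```python
import csv
import os
import shutil
import tempfile


def parse_extensions(text):
    """Turn a pasted, comma-separated list such as 'DOC, xls,.PDF' into a set of
    lowercase extensions without the dot, so matching is case-insensitive."""
    exts = set()
    for part in text.split(","):
        part = part.strip().lstrip(".").lower()
        if part:
            exts.add(part)
    return exts


def export_by_extension(src_root, dest_root, ext_text):
    """Copy every file under src_root whose extension is in ext_text to
    dest_root/<ext>/<stem>_<n><.ext> and write dest_root/index.csv mapping each
    original path to its exported path. Returns the (original, exported) rows."""
    wanted = parse_extensions(ext_text)
    os.makedirs(dest_root, exist_ok=True)
    rows = []
    counter = 0  # appended to every exported name so equal basenames never collide
    for dirpath, dirs, files in os.walk(src_root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            stem, dot_ext = os.path.splitext(name)
            ext = dot_ext.lstrip(".").lower()
            if ext not in wanted:
                continue
            counter += 1
            out_dir = os.path.join(dest_root, ext)  # one subfolder per extension (assumed lowercase)
            os.makedirs(out_dir, exist_ok=True)
            exported = os.path.join(out_dir, f"{stem}_{counter}{dot_ext}")
            original = os.path.join(dirpath, name)
            shutil.copy2(original, exported)  # copy2 preserves the file's timestamps
            rows.append((original, exported))
    with open(os.path.join(dest_root, "index.csv"), "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["original_path", "exported_path"])
        writer.writerows(rows)
    return rows


def build_sample_tree(root):
    """Constructed sample evidence: two same-named report.doc files in different
    profiles, one upper-case .PDF, and a .txt that must not be exported."""
    layout = {
        "users/alice/report.doc": b"alice's report",
        "users/bob/report.doc": b"bob's report",
        "users/bob/Scan.PDF": b"%PDF-1.4",
        "users/bob/notes.txt": b"not requested",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree, export doc and pdf, and return the exported
    names (relative to the export folder) plus the parsed index.csv rows."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence")
    dst = os.path.join(work, "export")
    build_sample_tree(src)
    rows = export_by_extension(src, dst, "doc, .PDF")
    names = sorted(os.path.relpath(p, dst).replace(os.sep, "/") for _, p in rows)
    with open(os.path.join(dst, "index.csv"), newline="") as fh:
        index_rows = list(csv.reader(fh))
    shutil.rmtree(work)
    return names, index_rows


if __name__ == "__main__":
    exported, index = run_demo()
    for n in exported:
        print(n)
    print(f"{len(index) - 1} rows in index.csv")
```

The two `report.doc` files from different profiles land side by side as `report_1.doc` and `report_3.doc`; index.csv is the only record tying each copy back to where it came from, so treat it as part of the export rather than an afterthought. Matching is on the filename alone, so a file whose extension has been changed is not picked up; signature analysis is the separate check for that.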


Download Here

Sunday, June 14, 2009

SANS Forensics and Incident Response Summit 2009

For those of you that have not heard about the upcoming SANS Forensics and Incident Response Summit in Washington D.C. in July, you should really try and attend. I had originally planned on attending and was kindly asked by Rob Lee to participate in the forensic tool panel discussions, but unfortunately my schedule is now preventing me from attending.

This year's summit looks even better than the last one in Las Vegas, which was great. The speaker lineup looks awesome and I am sure it will prove to be very interesting. If you are anywhere near Washington D.C. July 6th-9th, or can get there, I highly recommend you try and go. If you do, take notes for me.. ;)

You can read more about the agenda here:
https://blogs.sans.org/computer-forensics/2009/04/07/agenda-released-forensics-and-incident-response-summit-2009/

Thursday, June 4, 2009

Article on renaming files to hide them

I ran across an article in a popular Thai magazine named "Computer Today" (http://www.ctmthailand.com) that I found interesting. I don't read Thai, but I was browsing through it looking at the pictures and saw a picture of a file called "my secret.txt" and then it was renamed to "my.sys", so it caught my attention and I was curious what they were teaching.


I had the article translated; it is basically a how-to on hiding data by renaming a file you want to keep from prying eyes to something like "my.sys" and placing it in an obscure folder such as the Windows folder.

Nothing earth-shattering about this technique, but I found it very interesting to find an article like this in a mainstream published magazine, and it just reinforces why we go through the trouble of file signature analysis, hash analysis, keyword searching & metadata analysis.
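A minimal version of the signature analysis that catches this trick, added here as a Python example (not the magazine's or EnCase's code). The magic-byte table is a constructed subset of a real signature database and only covers signatures at offset 0; the sample files, including a text file renamed to `my.sys` under `Windows`, are constructed in a temporary directory. It also shows why hash analysis is unaffected by the rename: the renamed copy hashes identically to the original.

```python
import hashlib
import os
import shutil
import tempfile

# Magic bytes at offset 0 for a handful of common types (constructed subset).
SIGNATURES = {
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],  # OOXML documents are zip containers
    "exe": [b"MZ"],
    "dll": [b"MZ"],
    "sys": [b"MZ"],  # Windows drivers are PE images, so a genuine .sys starts with MZ
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
}


def types_for_header(header):
    """Extensions whose known signature matches the start of the file."""
    return sorted(ext for ext, sigs in SIGNATURES.items()
                  if any(header.startswith(s) for s in sigs))


def looks_like_text(header):
    """Heuristic: non-empty and every byte is printable ASCII or whitespace."""
    return bool(header) and all(32 <= b < 127 or b in b"\t\r\n" for b in header)


def check_file(path):
    """Return (status, detail); status is 'match', 'mismatch' or 'unknown'."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        header = fh.read(16)
    expected = SIGNATURES.get(ext)
    if expected is None:
        return ("unknown", f"no signature on file for .{ext or '(none)'}")
    if any(header.startswith(s) for s in expected):
        return ("match", ext)
    found = types_for_header(header)
    if found:
        return ("mismatch", "content looks like " + "/".join(found))
    if looks_like_text(header):
        return ("mismatch", "content is plain text")
    return ("mismatch", "content not recognised")


def scan(root):
    """Walk root and return sorted (relative path, status, detail) for every file."""
    results = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            status, detail = check_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results.append((rel, status, detail))
    return sorted(results)


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def run_demo():
    """Constructed tree: the magazine's trick (a text file renamed to my.sys in the
    Windows folder) beside a real-looking driver, a real jpg, and a pdf posing as a zip."""
    root = tempfile.mkdtemp()
    files = {
        "Windows/my.sys": b"my secret: the password is hunter2\r\n",
        "Windows/System32/disk.sys": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
        "Users/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "Users/backup.zip": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "Users/my secret.txt": b"my secret: the password is hunter2\r\n",
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
    findings = scan(root)
    # Renaming changes nothing about the content, so a known-file hash still hits.
    same_hash = (sha256_of(os.path.join(root, "Windows/my.sys"))
                 == sha256_of(os.path.join(root, "Users/my secret.txt")))
    shutil.rmtree(root)
    return findings, same_hash


if __name__ == "__main__":
    for rel, status, detail in run_demo()[0]:
        print(f"{status:9} {rel}  ({detail})")
```

An `unknown` verdict means the table has no entry for that extension, not that the file is clean; in a real case the table needs to be as complete as the case demands, and files with unlisted or missing extensions go to a separate review pile rather than being skipped.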

Computer Forensics, Malware Analysis & Digital Investigations
