Monday, June 29, 2009

EnScript to Export files by extension

A fellow examiner emailed me asking if I could write an EnScript to quickly export all the existing files in the evidence based solely on their file extensions. This would typically be used for eDiscovery-type cases.

Below is an EnScript that, when run, presents a window asking for two pieces of information. The first is the export folder where you want the files exported to. The second is the list of extensions to use as the export criteria. You can copy and paste whatever extensions you wish, comma separated:



The EnScript will export all the files with matching extensions (case insensitive) to the folder you specify. A subfolder for each extension is made and the corresponding files are placed into their respective folders:



An index.csv file is created that lists every exported file along with its original path in the evidence and its exported filename. A unique number is appended to each exported filename so that two files with the same name cannot overwrite each other.
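The same export logic, sketched in Python over a mounted or already-extracted directory tree. This is an added example, not the EnScript itself and not the author's code. The function name, the `index.csv` column names, and the placement of the unique number before the extension are assumptions, and the sample files are constructed.

```python
import csv
import shutil
import tempfile
from pathlib import Path


def export_by_extension(evidence_root, export_dir, extensions):
    """Copy files whose extension matches (case-insensitively) into
    export_dir/<ext>/ and record each one in export_dir/index.csv."""
    evidence_root, export_dir = Path(evidence_root), Path(export_dir)
    # Accept the comma-separated form typed into the dialog: "doc, .XLS,pdf"
    wanted = {e.strip().lstrip(".").lower() for e in extensions.split(",") if e.strip()}
    export_dir.mkdir(parents=True, exist_ok=True)
    rows, counter = [], 0
    # sorted() gives a deterministic walk, so the numbering is repeatable
    for src in sorted(evidence_root.rglob("*")):
        ext = src.suffix.lstrip(".").lower()
        if not src.is_file() or ext not in wanted:
            continue
        counter += 1
        # Assumed naming: number before the extension keeps same-named files apart
        exported_name = f"{src.stem}_{counter}{src.suffix}"
        dest_dir = export_dir / ext
        dest_dir.mkdir(exist_ok=True)
        shutil.copy2(src, dest_dir / exported_name)  # copy2 keeps timestamps
        rows.append([src.relative_to(evidence_root).as_posix(), f"{ext}/{exported_name}"])
    with open(export_dir / "index.csv", "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["original_path", "exported_file"])  # assumed column names
        writer.writerows(rows)
    return rows


def demo():
    """Build a small constructed tree and export it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, out = Path(tmp, "evidence"), Path(tmp, "export")
        for rel in ("a/report.doc", "b/report.DOC", "b/sheet.xls", "b/notes.txt"):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(rel)
        rows = export_by_extension(root, out, "doc, XLS")
        exported = sorted(p.relative_to(out).as_posix() for p in out.rglob("*") if p.is_file())
        return rows, exported


if __name__ == "__main__":
    print(demo())
```

The two `report` files land in the same `doc` folder under different names, and `index.csv` maps each back to its original path.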




Download Here

6 comments:

Matt Albee Monday, 29 June, 2009  

Hey Lance, hope all is well....! Cool idea, thanks for putting it together, and as always, thanks for sharing.

V Tuesday, 30 June, 2009  

Hey Lance,

I find this to be a mighty useful script. In a typical e-discovery case, what would be your methodology? You use this instead of a custom filter? The other questions would be:
1. Does it export the files with bad signatures or overwritten? (they still have the right extensions)
2. What is your approach towards carved files? You first run this script and only then (if necessary, requested) set up the carving for specific filetypes and export them as search hits into a separate folder?

Thank you again for the script - I will check it as soon as I can.

Anonymous Wednesday, 08 July, 2009  

Hi,
I am examining a case that includes 40 hard disk image files. I added all the image files to one case. I need a script which does the following:
1- It will create a folder (folder name = image file name, excluding the E01 extension) for every image file under the Export Folder.
2- It will create subfolders (folders named after some file extensions) in every created folder.
For example:

folder name:image1
subfolders: doc, xls,avi,mpg

It will do the same again for every image file (image2, ... image40).

3- It will copy doc extension files to the doc subfolder, xls files to the xls folder, etc.

I tried to do this but I couldn't solve it completely. I edited an EnCase built-in script, below.


typedef String[] files;

class MainClass
{
    void Main(CaseClass c)
    {
        EntryClass e;
        // Extensions that each get their own subfolder
        files f{"doc","xls","pdf","txt","rtf"};
        String outputPath;
        LocalFileClass ofolder();

        // One pass per device (image file) in the case
        forall(DeviceClass dev in c.DeviceRoot())
        {
            Console.Write(dev.Name()+"\n");
            outputPath=c.ExportFolder()+"\\"+dev.Name();
            //Console.Write(outputPath.GetFilePath()+"\n");

            // Create <device name>\<extension> under the export folder if it is missing
            for(int i=0;i<f.Count();i++)
            {
                if (LocalMachine.PathExists(outputPath.GetFilePath()+ "\\"+dev.Name()+"\\"+f[i]) == false)
                {
                    LocalMachine.CreateFolder(outputPath.GetFilePath() +"\\"+dev.Name()+"\\"+f[i], ConnectionClass::CREATEFOLDERALL);
                }
            }
            // Root entry of the device; no files are copied yet
            e=dev.GetRootEntry();
            //Console.Write(e.Name()+"\n");
        }
    }
}//MainClass

** I couldn't copy the files to every subfolder. I am waiting for your help. Thanks.

Anonymous Friday, 10 July, 2009  

I sent the last post above. My e-mail: kocamaz.caner@gmail.com

Anonymous Thursday, 18 February, 2010  

Hi Lance, any possibility of getting the source code for the EnScript to Export files by extensions? I'd like to make some specific modifications to my version of your code, but cannot do that without the actual EnScript.

If you do not feel comfortable in providing the source code, I will understand completely.

Thank you for considering my request.
HD

LinuxAdventures Monday, 23 May, 2011  

Hello Lance,
This is a very handy tool. We use it here in the Netherlands (Hague Police Force) to quickly extract files, which we then put in a tool called Forensic Websearch. This tool gives a tactical investigator the possibility to search in digital evidence from a location outside our office.
Is it possible that we (like the colleague above) can obtain the source code from you, so we can make some (minor) modifications to suit our purposes?
If you don't want to provide the code, we fully understand that, and we appreciate all your efforts for making the life of a digital investigator a little easier....
With regards,
Frits van Beukering
frits@digitale-expertise.nl

Computer Forensics, Malware Analysis & Digital Investigations