EnScript to Compare evidence against hash set(s) and export files not in the hash set(s)
On an idea from Timothy LaTulippe, this EnScript was written to basically "de-NIST" your evidence.
This EnScript will compare all the files in the case against whatever hash sets you select (aka all the NIST ones or your own custom Windows hash sets) and then it will export all the files that do not match any of the hash sets, maintaining the original paths.
First, select whatever hash sets you want to use and rebuild your library with the ones you want to include in the comparison:
Then run the EnScript and choose an export path:
If you check the LEF box, a logical evidence file will also be made with all the files that do not match any of your included hash sets.
Download Here
ShareThis
Posts
6 comments:
I ran the script and I keep getting an Error ''Cannot access close file'' what could cause this? rebuilt
Check your export path for your case, it must be a valid path.
I am still getting the same error. I am usuing version 6.15 64bit. Check path ok error comes after 114k of files extracted tried it on 2 seperate cases hard drive for extraction triple the size of image. same result. any thoughts?
Rebuilt
Please contact me by email so we can try and troubleshoot the problem you are encountering.
lance(at)forensickb.com
Lance, I might of had a gremlin in my computer ran your script three times today and it work fine. thanks for a good script. Will Email you.
rebuilt
better late than never, but it appears you get that error if you have multiple instances on EnCase open, as the first instance of encase locks the encase.HASH file in \Program Files\EnCase.
Post a Comment