Friday, August 7, 2009

EnScript to Compare evidence against hash set(s) and export files not in the hash set(s)

On an idea from Timothy LaTulippe, this EnScript was written to basically "de-NIST" your evidence.

This EnScript will compare the hash of every file in the case against whichever hash sets you select (e.g. the NIST sets, or your own custom Windows hash sets) and then export every file that does not match any of those hash sets, preserving the original folder paths.

First, select whatever hash sets you want to use and rebuild your library with the ones you want to include in the comparison:



Then run the EnScript and choose an export path:



If you check the LEF box, a logical evidence file will also be made with all the files that do not match any of your included hash sets.
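The workflow the post describes (hash every file, look each hash up in the union of the selected hash sets, export only the unknown files with their original paths) is shown below as an added Python example. It is not the EnScript from the post and does not model EnCase's hash library or LEF format; it assumes MD5 hash sets stored as one hex digest per line (an assumption made for the example), builds a constructed evidence tree in a temporary directory, and verifies each exported copy against the source hash so a truncated export is reported rather than silently accepted.

```python
"""De-NIST style triage, added example (not the post's EnScript).

Hash every file under an evidence root, drop the ones whose hash appears in
one or more known-file hash sets, and export the rest to a target folder
while preserving their original relative paths.

Assumption: hash sets are plain-text files with one MD5 hex digest per line
('#' comments and blank lines ignored). EnCase's own hash-library format is
not modelled here.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple


def hash_file(path: Path, algo: str = "md5", chunk: int = 1 << 20) -> str:
    """Return the lowercase hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def load_hash_set(lines: Iterable[str]) -> Set[str]:
    """Parse a hash set: one hex digest per line, '#' comments and blanks ignored.
    Digests are normalised to lowercase so a case difference never causes a miss."""
    hashes: Set[str] = set()
    for line in lines:
        token = line.split("#", 1)[0].strip()
        if token:
            hashes.add(token.lower())
    return hashes


def denist(evidence_root: Path, hash_sets: List[Set[str]],
           export_root: Path) -> Tuple[List[str], List[str]]:
    """Compare every file under evidence_root against the union of the selected
    hash sets (the 'rebuild your library with the sets you want' step).
    Files found in no set are copied to export_root under the same relative
    path. Returns (exported_relpaths, matched_relpaths), both sorted."""
    known: Set[str] = set().union(*hash_sets) if hash_sets else set()
    exported: List[str] = []
    matched: List[str] = []
    for dirpath, _, filenames in os.walk(evidence_root):
        for name in sorted(filenames):
            src = Path(dirpath) / name
            rel = src.relative_to(evidence_root).as_posix()
            src_hash = hash_file(src)
            if src_hash in known:
                matched.append(rel)
                continue
            dst = export_root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            # Verify the copy: a full disk or a locked file would otherwise leave
            # a truncated export that no longer matches the evidence item.
            if hash_file(dst) != src_hash:
                raise IOError(f"export verification failed for {rel}")
            exported.append(rel)
    return sorted(exported), sorted(matched)


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed evidence tree and two constructed hash sets in a
    temporary directory, run denist, and return its result."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        export = Path(tmp) / "export"
        # Constructed sample files standing in for an imaged Windows volume.
        files = {
            "Windows/System32/notepad.exe": b"constructed known OS binary",
            "Windows/System32/calc.exe": b"constructed known OS binary 2",
            "Users/bob/Documents/notes.txt": b"constructed user document",
            "Users/bob/Downloads/tool.exe": b"constructed unknown binary",
        }
        for rel, data in files.items():
            p = evidence / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # Two constructed sets standing in for a NIST set and a custom Windows set;
        # the upper-case digest checks that normalisation works.
        nist_set = load_hash_set([
            "# constructed NIST-style set",
            hashlib.md5(b"constructed known OS binary").hexdigest().upper(),
        ])
        custom_set = load_hash_set([
            hashlib.md5(b"constructed known OS binary 2").hexdigest(),
        ])
        exported, matched = denist(evidence, [nist_set, custom_set], export)
        # Every exported file must exist under its original relative path.
        assert all((export / rel).is_file() for rel in exported)
        return exported, matched


if __name__ == "__main__":
    ex, ma = demo()
    print("matched known files (dropped):", ma)
    print("exported unknown files:", ex)
```

Running the script exports only the two files under `Users/bob` and drops the two `System32` files whose digests are in the sets. For real evidence the hash sets would be loaded from files and the hash algorithm chosen to match the sets (NSRL publishes SHA-1 and MD5); the union step is what makes selecting several sets at once behave like a single rebuilt library.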

Download Here

6 comments:

Anonymous Monday, 14 December, 2009  

I ran the script and I keep getting an error, "Cannot access close file". What could cause this? rebuilt

Lance Mueller Monday, 14 December, 2009  

Check your export path for your case, it must be a valid path.

Anonymous Tuesday, 15 December, 2009  

I am still getting the same error. I am using version 6.15 64-bit. Checked the path, it is OK. The error comes after 114k files are extracted. Tried it on 2 separate cases; the hard drive for extraction is triple the size of the image. Same result. Any thoughts?
Rebuilt

Lance Mueller Tuesday, 15 December, 2009  

Please contact me by email so we can try and troubleshoot the problem you are encountering.

lance(at)forensickb.com

Anonymous Thursday, 17 December, 2009  

Lance, I might have had a gremlin in my computer. Ran your script three times today and it worked fine. Thanks for a good script. Will email you.
rebuilt

Fhiyll Thursday, 25 August, 2011  

Better late than never, but it appears you get that error if you have multiple instances of EnCase open, as the first instance of EnCase locks the encase.HASH file in \Program Files\EnCase.


Computer Forensics, Malware Analysis & Digital Investigations
