Thursday, October 29, 2009

EnScript to create LEF with files based on extension

I wrote this EnScript for myself to create a separate Logical Evidence File (LEF) containing only the user-generated files, which simplifies review. It is a modification of the EnScript here that exports files based on extension.

To use it, simply run the EnScript and it will prompt you for a list of extensions. By default most of the common user-generated extensions are already included, but you can add or remove extensions from the list.

Once run, it will grab every file that has an extension in the list you provided and then create a LEF with just those files, maintaining their original paths and metadata. The files are placed in the LEF in a folder corresponding to their extension, making review easier. If you check the first box, the LEF will automatically be loaded into EnCase after it is created. The second box causes all compound files to be automatically mounted: Office files, Zips, Thumbs.db, etc. will all be mounted to reveal their contents and additional metadata.

As a bonus I also created a folder in the LEF called "high ASCII filenames", which will contain any files or folders whose names use characters outside the low ASCII character set. This means it will find and categorize all the foreign-language files that do not use the standard Roman alphabet.
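The selection logic described above, written out as an added Python illustration rather than the EnScript itself (EnCase's API is not reproduced here); the default extension list and the sample paths are constructed for the example, and the decision to list a file under both its extension folder and the high ASCII folder is an assumption:

```python
from collections import defaultdict
import posixpath

# Constructed stand-in for the script's built-in list; the real default list
# is not reproduced in the post.
DEFAULT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pdf", "jpg", "txt", "zip"}

HIGH_ASCII_FOLDER = "high ASCII filenames"


def is_low_ascii(name: str) -> bool:
    """True when every character of the name is in the 7-bit ASCII range."""
    return all(ord(ch) < 128 for ch in name)


def extension_of(path: str) -> str:
    """Lower-cased extension without the dot, or '' when there is none.

    A name that is only a leading dot ('.bashrc') has no extension, and
    only the last component of a multi-dot name counts ('tar.gz' -> 'gz').
    """
    root, ext = posixpath.splitext(posixpath.basename(path))
    return ext[1:].lower() if root and ext else ""


def triage(paths, extensions=DEFAULT_EXTENSIONS):
    """Map LEF folder name -> original paths to place in that folder.

    Matching is case-insensitive on the extension text only (no GREP, as
    the author notes in the comments). A path whose file name or any parent
    folder contains non-low-ASCII characters is also recorded under
    HIGH_ASCII_FOLDER (assumed: it keeps its extension folder entry too).
    """
    wanted = {e.lower().lstrip(".") for e in extensions}
    buckets = defaultdict(list)
    for path in paths:
        ext = extension_of(path)
        if ext in wanted:
            buckets[ext].append(path)
        if not all(is_low_ascii(part) for part in path.split("/")):
            buckets[HIGH_ASCII_FOLDER].append(path)
    return dict(buckets)


# Constructed sample paths (forward slashes used for portability).
SAMPLE_PATHS = [
    "C/Users/jdoe/Documents/report.DOCX",
    "C/Users/jdoe/Documents/budget.xlsx",
    "C/Users/jdoe/Pictures/IMG_0001.jpg",
    "C/Windows/System32/kernel32.dll",
    "C/Users/jdoe/Desktop/résumé.pdf",
    "C/Users/jdoe/Documents/報告書/notes.txt",
    "C/Users/jdoe/.bashrc",
]
```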

Download Here

9 comments:

Anonymous Thursday, 12 November, 2009  

I downloaded it but not sure if it's right. The window doesn't have the 2 checkboxes below the extensions field.

Lance Mueller Thursday, 12 November, 2009  

Not sure what you mean

Anonymous Wednesday, 18 November, 2009  

I can confirm also that the current script running under 6.13 in WinXP does not contain the check boxes mentioned.

Lance Mueller Thursday, 19 November, 2009  

I have just uploaded the latest version, downloaded it and tested it. The current download should be exactly as described.

Anonymous Thursday, 03 December, 2009  

Does this script also use the GREP option, or just the extensions from the file names?

Lance Mueller Thursday, 03 December, 2009  

Only based on the extension text, no GREP.

Anonymous Thursday, 03 December, 2009  

ThNX for the reply, do you know if there's a similar kind of script which does use GREP?

Lance Mueller Thursday, 03 December, 2009  

None that I am aware of, but you could certainly write a condition to display the files based on your GREP and then blue check them and create your own LEF.

Anonymous Tuesday, 12 January, 2010  

I downloaded the most recent version of the script for use but am getting the following error: "SOURCELOGICAL" is an unknown identifier

Any thoughts? Thanks for all your efforts in making this available to the community.

Computer Forensics, Malware Analysis & Digital Investigations