Friday, October 2, 2009

EnScript to search unallocated for built-in File Signatures

This EnScript started as a kind of test EnScript for something else, but I thought others may find it useful.

By default, EnCase is installed with several hundred file signatures preconfigured in the File Signature tab. This EnScript uses those, plus any additional signatures you may have added, and searches unallocated space for whichever ones you select (blue check). So if you select all of them, it will search unallocated for all of them; if you select only the signatures in the graphics folder, only those will be searched. Any file signatures that are found are categorized and bookmarked into a bookmark folder.

When you start the EnScript, a simple window asks whether you want to search on cluster boundaries or sector boundaries. Normally cluster boundary (the default) is the best and fastest choice, since all the signatures should be found only on cluster boundaries. If you want to override this option and search on sector boundaries, check the box. Checking the box will be much slower (about 8 times slower) since it will check the beginning of every sector instead of just the beginning of every cluster.

Once the EnScript is done, it will create a folder in the bookmark tree and then a sub-folder for every file signature that you searched for and that was found in unallocated.
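To make the cluster-versus-sector trade-off concrete, here is an added Python illustration of the scan the post describes. It is not the EnScript itself and not EnCase code: the signature table is a small constructed subset of the kind of entries found in the File Signature tab, the 512-byte sector and 4096-byte cluster sizes are assumptions, and the "unallocated" image is built inline with a few planted headers. The hit dictionary mirrors the bookmark folder / sub-folder layout, and the check counter shows where the "about 8 times slower" figure comes from.

```python
"""Added example: scan a block of "unallocated" bytes for file signatures
at cluster or sector boundaries, as the EnScript described above does.
Illustrative Python, not the EnScript; signature table and test image are
constructed for this example."""

from collections import defaultdict

SECTOR_SIZE = 512       # assumed sector size
CLUSTER_SIZE = 4096     # assumed cluster size: 8 sectors per cluster

# Constructed signature table: category folder -> {name: magic bytes}.
SIGNATURES = {
    "Graphics": {
        "JPEG": b"\xFF\xD8\xFF",
        "PNG": b"\x89PNG\r\n\x1a\n",
        "GIF": b"GIF8",
    },
    "Documents": {
        "PDF": b"%PDF-",
    },
    "Archives": {
        "ZIP": b"PK\x03\x04",
    },
}


def scan_unallocated(data, signatures, step):
    """Check the first bytes of every `step`-sized block for a known signature.

    Returns {category: {name: [offsets]}}, mirroring the bookmark folder and
    sub-folder layout the EnScript creates. Only blocks whose first bytes
    match are reported; a header buried inside a block is deliberately missed,
    which is exactly why the boundary choice matters.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for offset in range(0, len(data), step):
        head = data[offset:offset + 16]
        for category, table in signatures.items():
            for name, magic in table.items():
                if head.startswith(magic):
                    hits[category][name].append(offset)
    return {category: dict(table) for category, table in hits.items()}


def build_sample_image():
    """Constructed 'unallocated' area: four zero-filled clusters with headers
    planted at three different alignments."""
    buf = bytearray(4 * CLUSTER_SIZE)
    # Cluster 0: JPEG header on a cluster boundary (seen by both scans).
    buf[0:3] = b"\xFF\xD8\xFF"
    # Cluster 1, sector 3: PDF header on a sector boundary only.
    off = CLUSTER_SIZE + 3 * SECTOR_SIZE
    buf[off:off + 5] = b"%PDF-"
    # Cluster 2, 100 bytes in: ZIP header on no boundary (missed by both).
    off = 2 * CLUSTER_SIZE + 100
    buf[off:off + 4] = b"PK\x03\x04"
    # Cluster 3: PNG header on a cluster boundary.
    buf[3 * CLUSTER_SIZE:3 * CLUSTER_SIZE + 8] = b"\x89PNG\r\n\x1a\n"
    return bytes(buf)


def count_checks(length, step):
    """Number of block starts examined for a given step (ceiling division).
    Sector scan / cluster scan = CLUSTER_SIZE // SECTOR_SIZE, here 8."""
    return -(-length // step)


if __name__ == "__main__":
    image = build_sample_image()
    for label, step in (("cluster", CLUSTER_SIZE), ("sector", SECTOR_SIZE)):
        print(f"{label} boundary scan ({count_checks(len(image), step)} checks):")
        for category, table in scan_unallocated(image, SIGNATURES, step).items():
            for name, offsets in table.items():
                print(f"  {category}/{name}: offsets {offsets}")
```

Running it shows the cluster scan finding only the JPEG and PNG, the sector scan additionally finding the PDF at a sector-aligned but not cluster-aligned offset, and neither finding the ZIP header planted mid-sector. The sector scan performs eight times as many checks on this 4096/512 geometry, which is the ratio the benchmark below reflects.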

Benchmark: A search for all included file signatures took 3.5 hours over 40 GB of unallocated space with the checkbox selected (searching *every* sector).

A search for all included file signatures took 1.5 hours over 40 GB of unallocated space with the checkbox unselected (searching *every* cluster).

Download Here

1 comment:

Anonymous Wednesday, 20 July, 2011  

Lance, I need this code for EnCase Version 5, could you give me a hand?


Computer Forensics, Malware Analysis & Digital Investigations
