I am currently working on developing some EnScripts to parse .pm dump files that are obtained from using a flasher box (SHU, JAF, etc.). I have several .pm files, but not very many from all the different series that contain useful data. I am currently working on Nokia.
If anyone has any .pm files they are willing to share, specifically with call log info (received, missed, outgoing) and/or contacts and/or SMS messages, I would greatly appreciate it and will certainly share the EnScripts I develop as a result.
I am currently looking for Nokia series 30, 40 and 60 .pm dump files.
If you are able to share (all submissions will only be used internally for the development of EnScripts), please send to lance(at)forensickb(dot)com.
Thursday, August 27, 2009
Saturday, August 22, 2009
A fellow examiner asked for an EnScript that provides the base32 SHA1 hash value for selected files. This EnScript generates the common base16 SHA1 hash value for selected files. In addition, it converts the base16 SHA1 hash value to a base32 SHA1 value for use in LimeWire investigations.
To use, just select the files you want the SHA1 values for and then run the EnScript. The output is in the console tab.
I recently posted an EnScript to provide the hash value of selected text within EnCase.
This is an update to that EnScript; it provides the MD5 hash, SHA1_base16 (hex) hash and SHA1_base32 hash values for those that do LimeWire type investigations.
Sunday, August 16, 2009
I was doing some testing and needed to hash just a portion of some files, not their entire contents. So I decided to write a quick EnScript to hash just the selected characters from within a file.
To use this EnScript, simply select whatever characters you want to include in your hash results and run the EnScript.
The EnScript will automatically determine which file you have text selected in and the number of bytes selected. The EnScript will calculate an MD5 and a SHA1 hash of the selected text:
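The hashing done by the three EnScripts above (whole-file SHA1 in hex and base32, and MD5/SHA1 of a selected byte range) as an added Python example; this is not the EnScript code, and the sample file contents are constructed:

```python
import base64
import hashlib

# Constructed sample "file" contents; in EnCase this would be the file the
# highlighted bytes sit in.
SAMPLE_FILE = b"Header line\r\nSelected text goes here\r\nTrailer\r\n"


def hash_range(data: bytes, offset: int, length: int) -> dict:
    """Hash only data[offset:offset+length], the way the selected-text
    EnScript hashes the highlighted bytes rather than the whole file."""
    if offset < 0 or length < 0 or offset + length > len(data):
        raise ValueError("selection lies outside the file")
    selected = data[offset:offset + length]
    sha1 = hashlib.sha1(selected).digest()
    return {
        "offset": offset,
        "length": length,
        "md5": hashlib.md5(selected).hexdigest(),
        "sha1_base16": sha1.hex(),
        # LimeWire/Gnutella urn:sha1: values are the 20-byte digest in base32:
        # 160 bits = 32 characters of 5 bits, so there is never '=' padding.
        "sha1_base32": base64.b32encode(sha1).decode("ascii"),
    }


def hash_file(data: bytes) -> dict:
    """Whole-file variant, matching the select-files EnScript."""
    return hash_range(data, 0, len(data))


if __name__ == "__main__":
    for key, value in hash_range(SAMPLE_FILE, 13, 23).items():
        print(f"{key}: {value}")
```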
Wednesday, August 12, 2009
I recently released an EnScript that exports files based on extension; you can see the original post and EnScript here.
Based on a request from Timothy LaTulippe and Dave Kleiman, I have made two modifications. There is now a version that maintains the original timestamps of the exported files. The second version maintains the timestamps and the original export path.
You can download them here:
Export file based on extension & Maintain TimeStamps
Export file based on extension & Maintain TimeStamps & Original Path
Friday, August 7, 2009
A few months ago I posted an EnScript and some information about a project by Sgt. Glenn Lang of the Maine State Police. You can find the original post and EnScript here.
Sgt. Lang asked me to post the following message:
Flint Waters and the folks at the Wyoming ICAC have tied our Harvester into their Tool Kit.
It's only been active for a short time, but it has already generated over 40,000 key words to be used in searching for contraband on suspect media.
While I am culling the key words into usable lists I have created a new one from the big list with 265 grep key words that are from some of the most frequently seen CP movies.
If you are interested in this list send me an e-mail and indicate where you are from.
All other items related to this project can be downloaded here:
Password: HasHerGL (it is case sensitive)
Sgt. Glenn Lang
Supervisor / ICAC Commander
Maine State Police Computer Crimes Unit
15 Oak Grove Rd. Vassalboro, Maine 04989
Phone (207) 877-8081
Fax (207) 877-8091
The Top 265 hex keywords are posted here
On a request from a person I consider a friend and whom I have learned a lot from, Pat Lim, I created this EnScript to help parse OSX email messages.
EnCase can parse many different types of emails, but unfortunately emails from the native "Mail" application in OSX are not supported. Pat did some research and figured out the structure of the individual email files typically stored in the /[user]/Library/Mail/POP/Inbox folder. Each email is stored with a .emlx extension.
This EnScript will process selected (blue checked) .emlx files. The individual .emlx files will be reformatted and concatenated into one single file and placed in your default export folder for the case. This single file will be in the MBOX format and can then be added into EnCase and parsed. The emails will show up in the records tab if you select the email parse option from the search dialog, or you can simply right-click on the exported MBOX file and choose "view file structure".
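The .emlx-to-MBOX reformatting described above, as an added Python example (not the EnScript itself). An .emlx file is a decimal byte-count line, then exactly that many bytes of RFC 822 message, then Apple's flags plist; the sample file here is constructed:

```python
# Constructed .emlx sample: count line, message of that length, trailing plist.
MESSAGE = (b"From: alice@example.com\n"
           b"To: bob@example.com\n"
           b"Subject: Hello\n"
           b"\n"
           b"From here on it is the body.\n")
SAMPLE_EMLX = (str(len(MESSAGE)).encode() + b"\n" + MESSAGE +
               b'<?xml version="1.0" encoding="UTF-8"?>\n'
               b'<plist version="1.0"><dict><key>flags</key>'
               b"<integer>8590195713</integer></dict></plist>\n")


def parse_emlx(blob: bytes) -> bytes:
    """Return the raw message inside an .emlx file, dropping the length line
    and the trailing plist (which is Mail.app state, not part of the email)."""
    newline = blob.index(b"\n")
    count = int(blob[:newline].strip())
    start = newline + 1
    message = blob[start:start + count]
    if len(message) != count:
        raise ValueError("emlx truncated: length line exceeds file size")
    return message


def to_mbox_entry(message: bytes) -> bytes:
    """Wrap one message as an mbox record: a 'From ' separator line, body
    lines that themselves begin with 'From ' escaped with '>', and a blank
    line after the message so the next separator is recognised."""
    lines = message.replace(b"\r\n", b"\n").split(b"\n")
    escaped = [b">" + ln if ln.startswith(b"From ") else ln for ln in lines]
    body = b"\n".join(escaped)
    if not body.endswith(b"\n"):
        body += b"\n"
    return b"From MAILER-DAEMON Thu Jan  1 00:00:00 1970\n" + body + b"\n"


def concatenate(emlx_blobs) -> bytes:
    """Concatenate many .emlx files into one MBOX byte string."""
    return b"".join(to_mbox_entry(parse_emlx(b)) for b in emlx_blobs)


if __name__ == "__main__":
    print(concatenate([SAMPLE_EMLX, SAMPLE_EMLX]).decode())
```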
On an idea from Timothy LaTulippe, this EnScript was written to basically "de-NIST" your evidence.
This EnScript will compare all the files in the case against whatever hash sets you select (e.g. all the NIST ones or your own custom Windows hash sets) and then it will export all the files that do not match any of the hash sets, maintaining the original paths.
First, select whatever hash sets you want to use and rebuild your library with the ones you want to include in the comparison:
Then run the EnScript and choose an export path:
If you check the LEF box, a logical evidence file will also be made with all the files that do not match any of your included hash sets.
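The de-NIST filter, as an added Python example rather than the EnScript: files whose MD5 is in the selected hash set stay behind, everything else is exported with its original relative path and, as in the export-by-extension post above, its original timestamps. The hash-set format (one hex MD5 per line) is a constructed simplification; real NSRL sets carry more columns but the match is still on the digest.

```python
import hashlib
import shutil
from pathlib import Path


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large evidence files are not read whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hash_set(lines) -> set:
    """Known-file hashes, one hex MD5 per line; case and blank lines ignored."""
    return {line.strip().lower() for line in lines if line.strip()}


def denist_export(evidence_root: Path, export_root: Path, known: set) -> list:
    """Copy every file whose MD5 is NOT in the hash set into export_root,
    keeping its path relative to evidence_root. shutil.copy2 carries the
    source mtime/atime across, like the maintain-timestamps variant.
    Returns the exported relative paths, sorted."""
    exported = []
    for path in sorted(evidence_root.rglob("*")):
        if not path.is_file():
            continue
        if md5_of(path) in known:
            continue                       # known (NIST) file: leave it behind
        rel = path.relative_to(evidence_root)
        dest = export_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        exported.append(rel.as_posix())
    return exported
```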