Wednesday, September 30, 2009

EnScript to Catagorize all files by their extension and then provide a count

Several months ago I did an EnScript to count up all the file extensions and then provide a summary of all the extensions and how many files with each extension. You can find that EnScript here.

This EnScript is similar but it makes a bookmark folder for every file extension and then bookmarks each file into the respective file extension folder for quick review.

The number next to the file extension is the number of files that match that extension. You could use this to quickly look at common file extension types or to identify what file extension types are prevalent on a specific system. Depending on how many files you have in your evidence, this may take several minutes to generate (~5 mins for 100,000 files).

Download Here

Tuesday, September 29, 2009

EnScript to find and bookmark foreign language files & folders

This EnScript was designed to recurse all the evidence and check the name of every file and folder. If the filename or foldername contains an ascii character higher than decimal 127, then it is bookmarked. This catches most languages that do not use the standard roman alphabet.

Run the Enscript and it will display a message if any files/folders are found and they are placed into a bookmark folder.

In the example below, it detected a few files with Thai characters and a few documents with latin characters that are not part of the roman alphabet. The EnScript will also detect other languages such as Arabic, Japanese, Chinese, etc.

Download Here

Monday, September 28, 2009

EnScript to alert you if there is data in the unused disk area of a physical device

This EnScript was designed to quickly scan the sectors classified as "Unused Disk Area" & "Volume Slack" for any data. If any data is found in these areas, then a bookmark of that sector is created and at the end of the EnScript a warning message will be displayed indicating that data was found in this area.

Data in this area is generally not a problem as long as you search and process all objects on the physical device. This is just a quick way to indicate if there is data and a way to quickly review what data exists in that area without having to scroll sector to sector.

Simply run the EnScript and it will check the "Unused Disk Area" of all the physical devices and then display a warning message if data was found. A bookmark is made of every sector that contains data in Unused or Volume Slack. You can then view the bookmark tab and quickly scroll through the bookmarks looking for recognizable data.

Download Here

Sunday, September 27, 2009

EnScript to show what folders have certain file types, calculate total bytes and number of files.

This EnScript was written by a request to display all the folders that contain a certain file type (by extension). The EnScript will also calculate the sum of the file types in each folder and file count in each folder.

Enter the file extensions you want to look for then click "OK". Once it runs, it will spawn Microsoft Excel (required) and populate the worksheet with the calculations:

Download Here

EnScript to summarize visited Internet hosts

This EnScript is meant to provide a quick and easy summary of the hosts that have been parsed using the SEARCH->Internet History function in EnCase.

This EnScript ignores the entire URL and instead just focuses on the host (URL Host column). It will then take all the hosts and count them up based on the hit count and then provide a summary in Excel.

You must select (blue check) whatever history you want to parse, normally the "history" folders, then run the EnScript and it will automatically spawn Microsoft Excel (required) and populate the worksheet.

Download Here

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles