Thursday, October 29, 2009

EnScript to create LEF with files based on extension

I wrote this EnScript for myself to essentially create a separate Logical Evidence File with all the user generated files to simplify review. It is a modification of the EnScript here that exports files based on extension.

To use it, run the EnScript and it will prompt you for a list of extensions. By default most of the common user-generated extensions are already included, but you can add or remove extensions from the list.

Once run, it grabs every file whose extension is in the list you provided and creates a LEF with just those files, maintaining their original paths and metadata. The files are placed in the LEF in a folder corresponding to their extension, making review easier. If you check the first box, the LEF is automatically loaded into EnCase after it is created. The second box causes all compound files to be mounted automatically: Office files, Zips, Thumbs.db, etc. will all be mounted to reveal their contents and additional metadata.

As a bonus, I also created a folder in the LEF called high ASCII filenames, which contains any files/folders whose names use characters outside the low ASCII character set. This means it will find and categorize all the foreign language files that do not use the standard Roman alphabet.

Download Here

EnScript to export x bytes around search hits - UPDATED

A reader asked if I would modify my original EnScript here so that, instead of exporting one HTML file containing all the search hits, it would export one HTML file per search hit. He was dealing with 50,000+ search hits, and the EnScript was creating one huge HTML file that would not load in a browser.

I have therefore modified the original EnScript to create one HTML file for every search hit and to place the files into folders categorized by keyword.

Download Here

EnScript to obtain connected USB devices from System Restore Points (XP)

A reader requested that I modify my original USB information EnScript to work with the snapshot copies of the SYSTEM registry hives that the System Restore service in Windows XP saves in the System Volume Information folder.

I have modified the original EnScript to parse only the registry hives found in the System Volume Information folder. This is a separate EnScript and does not parse the active registry hives, only the ones in the System Volume Information folder.

Download Here

Wednesday, October 28, 2009

EnScript to decode Yahoo chats in unallocated - UPDATED

A few days ago I posted an EnScript to decode Yahoo chat data in unallocated. You can find the original post here.

I have updated the EnScript to bookmark the data and put the decoded chat data in the comment of the bookmark.

I have also updated the pop-up window that displays when invalid data is encountered.

Download Here

Friday, October 23, 2009

EnScript to decode Yahoo chats in unallocated

A while back I created an EnScript to search for keywords that may appear in encrypted Yahoo chat logs in unallocated. You can read about that EnScript here.

After creating that EnScript, I created a second one to parse and decode the encrypted chat logs that you may find in unallocated; that is the EnScript described below.

Before running the EnScript, click the cursor on the first character of the UNIX timestamp of the Yahoo log data found in unallocated. The structure of a Yahoo log record is date, type, user, size, message, then a DWORD of nulls (see below). Once the cursor is on the first byte of the UNIX timestamp, run the EnScript; it will ask for the local Yahoo user name, which is used as the XOR key.

Here is a screenshot of some Yahoo logs in unallocated as well as their structure. Take note of where the cursor is placed (solid blue) before running the EnScript.

Place the cursor on the first byte of the UNIX timestamp and then run the EnScript. It will continue to parse all the messages found until the data structure is no longer valid. After the highlighted data blocks in the picture above, you can see four null bytes, then another UNIX timestamp. The EnScript keeps parsing messages as long as it encounters this structure and/or the values in the TYPE and USER fields are valid.
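The record walk described above, written out as an added Python example (this is not the EnScript from the post). The field order and the user name as XOR key come from the post; the 32-bit little-endian field width, the repeating-key XOR, the validity thresholds and the sample buffer are assumptions constructed for the example:

```python
import struct

# Record layout from the post: date, type, user, size, message, then a DWORD of nulls.
# Assumptions not stated in the post: the four header fields are 32-bit little-endian
# integers and the message is XORed with the local user name repeated to its length.
HEADER = struct.Struct("<IIII")
TERMINATOR = b"\x00\x00\x00\x00"

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; symmetric, so it both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def header_is_valid(ts: int, typ: int, user: int, size: int) -> bool:
    """Constructed sanity limits standing in for the EnScript's 'valid values' check:
    a plausible UNIX timestamp (2000..2030), small type/user codes, bounded size."""
    return 946684800 <= ts <= 1893456000 and typ < 256 and user < 256 and size < 65536

def decode_yahoo_chats(buf: bytes, offset: int, username: str) -> list:
    """Parse records starting at offset (the cursor on the first timestamp byte) and
    stop at the first record whose header or null terminator does not fit the layout."""
    key = username.encode()
    if not key:
        raise ValueError("the local user name is the XOR key and must not be empty")
    messages = []
    while offset + HEADER.size <= len(buf):
        ts, typ, user, size = HEADER.unpack_from(buf, offset)
        if not header_is_valid(ts, typ, user, size):
            break
        start, end = offset + HEADER.size, offset + HEADER.size + size
        if buf[end:end + 4] != TERMINATOR:   # also fails when end runs past the buffer
            break
        text = xor_with_key(buf[start:end], key).decode("utf-8", "replace")
        messages.append((ts, typ, user, text))
        offset = end + 4
    return messages

def encode_record(ts: int, typ: int, user: int, text: str, username: str) -> bytes:
    """Build one record the same way; used here only to construct sample data."""
    body = xor_with_key(text.encode(), username.encode())
    return HEADER.pack(ts, typ, user, len(body)) + body + TERMINATOR

# Constructed "unallocated" buffer: 7 bytes of slack, two chat records, then garbage
# that does not parse as a valid header, which is where the walk must stop.
SAMPLE = (b"\xff" * 7
          + encode_record(1255900000, 6, 0, "hello", "localuser")
          + encode_record(1255900010, 6, 1, "hi there", "localuser")
          + b"\xff" * 16)

if __name__ == "__main__":
    for ts, typ, user, text in decode_yahoo_chats(SAMPLE, 7, "localuser"):
        print(ts, typ, user, text)
```

Starting the walk anywhere other than the first timestamp byte (offset 7 here) fails the header check immediately, which is why the post insists on cursor placement.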

Friday, October 2, 2009

EnScript to search unallocated for built-in File Signatures

This EnScript started as a kind of test EnScript for something else, but I thought others may find it useful.

By default, EnCase is installed with several hundred file signatures preconfigured in the File Signature tab. This EnScript uses those, plus any additional signatures you may have added, and searches unallocated space for the ones you select (blue check). So if you select all of them, it will search unallocated for all of them; if you only select the signatures in the graphics folder, only those will be searched. Any file signatures that are found are categorized and bookmarked into a bookmark folder.

When you start the EnScript, a simple window asks whether you want to search on the cluster boundary or the sector boundary. Normally the cluster boundary (default) is the best and fastest choice, since file headers should be found only on cluster boundaries. If you want to override this and search on sector boundaries, check the box. Checking the box will be much slower (about 8 times slower), since it will check the beginning of every sector instead of just the beginning of every cluster.

Once the EnScript is done, it will create a folder in the bookmark tree and then a sub folder for every file signature that you searched for and was found in unallocated.

Benchmark: a search for all included file signatures took 3.5 hours across 40 GB of unallocated space with the checkbox selected (searching *every* sector).

The same search took 1.5 hours across 40 GB of unallocated space with the checkbox unselected (searching *every* cluster).
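The boundary choice described above, as an added Python example that is not the EnScript from the post. The signature table, folder names, sector/cluster sizes and the planted sample buffer are all constructed for the example; EnCase's own signature list is not used:

```python
SECTOR = 512          # common sector size; used by the "check the box" (slow) mode
CLUSTER = 4096        # a typical NTFS cluster; used by the default (fast) mode

# Constructed signature table standing in for entries from EnCase's File Signature tab;
# folder names mirror how the EnScript groups hits into one bookmark sub folder each.
SIGNATURES = {
    "Graphics/JPEG": b"\xff\xd8\xff",
    "Graphics/PNG": b"\x89PNG\r\n\x1a\n",
    "Archives/ZIP": b"PK\x03\x04",
}

def search_unallocated(buf: bytes, signatures: dict, step: int) -> dict:
    """Test every offset that is a multiple of step for each selected signature and
    return {folder: [offsets]}, the equivalent of one bookmark sub folder per signature."""
    hits = {}
    for off in range(0, len(buf), step):
        for folder, magic in signatures.items():
            if buf.startswith(magic, off):
                hits.setdefault(folder, []).append(off)
    return hits

def checks_performed(buf_len: int, step: int) -> int:
    """Number of boundaries examined; sector mode does CLUSTER // SECTOR times more work."""
    return -(-buf_len // step)

def build_sample() -> bytes:
    """Constructed unallocated space: four clusters of zeros with four headers planted."""
    buf = bytearray(CLUSTER * 4)
    buf[0:3] = SIGNATURES["Graphics/JPEG"]                 # on a cluster boundary
    buf[CLUSTER:CLUSTER + 8] = SIGNATURES["Graphics/PNG"]  # on a cluster boundary
    zip_off = 2 * CLUSTER + 3 * SECTOR                     # sector boundary, not cluster
    buf[zip_off:zip_off + 4] = SIGNATURES["Archives/ZIP"]
    stray = 3 * CLUSTER + 100                              # mid sector: both modes miss it
    buf[stray:stray + 3] = SIGNATURES["Graphics/JPEG"]
    return bytes(buf)

if __name__ == "__main__":
    data = build_sample()
    for label, step in (("cluster", CLUSTER), ("sector", SECTOR)):
        print(label, checks_performed(len(data), step),
              search_unallocated(data, SIGNATURES, step))
```

With 512-byte sectors and 4096-byte clusters the sector mode examines eight times as many offsets, which matches the roughly 8x slowdown reported above; the ZIP header planted mid-cluster is the kind of hit only the slower mode finds.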

Download Here

Computer Forensics, Malware Analysis & Digital Investigations
