Tuesday, December 14, 2010

EnCase Enterprise EnScript to add application descriptors from selected processes in snapshot data

I was recently helping a company set up and deploy EnCase Enterprise on their network. Part of the initial setup process is to create some baselines of their servers & workstations. I recently posted about creating some quick and dirty hash sets here.

In this case, I needed to create some application descriptors to use in machine profiles in EnCase. I prefer to use regular hash sets when doing analysis because they let you identify running processes that are known, and you can also run them against static files (not running).

App descriptors are used exclusively in EnCase Enterprise/FIM. You *could* technically use them in the Forensic/LE edition when you run the "Scan Local Machine" EnScript, but if you feel you need them on your local machine, then I think you have more to worry about than app descriptors. Knock yourself out.

An app descriptor identifies running processes, DLLs and drivers when collecting snapshot data. If you have hash sets loaded into the library, the snapshot's processes are also compared against them, and any process that matches a known or notable hash set is displayed as such. The downside of hash sets is that they work the same way on every machine: you cannot use the hash or any other data in a hash set as part of a machine profile. A machine profile defines which processes are approved or not approved for a particular machine, or for a class of machines (e.g. all the webservers), and it is built from app descriptors. So even with good hash sets in the library, you still need app descriptors to say "this binary is expected here."

EnCase Enterprise includes an EnScript to create app descriptors, but it involves mounting the remote device and honestly, it can take a while, and I am impatient. So I decided I would write an EnScript that allowed me to check each process from the Processes tab under the snapshot data and then quickly add it as an app descriptor. Now, you can do this manually by clicking on each one, one at a time. But as I mentioned, I'm impatient as well as having ADD, therefore I wanted a quick way to find all the processes that matched a hash set, select them and then add them as app descriptors.

The use of this EnScript is pretty straightforward. Select whatever processes under the snapshot->processes tab you want to add, then run the EnScript. The EnScript is "global": you can check processes across multiple snapshots (machines) and they will all be added in one run.

It will then prompt you for a folder where you want to place the new app descriptors. You can add a folder by right-clicking on any object in the tree.

If you don't select a folder, the EnScript will terminate without doing anything. If you don't select at least one process from the snapshot->processes tab, you will receive an error dialog reminding you that you need more coffee, or at least to select one process to add as a descriptor.
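To make the workflow concrete, here is an added example in plain Python. It is not the EnScript from this post and not EnCase's own API (the real class names differ); it is a model of the three objects involved: snapshot process rows with their checkbox state, a library of app descriptor folders that a machine profile draws from, and a separate hash set used only for known/notable tagging. All class names, process rows, paths and hashes are constructed for the example. It shows why a hash-set hit alone can't drive a profile decision, that selections across several snapshots collapse into one descriptor when the binaries are identical, and the two failure modes described above (no folder chosen, nothing selected).

```python
from dataclasses import dataclass
from hashlib import sha1


def fake_hash(label: str) -> str:
    """Constructed stand-in for the digest a snapshot reports for a binary."""
    return sha1(label.encode()).hexdigest()


@dataclass(frozen=True)
class Process:
    """One row of the snapshot->processes tab (hypothetical model)."""
    machine: str
    name: str
    path: str
    hash: str
    selected: bool = False   # the examiner's checkbox


@dataclass(frozen=True)
class AppDescriptor:
    """Identity of one approved binary; machine profiles are built from these."""
    name: str
    path: str
    hash: str


class DescriptorLibrary:
    """Folders of app descriptors (hypothetical model of the descriptor tree)."""

    def __init__(self) -> None:
        self.folders: dict[str, set[AppDescriptor]] = {}

    def add_folder(self, name: str) -> None:
        self.folders.setdefault(name, set())

    def add_from_selection(self, snapshots, folder):
        """Mirror the EnScript's behaviour: no folder -> do nothing; no
        selection -> error; otherwise add one descriptor per distinct
        (name, path, hash) across all snapshots. Returns the count added."""
        if folder is None:
            return 0
        if folder not in self.folders:
            raise KeyError(f"no descriptor folder named {folder!r}")
        selected = [p for snap in snapshots for p in snap if p.selected]
        if not selected:
            raise ValueError("select at least one process in snapshot->processes first")
        target = self.folders[folder]
        before = len(target)
        for p in selected:
            target.add(AppDescriptor(p.name, p.path, p.hash))  # set dedupes identical binaries
        return len(target) - before

    def profile_hashes(self, *folders):
        """Hashes approved by a machine profile made of the given folders."""
        return {d.hash for f in folders for d in self.folders[f]}


def classify(proc, hash_sets, profile):
    """hash_sets: hash -> 'known' | 'notable', machine independent.
    profile: hashes approved for this machine's profile (from descriptors)."""
    if proc.hash in profile:
        return "approved"
    tag = hash_sets.get(proc.hash)
    if tag == "notable":
        return "notable"
    if tag == "known":
        return "known but not approved for this profile"  # a hash set cannot approve it
    return "unknown"


# Constructed sample data: a library hash set and two webserver snapshots.
HASH_SETS = {
    fake_hash("svchost.exe build 6.1"): "known",
    fake_hash("httpd.exe 2.2.17"): "known",
    fake_hash("notepad.exe build 6.1"): "known",
    fake_hash("dropper pretending to be svchost"): "notable",
}

SNAPSHOTS = [
    [  # web01: examiner ticked svchost and httpd
        Process("web01", "svchost.exe", r"C:\Windows\System32", fake_hash("svchost.exe build 6.1"), True),
        Process("web01", "httpd.exe", r"C:\Apache\bin", fake_hash("httpd.exe 2.2.17"), True),
        Process("web01", "notepad.exe", r"C:\Windows\System32", fake_hash("notepad.exe build 6.1")),
    ],
    [  # web02: same svchost ticked again; a look-alike and an unknown left unticked
        Process("web02", "svchost.exe", r"C:\Windows\System32", fake_hash("svchost.exe build 6.1"), True),
        Process("web02", "svchost.exe", r"C:\Users\Public", fake_hash("dropper pretending to be svchost")),
        Process("web02", "updater.exe", r"C:\Temp", fake_hash("never seen before")),
    ],
]


def build_webserver_profile():
    lib = DescriptorLibrary()
    lib.add_folder("Webservers")
    added = lib.add_from_selection(SNAPSHOTS, "Webservers")
    return lib, added


def review(lib, machine_index):
    """Verdict per (name, path) for one snapshot under the Webservers profile."""
    profile = lib.profile_hashes("Webservers")
    return {(p.name, p.path): classify(p, HASH_SETS, profile) for p in SNAPSHOTS[machine_index]}


if __name__ == "__main__":
    lib, added = build_webserver_profile()
    print(f"{added} descriptors created")
    for i, snap in enumerate(SNAPSHOTS):
        for key, verdict in review(lib, i).items():
            print(snap[0].machine, *key, "->", verdict)
```

Three descriptors were ticked but only two are created, because web02's System32 svchost is byte-identical to web01's. The System32 svchost ends up "approved", the one in C:\Users\Public is "notable" even though it carries the same name, and notepad.exe is "known" to the hash set yet still not approved, which is exactly the gap that app descriptors and machine profiles fill.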



Computer Forensics, Malware Analysis & Digital Investigations
