Tuesday, July 31, 2012

EnCase EnScript to list and resolve all the file permissions on a drive

I recently had a need to create a list of users who had data on a disk. One of the solutions I came up with was to go through every file on the disk and look at the owner permission. Once I had the owner's SID, I wanted to get the corresponding username so I used the PsGetSid utility from Sysinternals.

To automate this, I created an EnScript wrapper to recurse through all the files on a disk, get a list of unique SIDs, then pass the SID to the PsGetSid utility, then create a Excel spreadsheet with the SID, username, total number of files that user has and the total number of bytes those files occupy.

The first time you run the EnScript it will ask where the PsGetSid executable is and then remember that for the future. The command line options are in case you are running this EnScript on a non-domain machine, but want to resolve domain SIDs. You can then specify a domain machine to query against by specifying a \\computername -u username -p password option as articulated in the psgetsid syntax help:

Usage: psgetsid [\\computer[,computer2[,...] | @file] [-u Username [-p Password]]] [account | SID]
     -u         Specifies optional user name for login to
                remote computer.
     -p         Specifies optional password for user name. If you omit this
                you will be prompted to enter a hidden password.
     account    PsGetSid will report the SID for the specified user account
                rather than the computer.
     SID        PsGetSid will report the account for the specified SID.
     computer   Direct PsGetSid to perform the command on the remote
                computer or computers specified. If you omit the computer
                name PsGetSid runs the command on the local system,
                and if you specify a wildcard (\\*), PsGetSid runs the
                command on all computers in the current domain.
     @file      PsGetSid will execute the command on each of the computers listed
                in the file.

To run:
Select (blue check) the files you want to process, then run. Once completed, the output will be in the console tab and it can then be selected and pasted into Excel (it's tab delimited). It will look similar to this:


Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles