Monday, July 23, 2012

Updated F-Response + EnCase EnScript = Powerful tool!

A little over two years ago, I was lucky enough to work with Matthew Shannon when he was beginning to develop the scripting object within the F-Response tool. At that time, I posted a proof-of-concept EnScript that used the scripting API of the F-Response tool.

Fast forward two years and the F-Response tool has only become better. Matthew has also enhanced the scripting capability of the F-Response client. These past two years have allowed people to realize the extreme power of the F-response tool when controlled through a scripting language. The COM object of the F-response tool can be controlled by almost any programming language that can "talk" COM. In my previous POC, I wrote a simple EnScript to show how to control the F-response client by installing it, starting it, connecting to it, then doing something with the target disk inside EnCase, then disconnect, stop and remove the client.

A recently updated version of my initial EnScript is provided below to demonstrate the F-Response scripting capability within EnScript and the amazing power of combining the two together. The example EnScript will connect to the specified remote host and simply search for the file named "pagefile.sys" and display some basic metadata in the console if it is found. While this example is a powerful example, your imagination is really the only limit of how you can leverage the scripting capability of the F-Response client within a scripting language, such as EnScript.

The previous version was compiled into an EnPack. This version is uncompiled and easily readable with a text editor. You can easily modify this base source code to perform additional functions.

Download here (EnCase v6) 


Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles