EnCase EnScript to calculate entropy of selected file(s)
I saw a recent post on one of the forensic mailing lists about calculating the entropy of unallocated space to determine the "randomness" of the data to help determine if a wiping utility had been used.
I had written this quick little EnScript a while back to calculate the entropy of any selected file, but since EnCase treats Unallocated Clusters the same as a file (an object within EnCase), it works just fine on calculating the entropy of Unallocated space.
Simply select (blue check) the files you want to calculate and run the EnScript. Each file and the entropy value will be written to the console tab.
Download here (EnCase v6)
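
The calculation behind a per-object entropy value, as an added Python example. This is not the EnScript offered above; it assumes the usual Shannon measure in bits per byte, and the function names and sample buffers are constructed for illustration.

```python
import io
import math
import os
from collections import Counter

CHUNK = 1 << 20  # read 1 MiB at a time so large objects are never loaded whole


def shannon_entropy(stream, chunk_size=CHUNK):
    """Return Shannon entropy in bits per byte (0.0 to 8.0) of a binary stream."""
    counts = Counter()
    total = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        counts.update(chunk)  # iterating bytes yields ints 0..255
        total += len(chunk)
    if total == 0:
        return 0.0  # empty object: nothing to measure
    # H = sum over observed byte values of p * log2(1/p)
    return sum((n / total) * math.log2(total / n) for n in counts.values())


def entropy_report(samples):
    """Map each sample name to the entropy of its bytes."""
    return {name: shannon_entropy(io.BytesIO(data)) for name, data in samples.items()}


# Constructed sample buffers standing in for selected files or unallocated space.
SAMPLES = {
    "zero-filled": bytes(4096),                      # single repeated byte value
    "text": b"The quick brown fox jumps over the lazy dog\n" * 100,
    "uniform": bytes(range(256)) * 16,               # every byte value equally often
    "random": os.urandom(1 << 16),                   # random-looking data
}

if __name__ == "__main__":
    for name, value in entropy_report(SAMPLES).items():
        print(f"{name:12s} Entropy = {value:.4f}")
```

A buffer holding one repeated byte value scores 0.0, and data in which all 256 byte values occur equally often scores 8.0, the upper bound for byte data.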
4 comments:
Hi Lance,
Thank you for this EnScript, I was looking for an EnScript like that for a while!
As I'm not an entropy expert, could you give me/us some information about which entropy indicates a wipe or not (maybe it's not as simple).
In your example, we can see "Entropy = 7.35...". What does it really mean? :)
See this post:
http://www.forensickb.com/2013/03/file-entropy-explained.html
Nice job Lance,
Is the EnScript source code also publicly available?
@emy,
No, but there is a good example in the EnCase EnScript help file.