Tuesday, March 19, 2013

EnCase EnScript to calculate entropy of selected file(s)

I saw a recent post on one of the forensic mailing lists about calculating the entropy of unallocated space to determine the "randomness" of the data to help determine if a wiping utility had been used.

I had written this quick little EnScript a while back to calculate the entropy of any selected file, but since EnCase treats Unallocated Clusters the same as a file (an object within EnCase), it works just fine for calculating the entropy of unallocated space.

Simply select (blue check) the files you want to calculate and run the EnScript. Each file and the entropy value will be written to the console tab.



Download here (EnCase v6)
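For readers without EnCase, the same kind of measurement can be sketched in Python. This is an added example, not the EnScript from this post; it assumes Shannon entropy in bits per byte (a 0 to 8 scale), and the function names and sample data are constructed for illustration.

```python
import math
import os
from collections import Counter
from io import BytesIO

CHUNK = 1 << 20  # read 1 MiB at a time so large exports never sit fully in memory


def stream_entropy(stream, chunk_size=CHUNK):
    """Shannon entropy in bits per byte (0.0 to 8.0) of a binary stream."""
    counts = Counter()
    total = 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        counts.update(block)  # iterating bytes yields ints 0..255
        total += len(block)
    if total == 0:
        return 0.0  # empty input: report 0 instead of dividing by zero
    # H = sum(p * log2(1/p)) over the byte values that actually occur
    return sum((n / total) * math.log2(total / n) for n in counts.values())


def file_entropy(path):
    """Entropy of a file on disk, e.g. an exported unallocated-space file."""
    with open(path, "rb") as fh:
        return stream_entropy(fh)


def constructed_samples():
    """Constructed test data standing in for different kinds of content."""
    return {
        "zero_fill": bytes(4096),                  # all 0x00
        "single_pattern": b"\xAA" * 4096,          # one repeated byte value
        "uniform_bytes": bytes(range(256)) * 16,   # every value equally often
        "os_random": os.urandom(65536),            # random data
        "ascii_text": b"Entropy of selected files in the console tab. " * 100,
    }


def report(samples):
    return {name: stream_entropy(BytesIO(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, h in report(constructed_samples()).items():
        print(f"{name:15s} Entropy = {h:.4f}")
```

A single repeated byte value scores 0, while random data scores close to 8, so both ends of the scale are worth noting when reviewing unallocated space.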

4 comments:

Anonymous Wednesday, 20 March, 2013  

Hi Lance,

Thank you for this EnScript, I was looking for a while for an EnScript like that!

As I'm not an entropy expert, could you give me/us some information about which entropy indicates a wipe or not (maybe it's not as simple).

In your example, we can see "Entropy = 7.35...". What does it really mean? :)

Lance Mueller Wednesday, 20 March, 2013  

See this post:

http://www.forensickb.com/2013/03/file-entropy-explained.html

emy Wednesday, 24 July, 2013  

Nice job Lance,
Is the EnScript source code also publicly available?

Lance Mueller Wednesday, 24 July, 2013  

@emy,

No, but there is a good example in the EnCase EnScript help file.
