Wednesday, October 9, 2013

EnCase EnScript for USB info on Win7/8

I have had several people ask me about an updated EnScript to parse connected USB information from Windows 7/8 machines.

I actually updated the original EnScript a long time ago, but never posted a blog entry about it. You can find the updated versions here:

Parse connected USB info for Windows 7/8 (EnCase v6)
Parse setupapi.dev.log for USB info (EnCase v7)

The latter one is also posted in App Central.

6 comments:

Sean Tuesday, 04 February, 2014  

Hi Lance,
I receive an error in the console window of:
EntryRoot is not a member of class "CaseClass"

If I try to edit the script it drops me into the script window and if I then choose Class Browser and find CaseClass I can see that EntryRoot is not a member - but unsure where to go from there. This is in v7.09.

regards
Sean

Lance Mueller Tuesday, 04 February, 2014  

Sean,

This EnScript was written for EnCase v6.

Lance

Sean Tuesday, 04 February, 2014  

I should have clarified, I'm referring to the script in the second link:

Parse setupapi.dev.log for USB info (EnCase v7)

I also tried the download from AppCentral which says it should work with EnCase v7.06 - or have I misunderstood and it is definitely EnCase 6 only?

rgds
Sean

Lance Mueller Tuesday, 04 February, 2014  

All of those links seem to be v6 versions (not sure why at the moment).

Lance Mueller Tuesday, 04 February, 2014  

The link should be fixed above to point to the v7 version:

http://www.lancemueller.com/blog/Parse%20setupapi.dev.log%20for%20USB%20info_v7.EnPack

Sean Tuesday, 04 February, 2014  

great, thanks - got it and runs fine now


Computer Forensics, Malware Analysis & Digital Investigations