Sunday, October 13, 2013

EnCase EnScript to check files against www.virustotal.com and Bookmark with score

This EnScript submits the hash value of files tagged with the 'VirusTotal' label to Virus Total to see if it is known as malware.

Virus Total provides a free public API here. To use their API, you just sign up for their "community" and you get an API key that allows (4) four requests per minute. If you submit more than four files per minute, the EnScript will go into a wait loop and then resubmit once the one minute limit has expired

This EnScript provides a quick automated way to tag files and then the EnScript will grab their hash values and submit them automatically to Virus Total using your API key. This EnScript comes with a DLL files and an EXE that act as the bridge for the EnScript to submit the hash value to Virus Total.

Once downloaded, just unzip the archive and run the included EnScript (EnPack). The initial screen will ask for your Virus Total API key and the path to the 'VT_Bookmark.exe' file included in the archive.



The EnScript will generate the needed hash value for any file(s) tagged with the 'VirusTotal' tag. It will then send the hash file to Virus Total to see if that hash value is known. If the file with that hash value was previously analyzed, then the VT score is obtained and noted in the bookmark. A zero score would signify that none of the AV engines identified it as malware/dangerous, while any other positive number would signify the number of AV engines that identified it as bad.





The EnScript does not send or transmit any data from within the file(s) you have tagged, it only sends the hash value. Therefore, if the score comes back as zero, that does not necessarily mean the file is safe. It just means that the file with that hash value has never been previously analyzed or it was analyzed before and it is just not detected as malware/dangerous.

The intended use of this EnScript is to identify hash values that have a POSITIVE score to draw attention to those files that should be immediately looked at further  rather than disregarding those that come back with a zero score.


Download Here (EnCase v7)
Download Here (EnCase v6)

3 comments:

Anonymous Monday, 14 October, 2013  

Very cool. Does it work with Encase version 6.x (or only version 7)?

Lance Mueller Monday, 14 October, 2013  

This version was specifically written for v7. If you have a need for v6, contact me directly.

Anonymous Wednesday, 16 October, 2013  

Very cool! I was going to make something like this in a GUI form outside of EnCase. Sweet deal having it all built right in!

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles