Monday, August 18, 2014

EnCase v7 EnScript to find files based on MD5 hash values

I had written a version of this years ago for EnCase v6 and I was recently asked to update it for EnCase v7.

One EnScript listed below will generate a text files of SELECTED files. That text file can then be used on subsequent cases to help find/identify files with the same hash value.

To use, you do not need to generate hash values, the EnScript will do it automatically. The second EnScript is also optimized to first match file sizes first before generating/comparing hash values to help reduce the time needed for the comparison, thus saving the need to hash everything in the case and then using a filter to identify files that match a particular hash set.

Any files found that match the size/hash value in the specified text file are bookmarked for later review/export.

Download v7 EnScript to create text file with name, size & hash for later comparison
Download v7 EnScript to do comparison 

Thursday, April 10, 2014

EnCase v7 EnScript to quickly provide MD5/SHA1 hash values and entropy of selected files

I recently had the need to quickly triage and hash several specific files within a case, but I did not want to (or possibly could not) run the "process evidence" option to generate hash values for *all* files.

EnCase v7 has the ability to generate hash values of selected files through the right-click context menu->Entries->Hash/Sig Selected files.

The downside to this option is that it requires you to close the "evidence" tab and then reopen it, causing you to lose your place/highlighted file.

So I wanted a way to quickly generate the MD5 & SHA1 hash so that I could paste to VirusTotal or use it in some other manner without having to process the entire evidence file and/or reload the evidence tab.

This EnScript will compute the MD5/SHA1 hash value and entropy of each selected (blue checked) file. Due to the way EnCase v7 handles "selected" files now, you must be in the "evidence" tab, select the files you want to process wih the EnScript, then run the EnScript. If you select the files and move to another tab, then run the EnScript, it will not work.

When you run the EnScript, the data will be displayed in the console tab and bookmarks are created:


This allows you to quickly generate a hash value and do something with it (copy & paste) without losing your current view state.

Download EnCase v7 here

(v6 has the ability to do this already, no v6 EnScript is needed)

Thursday, March 20, 2014

EnCase EnScript to show file summary of user's profile by extension

This is another "quick hit" EnScript to generate a quick report on the types of files under a user's profile based on file extensions. The EnScript will automatically create an Excel spreadsheet, with a sheet for each user, showing the total number of files for each extension and the total number of bytes for each extension, percentage for each extension and total bytes for each summary. Folders and files with zero logical size are ignored:

Download EnCase v6 EnScript Here

Wednesday, March 19, 2014

EnCase EnScript to parse each NTUSER.DAT for RecentDocs

This EnScript is another "quick hit" to parse out all the recently accessed files recorded in the user's NTUSER.DAT.


When run, it will parse each NTUSER.DAT and display the results in console, as well as automatically open Excel (Excel is required to be installed on the examiner's machine in order to use this EnScript) and create a worksheet for each user processed:

The EnScript will also create a bookmark for each user. It will put the date the registry key was last modified in the comment section of each file extension for consideration:

Download EnCase v6 here

EnCase EnScript to parse & display recent RDP sessions from user's NTUSER.DAT

This EnScript was designed as a "quick hit" to parse and show the MRU values for the Terminal server client for each user.

The EnScript checks the Software\Microsoft\Terminal Server Client\Default for each NTUSER.DAT and displays/bookmarks any values.

*The link below has been updated to an EnScript that can be run in either v6 & v7.

Download EnCase v6 & v7 here

Monday, March 17, 2014

*Updated* - EnCase EnScript to parse wireless network information for Vista, 7 & 8

I updated the original v6 & v7 EnScripts to now include the date the access point was first connected and the date it was last connected to:

Download EnCase v7 here

Thursday, March 13, 2014

EnCase EnScript to parse wireless network information for Vista, 7 & 8

This EnScript is an update to one I did several years ago for extracting wireless network information on Windows XP systems.

This EnScript supports Windows Vista, Windows 7 & 8. When run, it will search for any SOFTWARE registry hives (Single Files are supported) and extract some useful information and display it in the console as well as make a bookmark.

Example information:

Download EnCase v6 here
Download EnCase v7 here

EnCase EnScript to search for and parse prefetch files in unallocated

Carlos Cajigas and I were recently having dinner and talking over some EnScript ideas. He recommended an EnScript to search for prefetch data in unallocated and then if found, to parse it for some basic data. Prefetch data can be very useful when handling employee misconduct, criminal and malware cases, so I agreed to write one and name it the "losprefetcher" ;).

This EnScript will search Unallocated cluster, pagefile.sys and & $LogFile for the known file signature of a prefetch file (*.pf) and then if found, it will parse out the name of the executable, the last run time and run count. The parsed data is written to the console and to a bookmark:

Download EnCase v6 here
Download EnCase v7 here

Thursday, March 6, 2014

EnCase v7 EnScript to parse USNJRNL

It's hard to believe its been almost six years since I wrote the original EnCase v6  EnScript to parse the $USNJRNL file for Windows XP (when enabled), just as Vista was hitting the scene. Here is the original post and information.

Someone recently contacted me about a version that works in EnCase v7, so I figured I would post the updated version for others. This version works the same as the version written for EnCase v6. It recurses through all the objects in the case and parses the $USNJRNL•$J file. The parsed entries are written to the console as well as to a CSV file created in the case export folder.

The reason codes for what caused the entries to appear in the USNJRNL are referenced here:

Download EnCase v7 EnScript here

Thursday, February 27, 2014

Understanding a Hyper-V server when doing Forensics

Hyper-V is Microsoft's visualization server software. It is very similar to VMware in that it provides a host allowing you to run several 'guest' machines on a single piece of hardware.

When doing incident response/forensics, you may run into one of these servers and need to understand a bit more about how to deal with them.

Hyper-V comes in two flavors (modes):
  • A stand-alone Hyper-V server based on Windows 2012 core OS (current version)
  • A role-based Hyper-V add-in available in Windows server 2008 & 2012
The stand-alone version of Hyper-V server is a complete operating system based on Windows 2012 core (current version) and can can be downloaded for FREE here.

For the Hyper-V Server version (Windows Core), once downloaded, it is installed just like a typical version of Windows, except there is no GUI interface for the user. There will be an initial GUI screen displayed for the login, but once logged in as the administrator, you will typically be presented with two command prompt windows:

From this initial console, you can change some of the options the server uses, such as the hostname, networking options and if remote management is enabled, but there is not much more to see from this console. The Hyper-V server is likely administered via the Hyper-V management console from another Windows based computer. The management console allows you to connect to the Hyper-V server and manage all the virtual guest devices. This management console is part of the administrative tools set that needs to be installed separately on workstations (Windows 7 & 8), but is included on server-class operating systems (2008 & 2012):

However the Hyper-V serer is typically managed, you as a forensic analyst are going to be concerned with two major things:

  • The path to where the virtual disk(s) that are configured for each virtual machine are stored
  • If the virtual machine has any 'snapshots'
If the administrator is cooperative and not part of the investigation, you will want to leverage their knowledge about where the virtual hosts are stored and getting access to the server. The following information could be used to help verify what they are giving you is what you are expecting. If the administrator is not available, then you will have to do the steps below on your own.
The first item is needed so you know what virtual disk files are associated with a specific virtual machine. The easiest way to determine this is to identify the virtual machine of interest in the hyper-V manager and look at its settings by right-clicking and viewing the properties of the hard drive configured for the virtual machine.

The important items to note is the path to where the disk file is stored AND if it notes that there is a snapshot in use. Pressing the "INSPECT" button gives a little more details and view to the path where the disk file for this virtual machine is stored.

A "differencing virtual hard drive" is the terminology used for a disk that uses snapshot technology, allowing the administrator to save the state of the guest host at specific time and then revert back to that snapshot at some point. The reason this is important to know is the same reason when dealing VMware virtual machines. The snapshot data is actually stored in a different file and if you do not get a copy of that file, you will end up with a copy of the base system, but not with the data that represent the current state.

Hyper-V uses *.VHD as the extension for virtual hard drives. Snapshots are stored in a similar file with the extension of *.AVHD. Many Forensic tools can natively read VHD files, which is good. The complication comes in when there are snapshots (differencing files), which most forensic tools DO NOT know how to deal with them.

The Hyper-V manager has a feature named "merge" which allows you to merge snapshots into the base disk file.This feature can be used to apply the various snapshots to the base disk file (VHD) and you will end up with a VHD with all the snapshots applied. If there are multiple snapshots, its important to apply them sequentially one at a time.

In the example below, you can see multiple snapshots exist in the lower "Snapshots" windows. To apply the merge feature, you select the "Edit Disk" option on the right side:

Once you select the "Edit Disk" option a wizard will open up asking you for which VHD or AVHD file to merge. You want to select the OLDEST AVHD file and merge that into the VHD file. Then repeat with the next oldest AVHD file, etc, etc, until you have merged all the AVHD files. This can be done as a non-destructive process, meaning when you merge you can tell the wizard to merge a AVHD file and create a NEW VHD file from that process. My recommendation would be to create a new VHD, leaving the original one intact and allowing you to have various versions with the snapshots applied along the way, which can be loaded into your favorite forensic tools.

Note: You will only get the "MERGE" option if you selected a AVHD file in the step above. If you select the VHD from the file picker dialog, you will not be presented with a MERGE option.

Once you have merged all the snapshots into a VHD, you can then load that VHD into forensic tool  that supports parsing VHD files and it will be displayed with the snapshots applied, in a state as it was when you encountered the machine (assuming the file system used by the virtual host is supported by the forensic tool).

Alternatively, if you are comfortable with PowerShell, you can either locally or remotely use Hyper-V cmdlets to get all the information you need and even do the merging without using the Hyper-V manager GUI.

You may also want to grab copies of the other files present in the same root directory as the VHD & AVHD files, specifically the *.BIN files, which is a saved version of the virtual host's memory. The XML file contains information about the virtual host's configuration, including how much memory it was allocated, etc.

Thursday, February 20, 2014

EnCase EnScript to parse out the VS_VERSION_INFO resource in executables

I wrote this EnScript awhile ago in order to quickly parse out the string resources inside an executable to assist in determining if it was suspicious.

Most executables contain a resource known as "VS_VERSION_INFO". This structure contains metadata about the specific executable, including the manufacturer name, original filename, version info and other useful information. This EnScript specifically targets this resource instead of just running a "strings" search across the entire executable, which often leads to lots of noise.

The information in this resource is what is displayed if/when you right-click on an executable in Windows and  choose the "details" tab.

Looking at this information, while not authoritative or definitive, can commonly give you some initial hints about the legitimacy of a file and/or if it has been renamed from when it was originally compiled. 

The EnScript is designed to be able to check any executable(s) and then run the EnScript. It will then print out the information from this resource to the console tab (and make a bookmark). For example, if I came across an executable in EnCase with the name of "cmd.exe", I can run the EnScript, which will output the following:

This technique goes way back when I wrote the EnScript to extract the embedded icons in an executable. Since EnCase does not show you a graphical representation of the embedded icon, which could be quickly identified or recognized regardless of the filename, I wrote that EnScript in 2005.

This EnScript follows the same line of thinking since there is no easy/quick way to see the VS_VERSION_INFO resource in a file from within EnCase. The raw VS_VERSION_INFO data looks like this in EnCase when looking at the specific data inside a file:

To use, simply check the executable you want to parse and run the EnScript. Each file will get its own bookmark and the formatted text will be displayed in the console tab.

Download EnCase v6 EnScript here

Saturday, February 1, 2014

EnScript to create EnCase v7 hash set from text file

It has been nearly seven years since I posted an EnScript to import hash values from a text file and create a EnCase v6 hash set. That EnScript still remains popular to this day.

The EnScript linked below was written to basically do the same thing for EnCase v7. The hash values in EnCase v7 are stored completely different than in v6 and while I had to create the hash sets in EnCase v6 from scratch, EnCase v7 includes an EnScript API to create the new hash set using the new format.

It still surprises me to this day though that EnCase does not have a feature to import a list of hash values into a hash set from a simple text file. So many examiners and incident responders obtain plain text files that contain hash values from 3rd party tools and commonly don't have the original file, especially with malware databases like Virus Total and Virus Share that provide hash values but you don't necessarily have the file itself to obtain the hash value on your own.

This EnScript was written to read a text file with up to three fields per line:


The order of the fields are not important, they can be in any order. The delimiter can be a space, tab or comma and there should not be a header row with field labels. The EnScript was designed to read/parse an ANSI text file.

Here is a sample input file from

The lines above with the '#' are automatically ignored.

Here is another example file that contains three fields (MD5, SHA1, logical size)  that were extracted from here: using awk:

The above example is a text file that contains the MD5SHA1 that was extracted using AWK.
Once you have a text file with the hash values you want to use (second hash value and logical size are optional), run the EnScript and select the text file:

Specify a name (it will be the name of the directory created that contains all the hash indexes as well as the name displayed inside the EnCase Hash library Manager), Category and a Hash Set Tag.
Once run, a directory containing the EnCase v7 hash set indexes will be created in the default export folder for your case:
You can now add the hash set using the EnCase Manage Hash Library option:


Wednesday, January 29, 2014

EnCase EnScript (v6 & v7) to parse Skype chatsync files for IP addresses (internal & external) of each user

Most people are aware of the SQLite databases that Skype uses and the information they contain. Another common file associated with a Skype chat is the 'chatsync' file. This file is a proprietary format and it contains some very useful information, such as the user names of the people in the chat (even group chats).

In addition to the usernames of each user, each user's local (LAN) and external (WAN) IP addresses are often recorded in this file. This information can be very useful in helping identify or locating a particular user during a specific time. A chatsync file is generally created for each shat "session'.

The beginning of a chatsync file will appear like this:

You can select (blue check) any/all chatsync files in EnCase v6 or 'tag" them with 'chatsync in EnCase v7 and run the below linked EnScript. This EnScript will parse out the IP addresses and write them to the console as well as bookmark the artifacts.

Download Encase EnScript (v6 & v7) here

Tuesday, January 21, 2014

Quick EnCase v6 & v7 EnScript to find files that have been encrypted by Cryptolocker

Many companies and individuals are struggling with the cryptolocker malware that has been making its rounds the past few months. Some have opted to pay, some have taken the loss and reverted to backups (remember those?) , while others have tried to do some data recovery.

I wanted a way to quickly identify the files that have been encrypted by the malware. Finding files on a single host is not such a big deal, but when you have files that are scattered throughout a network share and a host that has access to that share has been infected, things can get very ugly very quick.

One of the first things any enterprise would need to do is identify the files that have been affected. Luckily enough, the authors of the malware provide a mechanism to see a list of files that were encrypted by clicking the "here" link on the ransom message:

The only downside to this approach is that when you suddenly find files on a network share that won't open and appear corrupted (because they wont open and look like random garbage inside) and employees do not realize that someone's host was infected and reached out and encrypted a bunch of files on the network share(s). Now comes the task of identifying all those files so you can quickly get them back from a previous backup (yeah, right).

Files that are encrypted with Cryptolocker are encrypted with AES256 and then the key used to encrypt that file is wrapped in a RSA public key. When a file is encrypted, the RSA blob (that has the encrypted AES key) and a hash of the blob are appended to the beginning of the file.

Therefore, this EnScript quickly looks at every file (regardless of extension) and checks for this unique 'header'. If found, it will bookmark those files for easy identification.

Download here EnCase EnScript v6 & v7 

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles