EnCase EnScript to parse out the VS_VERSION_INFO resource in executables
I wrote this EnScript a while ago in order to quickly parse out the string resources inside an executable to assist in determining if it was suspicious.
Most executables contain a resource known as "VS_VERSION_INFO". This structure contains metadata about the specific executable, including the manufacturer name, original filename, version info and other useful information. This EnScript specifically targets this resource instead of just running a "strings" search across the entire executable, which often leads to lots of noise.
The information in this resource is what Windows displays when you right-click an executable, choose Properties, and open the Details tab.
The EnScript works on whichever executable(s) you have checked: check the files and run it, and it prints the information from this resource to the console tab (and makes a bookmark). For example, if I came across an executable in EnCase with the name of "cmd.exe", I can run the EnScript, which will output the following:
This technique goes way back to when I wrote the EnScript to extract the embedded icons from an executable. Since EnCase does not show you a graphical representation of the embedded icon, which could be quickly identified or recognized regardless of the filename, I wrote that EnScript in 2005.
This EnScript follows the same line of thinking since there is no easy/quick way to see the VS_VERSION_INFO resource in a file from within EnCase. The raw VS_VERSION_INFO data looks like this in EnCase when looking at the specific data inside a file:
Looking at this information, while not authoritative or definitive, can commonly give you some initial hints about the legitimacy of a file, or whether it has been renamed since it was originally compiled.
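The following Python script is an added example and is not the EnScript from this post, nor any code from EnCase. It shows what the resource described above actually looks like on the byte level and what a parser has to do with it: each node is wLength, wValueLength, wType, a NUL-terminated UTF-16LE szKey, padding to a 32-bit boundary, a Value, and then child nodes, so the whole thing is a small recursive tree (VS_VERSION_INFO at the root, StringFileInfo holding one StringTable per language, VarFileInfo holding the Translation list). The sample resource bytes are constructed inline, the vendor and file names in it are made up, and all function names are my own; it locates the block by searching for the UTF-16 key rather than by walking the PE resource directory, which is a quicker carving approach that can hit false positives, so it also insists on a valid VS_FIXEDFILEINFO behind the key. The last function performs the "renamed since it was compiled" check from the paragraph above, comparing OriginalFilename with the name the file has on disk.

```python
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD            # VS_FIXEDFILEINFO.dwSignature
VS_KEY = "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"   # root szKey, NUL-terminated
FILE_TYPES = {1: "VFT_APP", 2: "VFT_DLL", 3: "VFT_DRV", 4: "VFT_FONT", 5: "VFT_VXD", 7: "VFT_STATIC_LIB"}

def _align4(n):
    return (n + 3) & ~3

def build_node(key, value=b"", wtype=0, children=()):
    """Serialize one node (used here only to construct the sample). Layout of every node:
    wLength, wValueLength, wType, szKey (UTF-16LE, NUL-terminated), pad, Value, pad, children."""
    out = bytearray(6)                                  # header, filled in last
    out += key.encode("utf-16-le") + b"\x00\x00"
    out += bytes(_align4(len(out)) - len(out))          # Value starts on a 32-bit boundary
    out += value
    for child in children:
        out += bytes(_align4(len(out)) - len(out))      # so does every child
        out += child
    wvaluelength = len(value) // 2 if wtype == 1 else len(value)   # wType 1 = text, counted in WCHARs
    struct.pack_into("<HHH", out, 0, len(out), wvaluelength, wtype)
    return bytes(out)

def parse_node(buf, offset=0):
    """Parse the node at `offset`; returns (key, value_bytes, wtype, children, end_offset)."""
    wlength, wvaluelength, wtype = struct.unpack_from("<HHH", buf, offset)
    end = offset + wlength
    if wlength < 6 or end > len(buf):                   # also stops a zero-length node looping forever
        raise ValueError("bad wLength %d at offset %d" % (wlength, offset))
    pos = key_end = offset + 6
    while key_end + 1 < end and buf[key_end:key_end + 2] != b"\x00\x00":
        key_end += 2
    key = buf[pos:key_end].decode("utf-16-le", errors="replace")
    pos = _align4(key_end + 2)
    vlen = wvaluelength * 2 if wtype == 1 else wvaluelength
    value = buf[pos:min(pos + vlen, end)]               # never read past this node
    pos = _align4(pos + vlen)
    children = []
    while pos + 6 <= end:
        child = parse_node(buf, pos)
        children.append(child)
        pos = _align4(child[4])
    return key, value, wtype, children, end

def version_info(blob):
    """Flatten a VS_VERSIONINFO blob into {name: text}: the fields Explorer's Details tab shows."""
    key, fixed, _, children, _ = parse_node(blob)
    if key != "VS_VERSION_INFO":
        raise ValueError("root key is %r, not VS_VERSION_INFO" % key)
    info = {}
    if len(fixed) >= 52 and struct.unpack_from("<I", fixed)[0] == VS_FFI_SIGNATURE:
        f = struct.unpack_from("<13I", fixed)            # VS_FIXEDFILEINFO: binary, language-independent
        info["FixedFileVersion"] = "%d.%d.%d.%d" % (f[2] >> 16, f[2] & 0xFFFF, f[3] >> 16, f[3] & 0xFFFF)
        info["FileType"] = FILE_TYPES.get(f[9], "0x%x" % f[9])
    for sfi_key, _, _, tables, _ in children:
        if sfi_key != "StringFileInfo":                 # VarFileInfo only lists language/codepage pairs
            continue
        for _table, _, _, strings, _ in tables:         # one StringTable per language, e.g. "040904B0"
            for name, raw, _, _, _ in strings:
                info[name] = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return info

def carve_version_info(data):
    """Locate the block by its UTF-16 key rather than by walking the PE resource directory. Quick and
    tolerant of damaged files, but a bare key can be a false positive, so also demand a valid
    52-byte VS_FIXEDFILEINFO behind it."""
    start = 0
    while True:
        idx = data.find(VS_KEY, start)
        if idx < 0:
            return None
        off = idx - 6                                   # the 6-byte header precedes szKey
        if off >= 0:
            wlength, wvaluelength, _ = struct.unpack_from("<HHH", data, off)
            fixed_at = off + _align4(6 + len(VS_KEY))
            if (wvaluelength == 52 and off + wlength <= len(data) and fixed_at + 4 <= len(data)
                    and struct.unpack_from("<I", data, fixed_at)[0] == VS_FFI_SIGNATURE):
                return data[off:off + wlength]
        start = idx + 2

def renamed_since_build(info, on_disk_name):
    """True when OriginalFilename disagrees with the current name; None if the resource makes no claim."""
    original = info.get("OriginalFilename")
    return None if not original else original.strip().lower() != on_disk_name.strip().lower()

# Constructed sample (not bytes from any real binary): a file sitting on disk as cmd.exe whose
# resource says it was built as svchelper.exe by a made-up vendor, i.e. the renamed case.
def _string(name, text):
    return build_node(name, (text + "\x00").encode("utf-16-le"), wtype=1)

_FIXED = struct.pack("<13I", VS_FFI_SIGNATURE, 0x10000, (6 << 16) | 1, (7601 << 16) | 17514,
                     (6 << 16) | 1, (7601 << 16) | 17514, 0x3F, 0, 0x40004, 1, 0, 0, 0)  # 6.1.7601.17514, VFT_APP
SAMPLE_BLOB = build_node("VS_VERSION_INFO", _FIXED, 0, [
    build_node("StringFileInfo", b"", 1, [build_node("040904B0", b"", 1, [
        _string("CompanyName", "Example Corp"), _string("FileDescription", "Example helper service"),
        _string("OriginalFilename", "svchelper.exe"), _string("FileVersion", "6.1.7601.17514")])]),
    build_node("VarFileInfo", b"", 1, [build_node("Translation", struct.pack("<HH", 0x0409, 0x04B0))])])
SAMPLE_FILE = b"MZ" + bytes(30) + SAMPLE_BLOB + bytes(8)    # stand-in for the whole file on disk
```

On a real file, `version_info(carve_version_info(open(path, "rb").read()))` returns the same kind of dictionary, and `renamed_since_build(info, "cmd.exe")` is the one-line version of the hint the paragraph above describes. The proper way to reach the block is the PE resource directory (resource type RT_VERSION, 16), which the carving shortcut skips; and whichever way you get there, the strings are whatever the compiler was told to write, so, as the post says, treat a match as a hint and a mismatch as a lead, not as proof.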
To use, simply check the executable you want to parse and run the EnScript. Each file will get its own bookmark and the formatted text will be displayed in the console tab.
Download EnCase v6 EnScript here