Thursday, March 20, 2014

EnCase EnScript to show file summary of user's profile by extension

This is another "quick hit" EnScript to generate a quick report on the types of files under a user's profile based on file extensions. The EnScript will automatically create an Excel spreadsheet, with a sheet for each user, showing the total number of files for each extension and the total number of bytes for each extension, percentage for each extension and total bytes for each summary. Folders and files with zero logical size are ignored:



Download EnCase v6 EnScript Here

Wednesday, March 19, 2014

EnCase EnScript to parse each NTUSER.DAT for RecentDocs

This EnScript is another "quick hit" to parse out all the recently accessed files recorded in the user's NTUSER.DAT.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

When run, it will parse each NTUSER.DAT and display the results in console, as well as automatically open Excel (Excel is required to be installed on the examiner's machine in order to use this EnScript) and create a worksheet for each user processed:


The EnScript will also create a bookmark for each user. It will put the date the registry key was last modified in the comment section of each file extension for consideration:



Download EnCase v6 here

EnCase EnScript to parse & display recent RDP sessions from user's NTUSER.DAT

This EnScript was designed as a "quick hit" to parse and show the MRU values for the Terminal server client for each user.

The EnScript checks the Software\Microsoft\Terminal Server Client\Default for each NTUSER.DAT and displays/bookmarks any values.



*The link below has been updated to an EnScript that can be run in either v6 & v7.

Download EnCase v6 & v7 here

Monday, March 17, 2014

*Updated* - EnCase EnScript to parse wireless network information for Vista, 7 & 8

I updated the original v6 & v7 EnScripts to now include the date the access point was first connected and the date it was last connected to:


 
Download EnCase v7 here

Thursday, March 13, 2014

EnCase EnScript to parse wireless network information for Vista, 7 & 8



This EnScript is an update to one I did several years ago for extracting wireless network information on Windows XP systems.

This EnScript supports Windows Vista, Windows 7 & 8. When run, it will search for any SOFTWARE registry hives (Single Files are supported) and extract some useful information and display it in the console as well as make a bookmark.

Example information:



Download EnCase v6 here
Download EnCase v7 here

EnCase EnScript to search for and parse prefetch files in unallocated

Carlos Cajigas and I were recently having dinner and talking over some EnScript ideas. He recommended an EnScript to search for prefetch data in unallocated and then if found, to parse it for some basic data. Prefetch data can be very useful when handling employee misconduct, criminal and malware cases, so I agreed to write one and name it the "losprefetcher" ;).

This EnScript will search Unallocated cluster, pagefile.sys and & $LogFile for the known file signature of a prefetch file (*.pf) and then if found, it will parse out the name of the executable, the last run time and run count. The parsed data is written to the console and to a bookmark:





Download EnCase v6 here
Download EnCase v7 here

Thursday, March 6, 2014

EnCase v7 EnScript to parse USNJRNL


It's hard to believe its been almost six years since I wrote the original EnCase v6  EnScript to parse the $USNJRNL file for Windows XP (when enabled), just as Vista was hitting the scene. Here is the original post and information.

Someone recently contacted me about a version that works in EnCase v7, so I figured I would post the updated version for others. This version works the same as the version written for EnCase v6. It recurses through all the objects in the case and parses the $USNJRNL•$J file. The parsed entries are written to the console as well as to a CSV file created in the case export folder.


The reason codes for what caused the entries to appear in the USNJRNL are referenced here:
http://msdn.microsoft.com/en-us/library/aa365722(VS.85).aspx

Download EnCase v7 EnScript here

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles