Thursday, April 10, 2014

EnCase v7 EnScript to quickly provide MD5/SHA1 hash values and entropy of selected files

I recently had the need to quickly triage and hash several specific files within a case, but I did not want to (or possibly could not) run the "process evidence" option to generate hash values for *all* files.

EnCase v7 has the ability to generate hash values of selected files through the right-click context menu->Entries->Hash/Sig Selected files.




The downside to this option is that it requires you to close the "evidence" tab and then reopen it, causing you to lose your place/highlighted file.

So I wanted a way to quickly generate the MD5 & SHA1 hash so that I could paste to VirusTotal or use it in some other manner without having to process the entire evidence file and/or reload the evidence tab.

This EnScript will compute the MD5/SHA1 hash value and entropy of each selected (blue checked) file. Due to the way EnCase v7 handles "selected" files now, you must be in the "evidence" tab, select the files you want to process with the EnScript, then run the EnScript. If you select the files and move to another tab, then run the EnScript, it will not work.

When you run the EnScript, the data will be displayed in the console tab and bookmarks are created:



 

This allows you to quickly generate a hash value and do something with it (copy & paste) without losing your current view state.

Download EnCase v7 here

(v6 has the ability to do this already, no v6 EnScript is needed)

Computer Forensics, Malware Analysis & Digital Investigations
