Monday, August 18, 2014

EnCase v7 EnScript to find files based on MD5 hash values

I had written a version of this years ago for EnCase v6 and I was recently asked to update it for EnCase v7.

One EnScript listed below will generate a text file of SELECTED files. That text file can then be used on subsequent cases to help find/identify files with the same hash value.

You do not need to generate hash values before using it; the EnScript does that automatically. The second EnScript is also optimized to match file sizes first, before generating/comparing hash values, which reduces the time needed for the comparison. This avoids having to hash everything in the case and then use a filter to identify files that match a particular hash set.

Any files found that match the size/hash value in the specified text file are bookmarked for later review/export.
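The size-first comparison described above, sketched in Python as an added example (this is not the EnScript offered for download, and it does not use the EnCase API). The tab-separated name/size/MD5 layout of the text file and all function names are assumptions, since the post does not give the file format.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=1 << 20):
    """Stream the file in chunks so large files are never held in memory whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def load_hash_list(lines):
    """Parse 'name<TAB>size<TAB>md5' lines (assumed layout) into {size: {md5: name}}."""
    by_size = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue
        name, size, digest = line.split("\t")
        by_size.setdefault(int(size), {})[digest.lower()] = name
    return by_size

def find_matches(root, by_size):
    """Return (sorted matches, number of files hashed); only size matches get hashed."""
    matches, hashed = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            candidates = by_size.get(os.path.getsize(path))
            if candidates is None:
                continue  # size is not in the list: skip without hashing
            hashed += 1
            listed_name = candidates.get(md5_of(path))
            if listed_name is not None:
                matches.append((path, listed_name))
    return sorted(matches), hashed

def demo():
    """Constructed sample: three files on disk, one entry in the hash list."""
    known = b"known content"
    samples = {"a.bin": known, "b.bin": b"other content", "c.bin": b"short"}
    with tempfile.TemporaryDirectory() as root:
        for fn, data in samples.items():
            with open(os.path.join(root, fn), "wb") as f:
                f.write(data)
        listing = ["original.doc\t%d\t%s" % (len(known), hashlib.md5(known).hexdigest())]
        matches, hashed = find_matches(root, load_hash_list(listing))
        return [(os.path.basename(p), n) for p, n in matches], hashed
```

In the constructed sample, `b.bin` has the same size as the listed file, so it is hashed and rejected, while `c.bin` is skipped on size alone.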

Download v7 EnScript to create text file with name, size & hash for later comparison
Download v7 EnScript to do comparison 

3 comments:

Brian Rosenthal Tuesday, 31 March, 2015  

Hello Lance,

Can you direct me to Encase 6 version of this script? Also, do you have or know of a script that takes a list of files and their full paths and tags them within the case?

Thanks,
Brian

Lance Mueller Tuesday, 31 March, 2015  
This comment has been removed by the author.
Lance Mueller Tuesday, 31 March, 2015  

Hi Brian,

Can you contact me at lance (at) forensickb (dot) com?

Lance


Computer Forensics, Malware Analysis & Digital Investigations
