Monday, December 28, 2015

EnCase v7 EnScript to export files by extention

This is an updated version of an EnScript I wrote in 2009 to export files in a case based on file extensions. The original description & EnScript is here.

This version was rewritten for EnCase v7 with exactly the same functionality.

Download v7 here

Friday, November 6, 2015

EnCase EnScript to find files on remote systems by MD5 hash - GO FETCH!

I have had a few recent requests for an EnCase Enterprise EnScript to help find files on remote systems. The following EnScript accepts a plain text file (ASCII or Unicode) that contains MD5 hash values, one per line. The EnScript also contains a condition feature that allows the user to refine what files on the remote system they want to hash and compare to the list. Choose a text file, define a condition, go fetch.

The logical choice is to define a condition that contains specific file sizes (logical size). This will cause the EnScript to only hash the remote files that match the file sizes (or path or other criteria) you specify, dramatically speeding up the searching process.

The initial screen prompts for the role, a list of target systems (hostnames, IP addresses or IP ranges) you want to search and a text file that contains MD5 hash values:

The next screen allows you to define a condition. I strongly recommend using the logical size to reduce the number of remote files that need to be hashed and then compared with your list. If you do not have logical sizes of the files you want to search for, you can use other criteria such as name, path or other metadata, if feasible. Its important to remember that this is a normal condition used by EnCase, therefore if you do not specify any criteria (and leave it blank), no remote files will match that criteria and no files will ever match. So, if you do not have any criteria to help refine and reduce the remote files that need to be hashed and compared, you need to at least define a filter that includes everything, such as logical size >0.

Once launched, any files that match your filter criteria are hashed and then compared against the list of MD5 hash values you provided. If a file's MD5 matches, a LEF is created (in the case's default export folder) that contains all the files on that volume & host that match the MD5 hash values. Original paths are maintained:


Saturday, May 23, 2015

EnCase v7 EnScript to check files to VirusTotal - Updated

In October 2013, I wrote an EnScript that checked files that are tagged with the "VirusTotal" tag to VirusTotal. That original EnScript simply calculated the hash value of the tagged files and then sent it to VirusTotal for evaluation using their API. The original EnScript used an external EXE (VTBookmark.exe) that I wrote in C# to do the actual communication to the VirusTotal website.

I have updated this EnScript to include the name of the detected malware that each AV product associates with the hash value. 

I have also rewritten it to no longer require the external "VTBookmark.exe" application. All the processing and communications are handled natively by EnScript now.

When using this EnScript, any hash value that has a positive value (> 0) is bookmarked. The console pane will display the status of each hash value, but only those with a positive value are bookmarked.  Each hash value can have one of three values:
  1. A score of '0' signifies a hash value that is known to VirusTotal, but is not identified by any of the AV products as a risk.
  2. A score greater than zero (> 0) represents the number of AV products that recognize the hash value as a potential risk
  3. A score of '-1' signifies a hash value that is unknown to VirusTotal. This means the file contents have never been sent and/or analyzed by the AV products.
VirusTotal restricts the use of a public API key to four requests per minute. Therefore, if you tag more than four files, the EnScript will pause in order to wait for the time restriction applied to public (free) API keys. The console will indicate when this is happening:

When run, you can choose to tag specific files (recommended when using a public API key) or not have any 'VirusTotal' tag and the EnScript will conduct a file signature analysis and send the hash values of all identified executable files to Virus Total (recommended only if you have a private API key).

This EnScript can be used with a private VirusTotal key with no time limit restrictions and can process several thousand hash values per hour.

Download v7 EnScript here

Thursday, May 21, 2015

CEIC 2015 - EnScripting for EnVestigators

Below is a link to the slides from my presentation at CEIC 2015, as well as some example EnScripts.

PPT slides
Example EnScripts

Sunday, May 10, 2015

EnCase v7 EnScript to create LEF based on condition

A reader recently asked if I could create an EnScript that would create a LEF based on a condition. Unfortunately, the reader wanted to use it with the free EnCase Imager program, which does not support creating LEFs or using the ConditionClass.

However, I did create an EnScript that can be used with EnCase Forensic/Enterprise, which will create a LEF based on condition criteria that you can define.

When run, the EnScript will ask for a location where to save the logical evidence file. The EnScript will initially assume the case default export folder unless set otherwise:

The EnScript will then go through all the devices/evidence files loaded in the case and apply a condition that you can define:

 The EnScript will create a LEF containing all the files that match the criteria you define. A separate LEF is created for each device/evidence file:


Tuesday, May 5, 2015

EnCase v7 EnScript to Parse PST Email Metadata to Excel

A friend recently asked me for an easy way to export some of the common metadata from a PST file within EnCase. You can easily export data from the records view and even include columns that are not typically displayed by selecting the small down-arrow on the far right side and select the columns you want displayed:

But he wanted a way to quickly show some of the common fields, including attachments, in a spreadsheet. This EnScript grabs some of the common fields and builds an Excel spreadsheet automatically:

This EnScript requires Microsoft Excel be installed on the same computer where it is run from. When run, the EnScript will parse all .PST file found in the case.

 Download here

Wednesday, April 1, 2015

EnCase v7 EnScript to carve RecentFileCache.bcf data from selected file(s)

The following EnScript can be used to quickly search for and parse RecentFileCache data from memory images, unallocated space or the allocated RecentFileCache.bcf file.

To use, simple blue check whatever file(s) you want to process, then run the EnScript.

Output is to the console and bookmarks:


Download EnCase v7 EnScript here

EnCase v7 EnScript to report on file types by extension

Several years ago I wrote a quick EnScript to produce a quick report of how many files with each extension were found in the case. That EnScript was originally written for EnCase v6 and not compiled so it could be used as a learning exercise.

I recently had a request to update this EnScript for EnCase v7 and to add the byte count for each extension.

The output goes to a TSV file in the case export folder and to the console:

Extension: txt    Count: 9    Size:6787
Extension: csv    Count: 16    Size:1357315
Extension: dat    Count: 9    Size:2129920
Extension: sqlite    Count: 4    Size:11272192
Extension: log    Count: 35    Size:4739968
Extension: evtx    Count: 9    Size:3772416
Extension: fls    Count: 1    Size:0
Extension: mft    Count: 1    Size:52166656
Extension: raw    Count: 1    Size:1073741824
Extension: pf    Count: 129    Size:7745128
Extension: db    Count: 7    Size:4099460
Extension: bin    Count: 1    Size:508
Extension: fx    Count: 5    Size:9060831

Download EnCase v7 EnScript Here

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles