EnCase v7 EnScript to carve RecentFileCache.bcf data from selected file(s)
The following EnScript can be used to quickly search for and parse RecentFileCache data from memory images, unallocated space or the allocated RecentFileCache.bcf file.
To use, simple blue check whatever file(s) you want to process, then run the EnScript.
Output is to the console and bookmarks:
c:\windows\system32\lsass.exe
c:\windows\system32\lsm.exe
c:\windows\system32\oobe\windeploy.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\winsat.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\mcbuilder.exe
c:\windows\system32\winhost.exe
c:\windows\system32\logonui.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\userinit.exe
Download EnCase v7 EnScript here
To use, simple blue check whatever file(s) you want to process, then run the EnScript.
Output is to the console and bookmarks:
c:\windows\system32\lsass.exe
c:\windows\system32\lsm.exe
c:\windows\system32\oobe\windeploy.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\winsat.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\mcbuilder.exe
c:\windows\system32\winhost.exe
c:\windows\system32\logonui.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\userinit.exe
Download EnCase v7 EnScript here
ShareThis
Posts
2 comments:
What filters does EnCase not support?
Sorry, I am not sure I understand what you are asking?
Post a Comment