Saturday, May 23, 2015

EnCase v7 EnScript to check files to VirusTotal - Updated

In October 2013, I wrote an EnScript that checked files tagged with the "VirusTotal" tag against VirusTotal. That original EnScript simply calculated the hash value of each tagged file and sent it to VirusTotal for evaluation through their API. The original EnScript relied on an external EXE (VTBookmark.exe) that I wrote in C# to handle the actual communication with the VirusTotal website.

I have updated this EnScript to include the name of the detected malware that each AV product associates with the hash value.

I have also rewritten it so that it no longer requires the external "VTBookmark.exe" application. All processing and communication is now handled natively in EnScript.

When using this EnScript, any hash value with a positive score (> 0) is bookmarked. The console pane displays the status of every hash value, but only those with a positive score are bookmarked. Each hash value receives one of three scores:
  1. A score of '0' signifies a hash value that is known to VirusTotal but is not identified by any of the AV products as a risk.
  2. A score greater than zero (> 0) is the number of AV products that recognize the hash value as a potential risk.
  3. A score of '-1' signifies a hash value that is unknown to VirusTotal, meaning the file contents have never been submitted to or analyzed by the AV products.
VirusTotal restricts a public API key to four requests per minute. Therefore, if you tag more than four files, the EnScript will pause to wait out the time restriction applied to public (free) API keys. The console will indicate when this is happening:

When run, you can either tag specific files (recommended when using a public API key), or apply no 'VirusTotal' tag at all, in which case the EnScript conducts a file signature analysis and sends the hash values of all identified executable files to VirusTotal (recommended only if you have a private API key).

This EnScript can also be used with a private VirusTotal key, which has no rate restriction, and can then process several thousand hash values per hour.
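
The workflow described above, written out in Python as an added example rather than the EnScript from this post: hash the file, send only the hash to the VirusTotal v2 file/report endpoint that the 2015 EnScript used, map the reply to the -1 / 0 / > 0 score, collect the per-engine malware names, and pause when a public key's four-requests-per-minute quota is reached. The sample replies, the engine names and the placeholder key are constructed for the example; the endpoint URL and the `response_code`, `positives` and `scans` fields are the real v2 API shape.

```python
# Added example in Python, not the EnScript from the post: the same hash-check
# workflow against the VirusTotal v2 file/report endpoint the 2015 EnScript used.
# Scores follow the post: -1 unknown hash, 0 known and clean, >0 = detections.
import hashlib
import json
import time
import urllib.parse
import urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks; only the digest is ever sent to VirusTotal."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def fetch_report(api_key, file_hash, opener=urllib.request.urlopen):
    """GET the v2 report for one hash. HTTP 204 means the request quota was
    exceeded and must not be mistaken for an unknown hash."""
    query = urllib.parse.urlencode({"apikey": api_key, "resource": file_hash})
    with opener(f"{VT_REPORT_URL}?{query}", timeout=30) as resp:
        if resp.status == 204:
            raise RuntimeError("VirusTotal quota exceeded (HTTP 204); retry later")
        return json.loads(resp.read().decode("utf-8"))

def score_from_report(report):
    """response_code 1 = VirusTotal knows the hash and 'positives' counts the
    engines flagging it; anything else = never submitted, hence -1."""
    if not report or report.get("response_code") != 1:
        return -1
    return int(report.get("positives", 0))

def detections(report):
    """{engine: malware name} for every AV engine that flagged the hash."""
    if score_from_report(report) <= 0:
        return {}
    return {engine: scan.get("result") or "(unnamed)"
            for engine, scan in report.get("scans", {}).items()
            if scan.get("detected")}

class PublicKeyRateLimiter:
    """Public keys get 4 requests per minute: pause before the 5th request in
    any rolling 60 s window. clock/sleep are injectable for offline tests."""
    def __init__(self, max_requests=4, window=60.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_requests, self.window = max_requests, window
        self._clock, self._sleep = clock, sleep
        self._sent = []  # timestamps of requests still inside the window

    def wait(self):
        """Block until a request may be sent; return the seconds paused."""
        now = self._clock()
        self._sent = [t for t in self._sent if now - t < self.window]
        paused = 0.0
        if len(self._sent) >= self.max_requests:
            paused = self.window - (now - self._sent[0])
            print(f"Public API quota reached, pausing {paused:.0f}s ...")
            self._sleep(paused)
            self._sent.pop(0)
        self._sent.append(self._clock())
        return paused

def check_hashes(hashes, api_key, limiter, fetch=fetch_report):
    """Print a status line per hash (the console pane) and return only the
    hashes scoring > 0, i.e. the ones the EnScript would bookmark."""
    bookmarks = {}
    for file_hash in hashes:
        limiter.wait()
        report = fetch(api_key, file_hash)
        score = score_from_report(report)
        print(f"{file_hash}  score={score}")
        if score > 0:
            bookmarks[file_hash] = detections(report)
    return bookmarks

# Constructed replies in the v2 response shape (not real VirusTotal data) so
# the logic above can be exercised with no API key and no network access.
SAMPLE_REPORTS = {
    "11" * 32: {"response_code": 1, "positives": 2, "total": 3, "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic.Sample"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": True, "result": "Sample.Dropper"}}},
    "22" * 32: {"response_code": 1, "positives": 0, "total": 3, "scans": {}},
    "33" * 32: {"response_code": 0, "verbose_msg": "not present"},
}

def sample_fetch(api_key, file_hash):
    """Offline stand-in for fetch_report that serves SAMPLE_REPORTS."""
    return SAMPLE_REPORTS.get(file_hash, {"response_code": 0})

if __name__ == "__main__":
    found = check_hashes(SAMPLE_REPORTS, "PUBLIC_KEY_PLACEHOLDER",
                         PublicKeyRateLimiter(), sample_fetch)
    for file_hash, names in found.items():
        print("bookmark:", file_hash, names)
```

To run it against the live service, pass `fetch_report` instead of `sample_fetch` together with your own key; with a private key the quota pause can be relaxed by constructing `PublicKeyRateLimiter` with a larger `max_requests`. As in the EnScript, nothing but the hash leaves the examiner's machine, and a 204 reply is treated as "quota exceeded" rather than "unknown hash" so that a throttled lookup is never silently recorded as -1.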

Download v7 EnScript here

Thursday, May 21, 2015

CEIC 2015 - EnScripting for EnVestigators

Below is a link to the slides from my presentation at CEIC 2015, as well as some example EnScripts.

PPT slides
Example EnScripts

Sunday, May 10, 2015

EnCase v7 EnScript to create LEF based on condition

A reader recently asked if I could create an EnScript that would create a LEF based on a condition. Unfortunately, the reader wanted to use it with the free EnCase Imager program, which does not support creating LEFs or using the ConditionClass.

However, I did create an EnScript for EnCase Forensic/Enterprise that will create a LEF based on condition criteria that you define.

When run, the EnScript will ask for a location in which to save the logical evidence file. It initially assumes the case's default export folder unless set otherwise:

The EnScript will then go through all the devices/evidence files loaded in the case and apply a condition that you can define:

The EnScript will create a LEF containing all the files that match the criteria you define. A separate LEF is created for each device/evidence file:
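
The selection logic behind this post, as an added Python example that is not the EnScript itself. EnCase's ConditionClass and the L01 logical evidence file format exist only inside EnCase, so here a condition is a composable predicate over file records (extension, size, last-written date, combined with and/or/not), the matches are grouped per device exactly as the EnScript produces one LEF per device, and each group is written to a zip archive with a SHA-256 manifest as a stand-in for the LEF. The `FileRecord` type, the helper names, the sample records and their contents are all constructed for the example.

```python
# Added example in Python, not the EnScript from the post: the selection logic
# behind "create a LEF based on a condition". ConditionClass and the L01 LEF
# format exist only inside EnCase, so here a condition is a composable
# predicate over file records, and each device's matches are written to a zip
# archive with a SHA-256 manifest as a stand-in for the per-device LEF.
from dataclasses import dataclass
import hashlib
import json
import os
import zipfile

@dataclass(frozen=True)
class FileRecord:
    device: str     # evidence item / device the file belongs to
    path: str       # path inside that device, "/" separated
    size: int       # logical size in bytes
    modified: str   # last-written date, ISO 8601 so strings compare in order

# Building blocks for a condition; each returns a predicate FileRecord -> bool.
def extension_in(*exts):
    wanted = {e.lower().lstrip(".") for e in exts}
    def test(r):
        name = r.path.rsplit("/", 1)[-1]
        return "." in name and name.rsplit(".", 1)[-1].lower() in wanted
    return test

def size_at_least(n_bytes):
    return lambda r: r.size >= n_bytes

def modified_after(iso_date):
    return lambda r: r.modified > iso_date

def all_of(*conds):
    return lambda r: all(c(r) for c in conds)

def any_of(*conds):
    return lambda r: any(c(r) for c in conds)

def not_(cond):
    return lambda r: not cond(r)

def select_per_device(records, condition):
    """Apply the condition to every record and group the hits by device, so a
    separate container can be produced for each device, as the EnScript does."""
    hits = {}
    for r in records:
        if condition(r):
            hits.setdefault(r.device, []).append(r)
    return hits

def write_container(device, hits, read_bytes, out_dir):
    """Write <out_dir>/<device>.zip holding the matching files plus a manifest
    of per-file SHA-256 hashes; read_bytes(record) supplies the file content
    (in a real case that would be read from the evidence file)."""
    os.makedirs(out_dir, exist_ok=True)
    out_path = os.path.join(out_dir, f"{device}.zip")
    manifest = []
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for r in hits:
            data = read_bytes(r)
            zf.writestr(r.path.lstrip("/"), data)
            manifest.append({"path": r.path, "size": len(data),
                             "modified": r.modified,
                             "sha256": hashlib.sha256(data).hexdigest()})
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return out_path, manifest

# Constructed sample records standing in for files from two devices in a case.
SAMPLE_RECORDS = [
    FileRecord("HDD1", "/Users/alice/Documents/report.docx", 48_000, "2015-04-02"),
    FileRecord("HDD1", "/Users/alice/Downloads/setup.exe", 1_200_000, "2015-05-01"),
    FileRecord("HDD1", "/Windows/System32/notepad.exe", 190_000, "2009-07-14"),
    FileRecord("USB1", "/photos/IMG_0001.jpg", 2_400_000, "2015-03-20"),
    FileRecord("USB1", "/tools/run.exe", 300_000, "2015-05-03"),
]

# A condition a reader might define: executables written in 2015, or any
# Office/PDF document regardless of date.
SAMPLE_CONDITION = any_of(
    all_of(extension_in("exe", "dll"), modified_after("2015-01-01")),
    extension_in("docx", "pdf"),
)

if __name__ == "__main__":
    hits = select_per_device(SAMPLE_RECORDS, SAMPLE_CONDITION)
    fake_content = lambda r: f"constructed contents of {r.path}".encode()
    for device, records in hits.items():
        path, manifest = write_container(device, records, fake_content, "export")
        print(f"{device}: {len(manifest)} file(s) -> {path}")
```

Devices with no matching file get no container at all, and the manifest records the hash of each file as it was written, which is the property an examiner later needs to show that the extracted subset is unchanged.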


Tuesday, May 5, 2015

EnCase v7 EnScript to Parse PST Email Metadata to Excel

A friend recently asked me for an easy way to export some of the common metadata from a PST file within EnCase. You can easily export data from the Records view, and even include columns that are not typically displayed, by selecting the small down-arrow on the far right side and choosing the columns you want displayed:

But he wanted a way to quickly show some of the common fields, including attachments, in a spreadsheet. This EnScript grabs some of the common fields and builds an Excel spreadsheet automatically:

This EnScript requires Microsoft Excel to be installed on the computer where it is run. When run, the EnScript will parse every .PST file found in the case.

Download here

Computer Forensics, Malware Analysis & Digital Investigations
