Saturday, May 23, 2015

EnCase v7 EnScript to check files to VirusTotal - Updated

In October 2013, I wrote an EnScript that checked files that are tagged with the "VirusTotal" tag to VirusTotal. That original EnScript simply calculated the hash value of the tagged files and then sent it to VirusTotal for evaluation using their API. The original EnScript used an external EXE (VTBookmark.exe) that I wrote in C# to do the actual communication to the VirusTotal website.

I have updated this EnScript to include the name of the detected malware that each AV product associates with the hash value. 

I have also rewritten it to no longer require the external "VTBookmark.exe" application. All the processing and communications are handled natively by EnScript now.

When using this EnScript, any hash value that has a positive value (> 0) is bookmarked. The console pane will display the status of each hash value, but only those with a positive value are bookmarked.  Each hash value can have one of three values:
  1. A score of '0' signifies a hash value that is known to VirusTotal, but is not identified by any of the AV products as a risk.
  2. A score greater than zero (> 0) represents the number of AV products that recognize the hash value as a potential risk
  3. A score of '-1' signifies a hash value that is unknown to VirusTotal. This means the file contents have never been sent and/or analyzed by the AV products.
VirusTotal restricts the use of a public API key to four requests per minute. Therefore, if you tag more than four files, the EnScript will pause in order to wait for the time restriction applied to public (free) API keys. The console will indicate when this is happening:

When run, you can choose to tag specific files (recommended when using a public API key) or not have any 'VirusTotal' tag and the EnScript will conduct a file signature analysis and send the hash values of all identified executable files to Virus Total (recommended only if you have a private API key).

This EnScript can be used with a private VirusTotal key with no time limit restrictions and can process several thousand hash values per hour.

Download v7 EnScript here


Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles