Wednesday, April 1, 2015

EnCase v7 EnScript to carve RecentFileCache.bcf data from selected file(s)

The following EnScript can be used to quickly search for and parse RecentFileCache data from memory images, unallocated space or the allocated RecentFileCache.bcf file.

To use, simply blue check whatever file(s) you want to process, then run the EnScript.

Output is to the console and bookmarks:

c:\windows\system32\lsass.exe
c:\windows\system32\lsm.exe
c:\windows\system32\oobe\windeploy.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\winsat.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\mcbuilder.exe
c:\windows\system32\winhost.exe
c:\windows\system32\logonui.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\userinit.exe

Download EnCase v7 EnScript here
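The same carve-and-parse idea as an added Python example; this is not the EnScript from this post. It assumes a record layout that the post does not state: a 20-byte header starting with FE FF EE FF, followed by records made of a 4-byte little-endian character count, a UTF-16LE path and a two-byte null terminator. The sample buffer is constructed.

```python
import struct

# Assumed layout (not stated in the post): 20-byte header starting with
# FE FF EE FF, then records of <uint32 char count><UTF-16LE path><00 00>.
MAGIC = b"\xfe\xff\xee\xff"
HEADER_LEN = 0x14
MAX_CHARS = 32767  # upper bound for a Windows path; rejects junk lengths

def parse_records(buf, offset):
    """Parse length-prefixed UTF-16LE paths from offset; stop at the first invalid record."""
    paths = []
    while offset + 4 <= len(buf):
        (nchars,) = struct.unpack_from("<I", buf, offset)
        end = offset + 4 + nchars * 2
        # A truncated buffer yields a short slice here, so it also fails this check.
        if not 0 < nchars <= MAX_CHARS or buf[end:end + 2] != b"\x00\x00":
            break
        try:
            path = buf[offset + 4:end].decode("utf-16-le")
        except UnicodeDecodeError:
            break
        if not path.isprintable():
            break
        paths.append(path)
        offset = end + 2
    return paths

def carve(buf):
    """Return (offset, [paths]) for every header hit that yields at least one record."""
    hits, pos = [], buf.find(MAGIC)
    while pos != -1:
        paths = parse_records(buf, pos + HEADER_LEN)
        if paths:
            hits.append((pos, paths))
        pos = buf.find(MAGIC, pos + 1)
    return hits

def _record(path):  # builds one record for the constructed sample below
    return struct.pack("<I", len(path)) + path.encode("utf-16-le") + b"\x00\x00"

# Constructed sample: junk, a header, two paths from the output above, junk.
SAMPLE = (b"\x41" * 37 + MAGIC + b"\x00" * 16
          + _record(r"c:\windows\system32\lsass.exe")
          + _record(r"c:\windows\system32\rundll32.exe")
          + b"\xff" * 9)

if __name__ == "__main__":
    for off, paths in carve(SAMPLE):
        print(f"header at offset {off}:", *paths, sep="\n")
```

Validating each record's length, terminator and printability is what keeps false header hits in memory images or unallocated space from producing garbage paths.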

EnCase v7 EnScript to report on file types by extension

Several years ago I wrote a quick EnScript to produce a quick report of how many files with each extension were found in the case. That EnScript was originally written for EnCase v6 and not compiled so it could be used as a learning exercise.

I recently had a request to update this EnScript for EnCase v7 and to add the byte count for each extension.

The output goes to a TSV file in the case export folder and to the console:

Extension: txt    Count: 9    Size:6787
Extension: csv    Count: 16    Size:1357315
Extension: dat    Count: 9    Size:2129920
Extension: sqlite    Count: 4    Size:11272192
Extension: log    Count: 35    Size:4739968
Extension: evtx    Count: 9    Size:3772416
Extension: fls    Count: 1    Size:0
Extension: mft    Count: 1    Size:52166656
Extension: raw    Count: 1    Size:1073741824
Extension: pf    Count: 129    Size:7745128
Extension: db    Count: 7    Size:4099460
Extension: bin    Count: 1    Size:508
Extension: fx    Count: 5    Size:9060831

Download EnCase v7 EnScript Here


Computer Forensics, Malware Analysis & Digital Investigations