EnCase EnScript to find files on remote systems by MD5 hash - GO FETCH!

I have had a few recent requests for an EnCase Enterprise EnScript to help find files on remote systems. The following EnScript accepts a plain text file (ASCII or Unicode) that contains MD5 hash values, one per line. The EnScript also contains a condition feature that allows the user to refine what files on the remote system they want to hash and compare to the list. Choose a text file, define a condition, go fetch.

The logical choice is to define a condition that contains specific file sizes (logical size). This will cause the EnScript to only hash the remote files that match the file sizes (or path or other criteria) you specify, dramatically speeding up the searching process.

The initial screen prompts for the role, a list of target systems (hostnames, IP addresses or IP ranges) you want to search and a text file that contains MD5 hash values:

 

The next screen allows you to define a condition. I strongly recommend using the logical size to reduce the number of remote files that need to be hashed and then compared with your list. If you do not have logical sizes of the files you want to search for, you can use other criteria such as name, path or other metadata, if feasible. Its important to remember that this is a normal condition used by EnCase, therefore if you do not specify any criteria (and leave it blank), no remote files will match that criteria and no files will ever match. So, if you do not have any criteria to help refine and reduce the remote files that need to be hashed and compared, you need to at least define a filter that includes everything, such as logical size >0.

 

Once launched, any files that match your filter criteria are hashed and then compared against the list of MD5 hash values you provided. If a file's MD5 matches, a LEF is created (in the case's default export folder) that contains all the files on that volume & host that match the MD5 hash values. Original paths are maintained:

 

 

EnCase v7 download here