Comments on Computer Forensics, Malware Analysis & Digital Investigations: If you could have any EnScript or filter, what wo...

I have seen an Enscript like this once, but I do n...

2010-07-08T12:58:32.680-07:00

I have seen an Enscript like this once, but I do not have it.

This enscript goes through the computer and finds all prefetch files and pulls the data out of them into a spreadsheet. The data that it pulls shows the name of the file, its location, and the previous times that it was ran. This script would be of great use in my investigations. Any help would be appreciated.

Brannon Raines
brannon.raines@wellsfargo.com

I would like to see an. EnScript that parses gigat...

2010-06-16T20:24:16.150-07:00

I would like to see an. EnScript that parses gigatribe chat files into a readable format.

Tom Bell
KYOAG
tom.bell@ag.ky.gov

AccessData's registry viewer product has a near fe...

2009-04-22T12:21:00.000-07:00

AccessData's registry viewer product has a near feature called Auto RSR. This allows one to generate a registry report and include whichever keys desired. Something like this would make a nice Enscript. Especially if it gave the option to parse restore points.

I would like an EnScript that will parse DHCP hist...

2009-04-10T12:29:00.000-07:00

I would like an EnScript that will parse DHCP history out of the registry restore points. i.e. I would like it to find, mount, and parse each restore point on the hard drive and list the following:

Assigned DHCP assigned IP Address
IP address Lease Start date/time
IP address Lease End date/time

It would be nice if it presented it in an easy to read timeline format.

I'm looking for an enscript that will export all s...

2009-03-23T09:45:00.000-07:00

I'm looking for an enscript that will export all selected files and rename them to either include the file name and/or the md5 with the correct extension appended to the end. Ideas?

Carlos,You might want to take a look at P2P Marsha...

2009-03-23T06:54:00.000-07:00

Carlos,
You might want to take a look at P2P Marshal for P2P stuff, funded by the NIJ.
http://p2pmarshal.atc-nycorp.com/
Though i should warn you its not perfect in my experience (others seem to like it - thought its missed stuff for me on partial installations).
Rich

Hi I am with DHS-Immigration and Customs Enforceme...

2009-02-26T15:28:00.000-08:00

Hi
I am with DHS-Immigration and Customs Enforcement (ICE), Computer Forensic Lab at Puerto Rico.

What I like to see is and Enscrip to check Local User Profile for all other Chat Clients (Yahoo, MSN, etc.)Chat logs

P2P download Logs (Bittorrent, Limewire etc.)

Somehting that makes a quick report of their file trading and activity for tracking Child Porn.

carlos.a.negron@dhs.gov

Hi Mueller,Can a Enscript be written which can par...

2009-02-25T03:29:00.000-08:00

Hi Mueller,

Can a Enscript be written which can parse the live memory for gtalk chats and store the results in bookmark. I want gtalk only as they are not stored on the local machines.

Kush Wadhwa
(kushwadhwa@gmail.com)

I'd love an EnScript that would convert all the se...

2009-01-30T16:27:00.000-08:00

I'd love an EnScript that would convert all the selected items to PDF with Bates numbers. Yes, I can do this by hand. Yes, it is better done by other tools, but I'm ending up doing "ediscovery in the field" more often than I'd like.

How about a script that would linearly copy out un...

2008-11-11T13:59:00.000-08:00

How about a script that would linearly copy out unallocated space, unused disk area, pagefile.sys, hiberfil.sys and start the hashing process one after the other as not to kill the machine?
Thanks a lot for this blog, it is very useful!

Lance, sorry to butt in without a suggestion for a...

2008-11-10T11:37:00.000-08:00

Lance, sorry to butt in without a suggestion for a script but I was reading the suggestions when I saw that "a" was asking for a script which " parses out and bookmarks the ramnents of (live)messenger out selected files (unallocated/pagefile/hyberfil)". If this is referring to MSNP remnants of conversation my colleague has already done this - http://computerforensics.parsonage.co.uk/downloads/MSNTextFragmentsFinder.zip
H

How about being able to do anything from Enscript ...

2008-11-08T05:57:00.000-08:00

How about being able to do anything from Enscript that you can do from the GUI. Ever hear of automation? You can only recover folders when you add a device in v6. However, last I checked, you can't programmatically add a multi-file dd style image. In all honesty, though, I have stayed away from v6 because I get "Out of Memory" errors when I approach a large number of "files". The same case doesn't give me problems in v5 but alas, v5 is even worse with automation, can't perform a sig and hash search.

Lance...How about an EnScript that will rip throug...

2008-10-31T13:10:00.000-07:00

Lance...

How about an EnScript that will rip through the registry based on the white paper and spreadsheet that I sent you...

Dan P.

How about a "First Run" script which combines come...

2008-10-29T21:11:00.000-07:00

How about a "First Run" script which combines come of the basics and outputs into a csv format with date being the first column and time the second column. For example the basics could include:
-USB Information
-Mounted Drives
-Parse Link Files
-MAC of all files between dates
-Event logs(Limited to default locations)
-MRU's from Registry
-WEP
-Printers
-Prefetch
-Internet History (Limited to default locations)
etc

Although some of these scripts currently exist they do not output in a standardized format. The "First Run" script would mean a first responder could get an instant report on scene of the basics immediately after imaging has been completed.

I'd like and EnScript that leveraged Volatility (a...

2008-10-29T07:28:00.000-07:00

I'd like and EnScript that leveraged Volatility (a.k.a. the greatest thing since sliced bread) against a mem dump file. The GUI popup would allow the user to 'check box' the various Volatility command line options. The output would be a CSV file and would appropriately associate the output of the selected options to the correct process (PID). The idea is that it creates an easy read on a per process level. Volatility provides a lot of disparate info on each process. This EnScript would essentially format the Volatility output in a "makes sense" manner.

An easy, but always requested one:Dialog-"Where", ...

2008-10-28T07:55:00.000-07:00

An easy, but always requested one:
Dialog-"Where", and "Named"
Output-Case Folder Structure!
(with an option for For/eDisc/Inv/etc)

I would like an enscript that creates a timeline o...

2008-10-27T07:44:00.000-07:00

I would like an enscript that creates a timeline of every entry in the case, I have found the timeline functionality of encase unstable and awkward to work with. By all entries I mean MAC times, Reg c times, Internet history access/update times, and other user defined times (such as network logs, etc.). This way, an investigator can create a timeline of all of the events on the system and use it to rebuild the history. He will be able to integrate the network/system logs to correlate these events.

I would like to see an enscript that diffs active ...

2008-10-27T07:36:00.000-07:00

I would like to see an enscript that diffs active registry files and system restore points registry files and exports only the changes

Hans,That's a good idea, but it can already be eas...

2008-10-24T08:51:00.000-07:00

Hans,

That's a good idea, but it can already be easily accomplished without an EnScript in about 20 seconds using a condition.

Just take your list of paths/files that you want to know about and create a condition that says "if full path contains" and then paste your list of paths, then run. The only files that will be shown to you are those that match your path criteria.

Interesting things enscriptI would like a solution...

2008-10-24T08:33:00.000-07:00

Interesting things enscript

I would like a solution for a quick scan of interesting things that possible resides on a Windows disk.
Purpose is to find out which interesting things resides in the data. Its purpose is not to export or carve data. Just knowing that interesting things are present is enough to set up a plan to investigate that data.

The script should look for particular file names/file path/extensions

The script should pick the particular names, etc. from a reference file. Every investigator should be able to edit the reference file, so he/she can put in names/path/etc. he/she wishes to be searched for. I think this will be a great solution for investigators all over the World. In many cases particular software, software names and (path) names are language/country dependent.

A further advantage is, that the investigator self decides what he/she is looking for.

Further Info

I would like to have an Enscript that parses out a...

2008-10-23T23:53:00.000-07:00

I would like to have an Enscript that parses out and bookmarks the ramnents of (live)messenger out selected files (unallocated/pagefile/hyberfil)

I would like to have an Enscript witch can map/par...

2008-10-23T10:25:00.000-07:00

I would like to have an Enscript witch can map/parse the Vista-Filenames/paths to the Thumbscache entries.

Some interesting ideas so far. Albee, keep dreamin...

2008-10-22T19:33:00.000-07:00

Some interesting ideas so far. Albee, keep dreaming! ;)

Paul Bobby, what kind of information are you interested in from the DCOM database?

Skype is a good idea.

Larry, I think I can modify the script I have posted here to do what you want.

Keep the ideas coming!

Producing forensic evidence from the DCOM database...

2008-10-22T16:09:00.000-07:00

Producing forensic evidence from the DCOM database files on a deadbox hard drive.

I would love to have an Enscript that can parse th...

2008-10-22T15:43:00.000-07:00

I would love to have an Enscript that can parse the meta data out of office files in bulk (i.e. All checked files) and would write them to a tab delimited text file I can import and post process in a database.