Showing posts with label Search. Show all posts

Saturday, September 6, 2008

Search for keyword in selected file(s) and then parse till double CRLF

A friend contacted me this past week about a problem he was having parsing a large amount of data in unallocated. He had been searching for specific data that used to be in a text file and had since been deleted, but was still in unallocated. The data had a pretty logical structure, something like this:

label1:field1 label2:field2 label3:field3
label4:field4 label5:field5 label6:field6

label1:field1 label2:field2 label3:field3
label4:field4 label5:field5 label6:field6

.....

He wanted to parse the data back out into a text file so he could process it further, but it needed to be one complete record per line. I wrote an EnScript that asks for a keyword. The keyword should be unique and appear at the beginning of each record; in this case it was the text "label1". The EnScript then parses from the keyword hit until it reaches a double CRLF and prints the parsed data as one line to the Console tab.

Here is an example of the text in text view within EnCase:



So in this example, you would run the EnScript and enter a unique keyword that is found at the beginning of each record, in this case "label1", and the EnScript will parse from each keyword hit until a double CRLF is encountered.
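The same keyword-to-double-CRLF logic in Python, written as an added example for this post (it is not the EnScript itself). It finds every keyword hit in a raw byte fragment, reads to the next double CRLF, collapses the internal line breaks so each record becomes one line, and, for a record torn by the end of the fragment, keeps what is there. The sample fragment, the keyword "label1" and the record layout are constructed to match the structure shown above.

```python
"""Carve label1... records out of a raw fragment, one record per output line.

Added example, not the post's EnScript. Mirrors the described behaviour:
search for a keyword, parse from the hit to the next double CRLF, and
print the record on a single line.
"""


def carve_records(data, keyword, terminator=b"\r\n\r\n"):
    """Yield (offset, record_as_one_line) for each keyword hit in data.

    The record ends at the first terminator after the hit. If no terminator
    follows (the record is torn by the end of the fragment), the remainder of
    the data is used. CR/LF and runs of spaces inside the record collapse to
    single spaces so that one record occupies exactly one line.
    """
    pos = 0
    while True:
        hit = data.find(keyword, pos)
        if hit == -1:
            return
        end = data.find(terminator, hit)
        if end == -1:
            end = len(data)                      # torn record: keep what survives
        raw = data[hit:end]
        one_line = b" ".join(raw.split())        # split() eats CR, LF and spaces
        yield hit, one_line.decode("latin-1")    # latin-1 never fails on raw bytes
        pos = max(end, hit + len(keyword))       # resume after this record


def carve_to_lines(data, keyword):
    """Convenience wrapper: just the one-line records, in file order."""
    return [record for _, record in carve_records(data, keyword)]


# Constructed sample: junk bytes, two complete records separated by a blank
# line (double CRLF), then a third record cut off by the end of the fragment.
SAMPLE = (
    b"\x00\x00random bytes\xff\xfe"
    b"label1:alice label2:42 label3:x\r\n"
    b"label4:y label5:z label6:2008-09-01\r\n"
    b"\r\n"
    b"label1:bob label2:7 label3:q\r\n"
    b"label4:r label5:s label6:2008-09-02\r\n"
    b"\r\n"
    b"label1:carol label2:9 label3"
)

if __name__ == "__main__":
    for offset, record in carve_records(SAMPLE, b"label1"):
        print(f"{offset:8d}  {record}")
```

Running it prints one line per record with the byte offset of the hit, which is the same shape the Console tab output has; redirecting stdout to a file gives the one-record-per-line text the post's friend needed.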



The result looks like this in the console tab:



I figured I would post the EnScript in case anyone else has a use for it.

Download Here

Monday, January 28, 2008

Search for Windows 64 bit TIMESTAMPS

The NTFS file system is pretty verbose and redundant. With the introduction of Windows Vista, there is even more file system redundancy with the Volume Shadow Service (VSS). Windows uses a 64 bit timestamp to track most file system events (created, accessed, written, modified). This 8 byte value represents the number of 100-nanosecond intervals that have passed since midnight UTC, January 1, 1601.

There have been many times where I have found myself searching for these Windows timestamps in the various internal files. EnCase and most of the other forensic tools show you the contents of the master file table (MFT), but what if the reference to the file and folder is no longer there?

On several occasions I have found references to files/folders in the $LogFile and unallocated space that were of interest. Most times I found them because I was searching for a specific filename and I uncovered the record or I stumbled across it. In those cases, I found myself trying to craft a GREP expression to then lock onto any other Windows TIMESTAMPS that were for the time frame. As an example, the screenshot below is of an MFT record that is in the $LogFile:



This EnScript takes a starting date/time and an ending date/time and generates an appropriate GREP search expression for that date range. It then searches any selected (checked) files for that range and bookmarks the findings. Because Windows timestamps are granular down to a 100-nanosecond interval, a GREP expression cannot match an exact date/time, but it comes very close depending on the size of your date range: smaller date ranges (a couple of days) will be much more accurate than large date ranges (several months).



The option at the bottom lets you look for consecutive timestamps, i.e. a timestamp matching your date range followed immediately by another timestamp that need not be in your date range. This is useful if you specifically want to find orphaned MFT records in unallocated or the $LogFile: an MFT record has eight timestamps, a group of four consecutive timestamps and then another group of four, so setting this option will only find those types of records.



This EnScript bookmarks any found timestamps and then reads the timestamp and places it in the comment field for sorting purposes. The timestamp in the comment field is GMT and your case settings have no effect on it. If you choose to sweep the timestamp and view it through the bookmark styles, then your case timezone setting applies.
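To make the mechanics concrete, here is an added Python example (not the EnScript from this post) that does the three things described above: converts UTC dates to the 64-bit FILETIME format, builds a GREP byte pattern for a date range, and scans raw data for little-endian FILETIME values in that range, with the "consecutive timestamps" option. The `\xHH` escapes and `[a-b]` byte classes in the generated pattern are assumed to be valid EnCase GREP syntax; Python's `re` module stands in for the EnCase search engine here. The sample buffer and the plausibility window used by the consecutive check are constructed for the example.

```python
"""FILETIME range search: the idea behind the timestamp EnScript above.

Added example, not the post's EnScript. UTC dates are converted to Windows
FILETIME ticks, a GREP pattern is derived for a date range, and a buffer is
scanned for matching timestamps with an optional 'consecutive' requirement.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # one tick = 100 nanoseconds


def utc(year, month, day, hour=0, minute=0, second=0):
    """Helper so every date in this example is an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def to_filetime(dt):
    """UTC datetime -> 100 ns ticks since 1601-01-01 00:00:00 UTC."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks):
    """FILETIME -> UTC datetime (the sub-microsecond part of a tick is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def grep_for_range(start, end):
    """GREP pattern for the little-endian bytes of any FILETIME in [start, end].

    Only the high-order bytes constrain the match; the lower ones become
    wildcards, so the pattern over-matches a little at the edges of the range.
    That is why a narrow date range is far more precise than a wide one.
    """
    if start > end:
        raise ValueError("start must not be after end")
    lo = struct.pack("<Q", to_filetime(start))
    hi = struct.pack("<Q", to_filetime(end))
    i = 7                                 # most significant byte (last in file order)
    while i > 0 and lo[i] == hi[i]:
        i -= 1                            # walk down to the first byte that differs
    parts = ["."] * i                     # low-order bytes: any value
    parts.append(f"[\\x{lo[i]:02x}-\\x{hi[i]:02x}]")
    parts.extend(f"\\x{lo[j]:02x}" for j in range(i + 1, 8))   # fixed high bytes
    return "".join(parts)


def grep_matches(pattern, data):
    """Offsets where the GREP pattern matches (Python re stands in for EnCase)."""
    return [m.start() for m in re.finditer(pattern.encode(), data, re.DOTALL)]


# Assumed sanity window for the 'consecutive' check: the following qword must
# decode to a date a file system could plausibly have written.
PLAUSIBLE = (to_filetime(utc(1980, 1, 1)), to_filetime(utc(2100, 1, 1)))


def find_timestamps(data, start, end, consecutive=False):
    """[(offset, datetime)] for each little-endian qword that is a FILETIME in [start, end].

    Every byte offset is tried because data carved from unallocated space is not
    aligned. With consecutive=True a hit only counts if another plausible FILETIME
    follows immediately, the shape of an MFT record's groups of four timestamps.
    """
    lo, hi = to_filetime(start), to_filetime(end)
    hits = []
    for off in range(len(data) - 7):
        value = struct.unpack_from("<Q", data, off)[0]
        if not lo <= value <= hi:
            continue
        if consecutive:
            if off + 16 > len(data):
                continue
            nxt = struct.unpack_from("<Q", data, off + 8)[0]
            if not PLAUSIBLE[0] <= nxt <= PLAUSIBLE[1]:
                continue
        hits.append((off, from_filetime(value)))
    return hits


def sample_buffer():
    """Constructed data: two in-range stamps; the first is followed by another
    FILETIME (as in an MFT record), the second by ordinary text."""
    ts_a = struct.pack("<Q", to_filetime(utc(2008, 1, 15)))
    ts_b = struct.pack("<Q", to_filetime(utc(2007, 6, 1)))
    ts_c = struct.pack("<Q", to_filetime(utc(2008, 1, 20)))
    return b"\x00" * 16 + ts_a + ts_b + b"\x00" * 16 + ts_c + b"not a timestamp" + b"\x00" * 8


if __name__ == "__main__":
    start, end = utc(2008, 1, 1), utc(2008, 2, 1)
    pattern = grep_for_range(start, end)
    print("GREP:", pattern, "->", grep_matches(pattern, sample_buffer()))
    for off, when in find_timestamps(sample_buffer(), start, end, consecutive=True):
        print(f"offset {off}: {when.isoformat()} (GMT)")
```

For January 2008 the generated pattern fixes the two high bytes, constrains the third with a byte class and leaves the five low bytes as wildcards; the decoded value printed for each hit is GMT, just like the comment field the EnScript fills in, and a 2007 timestamp sitting right after the first hit is what lets it pass the consecutive check while the second hit does not.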



Download here

Monday, January 21, 2008

Keyword search with exclusion list - Beta

**Updated version now available - v1.5 (case sensitive & user-definable bookmark folder name)

An EnCase user contacted me about a problem he was having searching for a fairly common keyword: how could he exclude certain preceding or following words that were adjacent to the core keyword?

Regular GREP expressions allow you to do this, but the EnCase version of GREP currently does not support using the NOT operator ("^") against multiple characters. For example, say you wanted to search for the keyword "install". When the search is done, you may have thousands of hits, but see that the majority of them are part of a word like "clientinstall", or one of ten other combinations containing "install", like windowsinstall, installapp, applicationinstall, etc. The EnCase version of GREP DOES allow the NOT character to be used against a single character, as in this example:

[^t]install

This would find the keyword "install" as long as there was no preceding "t" character before it. This example would eliminate the term "clientinstall" as I indicated above, but it would also eliminate all other possible keyword hits that have the letter "t" preceding the keyword "install", such as "statinstall", which I may want.

To get around this, I wrote an EnScript that asks for a keyword. It then also asks for a list of exclusion words (the list can be pasted into the window). The EnScript then searches ALL SELECTED items for ANSI and UNICODE occurrences of the keyword. It reads the characters before and after each keyword hit to see if the hit is one of the exclusions you provided; if so, it skips the hit and moves on to the next one. If the characters before and after do not match anything in the exclusion list, the hit is bookmarked.

Using the example above, I ran the EnScript and entered "install" as my keyword. I then entered a list of exclusion words, such as:

productinstall
uninstall
appinstall
installapplication

Here is a screenshot of the three fields that require input:



The results exclude any keyword hits that are part of the exclusion list:



This is a beta version and it has not been tested completely. Please feel free to download it, try it, and post any comments, bugs or suggestions.

Download v6 version here

Computer Forensics, Malware Analysis & Digital Investigations