Sunday, November 14, 2010

EnCase filter that uses MSSQL for faster filtering of files by hash values

OIiver Höpli from Switzerland recently emailed me to provide a filter he wrote that may be very useful to some EnCase users. With his permission, I am posting the filter and the description provided by him.


"The script is similar to the "Unique Files by Hash" filter provided by Guidance.
Because the script uses an MSSQL server for storing the hashes and not a NameListClass, it is much faster. In tests it filters about 220,000 entries in 3 minutes. Also the displayed filter applying time is really close to the total time that the filter would actualy run.


To use this script, you have to had a running insance of MSSQL Server local or in your network.
Please use credentials with enough permission to create and modify databases and tables.

The filter creates a table per dongle ID. So you could use this filter simultaneously on different EnCase installations in your lab. Please do not run the filter simultaneously on 2 or more EnCase instances on the same examiner machine.

The express edition of the MSSQL Server 2008 R2 (free available) could be downloaded from:
http://www.microsoft.com/germany/express/products/database.aspx"


Download here

EnCase filter that uses MSSQL for faster filtering of files by hash values

OIiver Höpli from Switzerland recently emailed me to provide a filter he wrote that may be very useful to some EnCase users. With his permission, I am posting the filter and the description provided by him.



"The script is similar to the "Unique Files by Hash" filter provided by Guidance.
Because the script uses an MSSQL server for storing the hashes and not a NameListClass, it is much faster. In tests it filters about 220,000 entries in 3 minutes. Also the displayed filter applying time is really close to the total time that the filter would actualy run.


To use this script, you have to had a running insance of MSSQL Server local or in your network.
Please use credentials with enough permission to create and modify databases and tables.

The filter creates a table per dongle ID. So you could use this filter simultaneously on different EnCase installations in your lab. Please do not run the filter simultaneously on 2 or more EnCase instances on the same examiner machine.

The express edition of the MSSQL Server 2008 R2 (free available) could be downloaded from:

http://www.microsoft.com/germany/express/products/database.aspx"


Download here

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles