Showing posts with label Decode. Show all posts

Saturday, February 2, 2008

Decode/Bookmark Base64 text in EnCase

I had a recent need to examine some php pages that were used to compromise a web server. Several of the php pages were obfuscated using base64 encoding to avoid detection. Therefore, I needed a quick way to decode base64 text and then bookmark the decoded text for later review.

The first step is to sweep the base64 text:

Next, run the EnScript and check the box if you want the decoded text bookmarked:

Once the EnScript is completed, you can check the console tab for the decoded text as well as look at the bookmark if you chose that option.

Remember that the length of the base64 encoded text should always be divisible by four. This is because every four characters of encoded text represent three decoded bytes. This is why base64 text sometimes ends with "=" characters: they are padding that makes the length of the string divisible by four. The EnScript checks the length of the selected text and warns if you have selected either too many characters or too few:

Download here

Monday, July 23, 2007

Decoding encoded IIS logs

When doing intrusion investigations, I have run across IIS web logs that have encoded entries that were the product of a SQL injection attack. Many times the attacker will encode the web request that is sent to the webserver and then subsequently to the SQL server by using ASCII values for the characters or HEX values. There are several reasons for doing this and there are several automated tools that an attacker can use that will automatically encode the string he/she wishes to send.

For example, imagine the attacker wants to send the HTTP GET request of:
"id=999999 or select * from cctable"

You obviously cannot send spaces in a URL, so it would be rewritten as:
"id=999999%20or%20select%20*%20from cctable"

Special characters are also usually not represented literally, so they too can be replaced by an ASCII representation or a HEX value such as:
"id=999999%20or%20select%20char(42)%20from cctable"

This type of encoding makes reading and understanding what type of SQL commands the attacker is sending very difficult. So I wrote an EnScript that does a simple search and replace for several types of encoding in order to make it easier to understand what the attacker was doing. This can also help with keyword searching: if the word you were searching for was encoded, it obviously would not be found in its encoded form.

The following is an example of a real encoded IIS weblog entry:
pageid=830%20And%20(Select%20Top%201%20char(124)%2Bname%2Bchar(124)%20From%20(Select%20Top%201%20[name]%20From%20[syscolumns]%20where%20(id%20=%20(SELECT%20TOP%201%20id%20FROM%20[sysobjects]%20WHERE%20name%20=%20char(112)%2Bchar(97)%2Bchar(103)%2Bchar(101)%2Bchar(99)%2Bchar(111)%2Bchar(110)%2Bchar(116)%2Bchar(101)%2Bchar(110)%2Bchar(116)%2Bchar(115)))%20Order%20by%20[name])%20T%20Order%20by%20[name]%20desc)>0%20--

The decoded entry looks like this:
pageid=830 And (Select Top 1 +name+ From (Select Top 1 [name] From [syscolumns] where (id = (SELECT TOP 1 id FROM [sysobjects] WHERE name = p+a+g+e+c+o+n+t+e+n+t+s)) Order by [name]) T Order by [name] desc)>0 --
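Here is an added Python example, not the author's EnScript, that performs the search-and-replace decoding described above on the log entry quoted in the post. It goes one step beyond the post by folding the decoded char() values back into SQL string literals, so the char(124) delimiter and the table name the injection probes for become readable. The function names are assumptions.

```python
"""Added example, not the blog's EnScript: decode an IIS log query string the
way the post describes (percent-encoding, then char(N) values), plus one step
beyond it that joins the decoded characters back into SQL string literals."""
import re
from urllib.parse import unquote

# The encoded log entry quoted in the post (the cs-uri-query field of an IIS log).
SAMPLE_LOG_QUERY = (
    "pageid=830%20And%20(Select%20Top%201%20char(124)%2Bname%2Bchar(124)%20From%20"
    "(Select%20Top%201%20[name]%20From%20[syscolumns]%20where%20(id%20=%20"
    "(SELECT%20TOP%201%20id%20FROM%20[sysobjects]%20WHERE%20name%20=%20"
    "char(112)%2Bchar(97)%2Bchar(103)%2Bchar(101)%2Bchar(99)%2Bchar(111)%2B"
    "char(110)%2Bchar(116)%2Bchar(101)%2Bchar(110)%2Bchar(116)%2Bchar(115)))"
    "%20Order%20by%20[name])%20T%20Order%20by%20[name]%20desc)>0%20--"
)


def percent_decode(text: str) -> str:
    """Step 1: turn %XX hex escapes back into characters.

    unquote() rather than unquote_plus(): a literal '+' produced by %2B must
    survive, and IIS logs the raw request rather than form-decoded fields."""
    return unquote(text)


_CHAR_CALL = re.compile(r"char\((\d+)\)", re.IGNORECASE)


def replace_char_calls(text: str) -> str:
    """Step 2: char(N) -> 'c'.  Codes outside printable ASCII, and the single
    quote itself, are left as char(N) so the result stays unambiguous."""
    def sub(match: re.Match) -> str:
        code = int(match.group(1))
        if 32 <= code < 127 and code != 39:
            return "'" + chr(code) + "'"
        return match.group(0)
    return _CHAR_CALL.sub(sub, text)


_ADJACENT = re.compile(r"'([^']*)'\+'([^']*)'")


def merge_literals(text: str) -> str:
    """Step 3 (beyond the post): fold 'p'+'a'+'g'+'e' into 'page'.
    Repeats until nothing changes, since each pass merges pairs only."""
    while True:
        merged = _ADJACENT.sub(r"'\1\2'", text)
        if merged == text:
            return merged
        text = merged


def decode_iis_query(query: str, merge: bool = True) -> str:
    """Full pipeline; merge=False stops at the post's own level of decoding."""
    decoded = replace_char_calls(percent_decode(query))
    return merge_literals(decoded) if merge else decoded


if __name__ == "__main__":
    print(decode_iis_query(SAMPLE_LOG_QUERY, merge=False))
    print(decode_iis_query(SAMPLE_LOG_QUERY))
```

With merging on, the entry reads `... WHERE name = 'pagecontents' ...`, which is also the form you would want to feed a keyword search, since neither `pagecontents` nor `syscolumns` is findable in the percent-encoded original as a plain string.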

To use within EnCase, select (blue check) the IIS log and then run the EnScript, check the console for results.

Download Here
(tested in v6.5)

Computer Forensics, Malware Analysis & Digital Investigations