Showing posts with label Selected Text. Show all posts

Saturday, August 22, 2009

Updated EnScript to hash selected text and provide MD5, SHA1-Base16 and SHA1-Base32 values

I recently posted an EnScript to provide the hash value of selected text within EnCase.

This is an update to that EnScript, and it provides the MD5 hash, SHA1_base16 (hex) hash and SHA1_base32 hash values for those who do LimeWire-type investigations.



Download here

Sunday, August 16, 2009

EnScript to hash selected text

I was doing some testing and needed to hash just a portion of some files, not their entire contents. So I decided to write a quick EnScript to hash just the selected characters from within a file.

To use this EnScript, simply select whatever characters you want to include in your hash results and run the EnScript.



The EnScript will automatically determine which file you have text selected in and the number of bytes. The EnScript will calculate an MD5 and a SHA1 hash of the selected text:



Download here

Monday, March 17, 2008

XOR entire file or selected text

XOR is a common and simple symmetric encryption algorithm. It is commonly used by malware to 'hide' certain identifiable information in a data file or executable. It is a very simple algorithm, so there is very little processing power needed to quickly encrypt or decrypt data, making it a popular technique.

Some software vendors also use it to 'obfuscate' data. Norton Antivirus uses it to store identified malware files in the quarantine folder. When Norton AV detects a virus, it will XOR the virus with a constant key and then place it in the quarantine folder. I had previously written an EnScript to extract files from the quarantine folder in Norton version 7.5 so they could be examined in their native form. Norton also stores its logs encrypted using XOR (most versions). I wrote this EnScript specifically so I could quickly decrypt Norton logs within EnCase when doing an investigation so I could see what kind of virus activity had recently taken place, but then I quickly found other uses for the EnScript.

The EnScript allows you to simply highlight (highlight, not check) a file in the table pane (upper right) of EnCase and then supply a hex value as the XOR key.



You can have the resulting XOR data displayed in the console, or if dealing with binary data, such as with a malware executable, you can have the data written to a local file that you can then examine with some other 3rd party tool.

Download here (EnCase v6)
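The operation the post describes (XOR a whole file or a selected byte range with a user-supplied hex key, then show the result on the console) looks like this in Python. This is an added example, not the EnScript itself; the function names, the key `0xA7` and the sample log line are constructed for illustration and are not any vendor's real key or log format.

```python
import string
from typing import Optional


def parse_hex_key(text: str) -> bytes:
    """Turn a user-supplied hex key such as '5A', '0x5A' or 'DE AD BE EF' into bytes."""
    cleaned = text.strip().replace(" ", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    if not cleaned or len(cleaned) % 2:
        raise ValueError("key must be a non-empty, even number of hex digits")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex characters


def xor_bytes(data: bytes, key: bytes, offset: int = 0,
              length: Optional[int] = None) -> bytes:
    """XOR data[offset:offset+length] with a repeating key (whole buffer by default)."""
    end = len(data) if length is None else offset + length
    if not 0 <= offset <= end <= len(data):
        raise ValueError("selection is outside the data")
    selection = data[offset:end]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(selection))


def console_view(data: bytes) -> str:
    """Render bytes for console display, replacing non-printable bytes with '.'."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return "".join(chr(b) if b in printable else "." for b in data)


if __name__ == "__main__":
    key = parse_hex_key("0xA7")  # constructed single-byte key
    plain = b"2008-03-17 virus found: Example.Test in sample.dat"  # constructed
    encoded = xor_bytes(plain, key)          # what would be stored on disk
    print(console_view(encoded))             # unreadable until decoded
    # XOR is its own inverse: the same key applied again restores the data.
    print(console_view(xor_bytes(encoded, key)))
    # Decode only a selection (11 bytes starting at offset 11).
    print(console_view(xor_bytes(encoded, key, offset=11, length=11)))
```

For binary data such as an executable, write the bytes returned by `xor_bytes` to a file instead of passing them through `console_view`, which is lossy.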

Computer Forensics, Malware Analysis & Digital Investigations
