├── Add to .hash file.EnPack
├── Base64 Bookmark.EnPack
├── Bookmark files based on MD5 hash v7.EnPack
├── Bookmark_MFT_record_of_highlighted_file.EnPack
├── Calculate Entropy of selected file(s).EnPack
├── Carve RecentFilecache.bcf from selected file(s)_v7.EnPack
├── Catagorize all files by extension and count.EnPack
├── Categorize by specified extentions and count.EnPack
├── Check hash to VirusTotal_v8.EnScript
├── Check tagged files to VT.EnPack
├── Check tagged files to VirusTotal_v8.EnScript
├── Compare Physical Device to logical partition and look for unused space with data.EnPack
├── Compare files to hash set(s) & export only unkown files.EnPack
├── Computer Forensic lifecycle.pdf
├── Convert OSX .emlx mail to MBOX.EnPack
├── Count Unique Email Domains.EnPack
├── Create App Descriptors from selected procceses in Snapshot data.EnPack
├── Create EnCase v7 hash set from text file.EnPack
├── Create text file with name, size, md5 hash from selected files v7.EnPack
├── DHCP & IP Information.EnPack
├── Decode logs (chr, char, %).EnPack
├── Detect Slacker.EnPack
├── Detect Unicode & High ASCII Filenames.EnPack
├── Display the number of search hits per file.EnPack
├── ED2K EnScript.zip
├── EnCase_Enterprise_Find_Files_by_Hash_EnCase_v7_v1.0.EnPack
├── Encrypted Yahoo chat keyword search v1.0.EnPack
├── Encrypted Yahoo chat keyword search v1.1.EnPack
├── Export .spak hashes to text file for import.EnPack
├── Export Icons from Executables.EnPack
├── Export Internet History hits in selected file(s).backup.EnPack
├── Export MFT Slack.EnPack
├── Export Search Hits.EnScript
├── Export Selected Files and maintain path and timestamp.EnPack
├── Export based on condition - maintain original path.EnPack
├── Export by Extension_v7.EnPack
├── Export by extension.EnPack
├── Export by extension_Maintain_TimeStamps.EnPack
├── Export by extension_Maintain_TimeStamps_Maintain_Original_Path.EnPack
├── Export checked files by contigous clusters - DVR.EnScript
├── Export files based on Condition and maintain original path and timestamps.EnPack
├── Export files based on condition.EnPack
├── Export files with selected search hits.EnPack
├── Export files with sequential prefix.EnScript
├── Export x Number of bytes around selected search hits - categorized by keyword hit, one file per keyword.EnPack
├── Export x Number of bytes around selected search hits - categorized by keyword hit.EnPack
├── Export x Number of bytes around selected search hits_With HASH_DEC04.EnPack
├── Export x Number of bytes around selected search hits_one hit per file_catagorized by keyword.EnPack
├── Export x number of bytes around selected search hit with HTML report.EnPack
├── Export x number of bytes around selected search hit.EnPack
├── Export_Internet_History_hits_in_selected_file(s).EnPack
├── Extract MFT records from Memory Dump v1.EnPack
├── Extract Thumbnails from Movies v 2.0.EnPack
├── F-Response_COM.EnScript
├── F-Response_POC.EnPack
├── File Permissions Summary (psgetsid).EnPack
├── File Signature Search in Unallocated.EnPack
├── Find & Parse Prefetch files in unallocated_v6.EnPack
├── Find Cryptolocker encrypted filesv6&v7.EnPack
├── Find and Parse prefetch files in Unallocated_v7.EnPack
├── Find duplicates.EnPack
├── GSI_BookmarkExporterLib.EnScript
├── Generate SHA1_Base16 & SHA1_Base32 for selected files.EnPack
├── Get MFT Records in Unallocated v6.EnPack
├── Get Standard Information Attribute Dates and FileName Attribute Dates.EnPack
├── Hash selected text.EnPack
├── Hash selected text_MD5_SHA1Base16_SHA1Base32.EnPack
├── Import Hashes from Text File - One hash per line.EnScript
├── Import Hashes from Text File.EnPack
├── Keyword Harvester.EnPack
├── Keyword search with exclusion list.EnPack
├── LNK Files for MAC Address.EnPack
├── Limewire Search & Bookmark.EnPack
├── List filetypes by extension_with_size_v7.EnScript
├── List filetypes by extensions.EnScript
├── Luhn Credit Card Validation.EnScript
├── Maine State Police Movie Carver.EnPack
├── Make LEF based on extension and High ASCII filenames.EnPack
├── Make LEF from condition.EnPack
├── Make Thumbnails of selected video files.EnPack
├── Merge two hash sets.EnPack
├── Office Metadata.EnPack
├── Office Metadata_Includes_Office_2007.EnPack
├── Output to DD file.EnPack
├── Output to DD image file and redact selected files.EnPack
├── Parse Event Logs from unallocated.EnPack
├── Parse Link Files to EXCEL Spreadsheet with UNIX dates for sorting.EnPack
├── Parse PST Email Metadata to Excel Spreadsheet.EnPack
├── Parse RecentFileCache.bcf and bookmark files.EnPack
├── Parse RecentFileCache.bcf and bookmark files_v7.EnPack
├── Parse TIFF for MetaData.EnPack
├── Parse USNJRNL.EnPack
├── Parse USNJRNL_v7.EnPack
├── Parse USNJRNLv1.1.EnPack
├── Parse USNJRNLv1.2_Export_CSV.EnPack
├── Parse WIFI Profiles.EnPack
├── Parse Wireless Access Points Win7.EnPack
├── Parse Wireless Access Points Win7.EnScript
├── Parse Wireless Access Points in Vista_Win7_Win8_EnCaseV7.EnPack
├── Parse each NTUSER.DAT for RecentDocs to EXCEL_v6.EnPack
├── Parse recent RDP sessions from NTUSER.DAT files.EnPack
├── Parse selected Executable for String Resources.EnPack
├── Parse setupapi.dev.log for USB info_v7.EnPack
├── Parse setupapidev.log for USB info.EnPack
├── Quickly Calculate MD5, SHA1 and entropy of selected files_v7.EnPack
├── README.md
├── Read Windows 7 Recycle Bin $I Files.EnScript
├── Registry Last Written Timestamp bookmark.EnPack
├── Repair corrupted event logs.EnPack
├── Restore Point Information from Change.log.EnPack
├── Restore Point Information from rp.log.EnPack
├── SafeBoot Info v1.3.EnPack
├── Search & Parse 'nk' Reg keys.EnPack
├── Search & Parse 'vk' Reg keys.EnPack
├── Search for win32 TIMESTAMP.EnPack
├── Search in ROT13 & XOR.EnPack
├── Search_keyword_and_parse_till_double_CRLF.EnPack
├── Send data to Splunk.EnPack
├── Send data to Splunk_v6.EnPack
├── Seperate_FTP_sessions.EnPack
├── Service Pack and Patch Information.EnPack
├── Show only path of folders containing only certain files, count and size.EnPack
├── Skype Chatsync IP addresses.EnPack
├── Triage Media.EnPack
├── Tutorial IV.EnScript
├── USB Device History - System Volume Information - Selected Only.EnPack
├── USB Device History - System Volume Information.EnPack
├── USB Device History v0.5 122707.EnPack
├── USB Device History v0.5 122707.EnScript
├── USB Device History v0.5 records.EnScript
├── USB Device History.EnPack
├── USB Information_Windows 7.EnPack
├── USB v0.4 Device History.EnPack
├── USB2 Device History.EnScript
├── Unique domains from Records-Internet History.EnPack
├── User Groups from SAM_v6.EnPack
├── User Profile Summary by File Extension in EXCEL.EnPack
├── Verify LEF Collection (v2.1).EnPack
├── VirusTotal Bookmark_v6.EnPack
├── Vista Firewall Settings.EnPack
├── Vista VSS Info (draft).EnScript
├── Wireless SSID.EnPack
├── Wireless SSID.EnScript
├── XOR a file or selection.EnPack
├── XOR all 255 possibilities of Selected file to Export folder.EnPack
├── Yahoo Decoder in unallocated.EnPack
├── Yahoo Search for XOR strings.EnScript
├── bookmark_files_based_on_name.EnPack
├── encase_v7
│   └── compiled
│       ├── EnCase_Enterprise_Find_Files_by_Hash_EnCase_v7_v1.0.EnPack
│       ├── Export based on condition - maintain original path.EnPack
│       ├── Export by Extension_v7.EnPack
│       └── Parse WIFI Profiles.EnPack
├── evidence
│   └── README.md
├── supporting_files
│   ├── .gitkeep
│   └── VT_Bookmark.zip
├── v5 Norton Quarantined Files.EnPack
└── v5ObfuscatedRegistry-RecentApplications-ROT13.EnPack

/Add to .hash file.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Add to .hash file.EnPack
--------------------------------------------------------------------------------

/Base64 Bookmark.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Base64 Bookmark.EnPack
--------------------------------------------------------------------------------

/Bookmark files based on MD5 hash v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Bookmark files based on MD5 hash v7.EnPack
--------------------------------------------------------------------------------

/Bookmark_MFT_record_of_highlighted_file.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Bookmark_MFT_record_of_highlighted_file.EnPack
--------------------------------------------------------------------------------

/Calculate Entropy of selected file(s).EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Calculate Entropy of selected file(s).EnPack
--------------------------------------------------------------------------------

/Carve RecentFilecache.bcf from selected file(s)_v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Carve RecentFilecache.bcf from selected file(s)_v7.EnPack
--------------------------------------------------------------------------------

/Catagorize all files by extension and count.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Catagorize all files by extension and count.EnPack
--------------------------------------------------------------------------------

/Categorize by specified extentions and count.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Categorize by specified extentions and count.EnPack
--------------------------------------------------------------------------------

/Check hash to VirusTotal_v8.EnScript:
--------------------------------------------------------------------------------

/*

Author:

Lance Mueller
Website: www.forensickb.com
Twitter: @lancemueller

Usage:

This EnScript will generate a hash value for all executables & DLLs, based on file signature analysis
and submits the hash values to VirusTotal (VT) for analysis. No file content is ever sent.

Any hash values with a VT score greater than zero are bookmarked. Duplicate hash values are ignored and only unique values are submitted to VT.

This EnScript will work with a public or private VT API key. For public API keys, VT limits the number of
queries to four per minute. This EnScript will automatically sleep for one minute once that limit is reached and then continue processing.

Keep in mind 5,000 unique executables/DLLs can take 24 hours to process using a public VT API key (four per minute).

License:

Copyright (c) 2017 Lance Mueller

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

*/

class InputDialogClass: DialogClass {
  StringEditClass TextAreaEdit;
  InputDialogClass(DialogClass parent, String &apikey):
    DialogClass(parent, "Check executable files to VirusTotal"),
    TextAreaEdit(this, "VirusTotal API Key (public or private):", SAME, NEXT, 300, 8, 0, apikey, 72, REQUIRED)
  {
  }
}

class MainClass {
  NameValueClass list;            // unique hash value -> true path of the first file seen with it
  String address;
  uint port, options;
  String relativeUrl, api;
  BookmarkClass folder;

  MainClass():
    list(),
    address = "www.virustotal.com",
    port = SocketClass::HTTPSPORT,
    options = WebClientClass::SSL | WebClientClass::VALIDATESERVERCERT,   // HTTPS with server certificate validation
    relativeUrl = "/vtapi/v2/file/report"
  {
  }

  void Main(CaseClass c) {
    SystemClass::ClearConsole(1);
    InputDialogClass diag(null, api);
    StoreUpdate(0, api);                          // load the previously saved API key, if any
    if (diag.Execute() == SystemClass::OK) {
      StoreUpdate(StorageClass::WRITE, api);      // persist the key entered in the dialog
      DateClass start.Now();
      Console.WriteLine("Starting: " + start.GetString());
      folder = new BookmarkClass(c.BookmarkRoot(), "VirusTotal Results", NodeClass::FOLDER);

      WebClientClass client();
      WebServiceClass::RequestClass request();
      request.Command = WebServiceClass::RequestClass::GET;

      ProcessHashValues(c);
      Calculate(client, request, c);

      DateClass end.Now();
      Console.WriteLine("Finishing: " + end.GetString());
      uint mins = (end.GetUnix() - start.GetUnix()) / 60;
      Console.WriteLine("Total Mins: " + mins);
    }
  }

  // Locate the entry by its true path (minus the case name and device name) and bookmark it.
  void Bookmark(CaseClass &c, String &desc, String path){
    ItemIteratorClass iter(c, ItemIteratorClass::NORECURSE, ItemIteratorClass::ALL, NOPROXY);
    EntryClass root = iter.GetNextEntry();
    uint len = c.Name().GetLength();
    path = path.SubString(len + 1, -1);
    len = path.Find("\\");
    path = path.SubString(len + 1, -1);
    EntryClass entry = root.Find(path);
    if (entry){
      BookmarkItemClass bic(folder, entry.Name(), 0);
      bic.CopyItemData(entry);
      bic.SetComment(desc);
    }
    else {
      Console.WriteLine("Could not find " + path);
    }
  }

  // Collect the hash of every entry whose signature analysis says executable or DLL; duplicates are dropped.
  void ProcessHashValues(CaseClass &c){
    ItemIteratorClass iter(c, ItemIteratorClass::NORECURSE, ItemIteratorClass::ALL);
    while (EntryClass entry = iter.GetNextEntry()) {
      String fileType = entry.Signature();
      if (fileType.Contains("executable") || fileType.Contains("Dynamic Link Library")){
        if (entry.HashValue()) {
          NameValueClass n = list.Find(entry.HashValue());
          if (!n) {
            NameValueClass key(list, entry.HashValue());
            key.SetValue(entry.TruePath());
          }
          else {
            Console.WriteLine("Duplicate hash value ignored for file: " + entry.TruePath());
          }
        }
      }
    }
  }

  void Calculate(WebClientClass &client, WebServiceClass::RequestClass &request, CaseClass &c){
    uint total = list.Count();
    Console.WriteLine("Sending: " + total + " to VirusTotal");
    String md5;

    forall (NameValueClass l in list){
      md5 = l.Name();
      if (md5 != ""){
        int reply;
        do {
          // 204 means the public-key quota was hit; RequestVT sleeps a minute, then the same hash is retried
          reply = RequestVT(md5, client, request, c);
        } while (reply == 204);
      }
    }
  }

  int RequestVT(String &md5, WebClientClass &client, WebServiceClass::RequestClass &request, CaseClass &c){
    NameVariantClass root();
    WebServiceClass::ReplyClass reply();
    if (client.Open(address, port, options)) {

      request.URL = relativeUrl + "?apikey=" + api + "&resource=" + md5;   // hash only, never file content
      if (!client.Command(request, reply)){
        Console.WriteLine("Command could not be sent to the server: " + reply.Code);
      }
      else if (reply.Code == 200){
        if (reply.File && reply.File.IsOpen()) {
          reply.File.SetCodePage(CodePageClass::ANSI);
          while (reply.File.More()) {
            if (root.ReadJSON(reply.File)){
              forall (NameVariantClass l in root){
                if (l.Name() == "response_code")
                  if (l.Value){                                  // non-zero: VT knows this hash
                    NameVariantClass p = l.Parent().Find("positives");
                    if (uint::Convert(p.Value, int::DECIMAL) > 0){
                      NameVariantClass h = l.Parent().Find("resource");
                      NameVariantClass scans = l.Parent().Find("scans");
                      String malwarenames;
                      forall (NameVariantClass s in scans){
                        if (s.Name() == "result"){
                          if (s.Value) {
                            malwarenames += s.Parent().Name() + "_" + s.Value + "|";   // Engine_Detection|...
                          }
                        }
                      }
                      malwarenames.Trim("|", TRIMEND);
                      NameValueClass val = list.Find(h.Value);
                      String desc = p.Value + " - " + malwarenames;
                      Bookmark(c, desc, val.Value());
                      Console.WriteLine(p.Value + "\t" + malwarenames + "\t" + val.Value());
                    }
                  }
              }
            }
          }
        }
      }
      else if (reply.Code == 204) {
        SystemClass::Sleep(60000);      // rate limited: wait one minute before the caller retries
      }
      else {
        Console.WriteLine("Could not complete request. Result Code: " + reply.Code);
      }
    }
    return reply.Code;
  }

  void StoreUpdate(uint props, String &apikey){
    StorageClass storage("Check files to VT", props);
    storage.Value("api", apikey);
  }
}

--------------------------------------------------------------------------------

/Check tagged files to VT.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Check tagged files to VT.EnPack
--------------------------------------------------------------------------------

/Check tagged files to VirusTotal_v8.EnScript:
--------------------------------------------------------------------------------

/*

Author:

Lance Mueller
Website: www.forensickb.com
Twitter: @lancemueller

Usage:

This EnScript will generate hash values for all tagged files and send the hash value to VirusTotal for scoring.

No file content is ever sent.

Any files with a VT score greater than zero are bookmarked.

This EnScript will work with a public or private VT API key. For public API keys, VT limits the number of
queries to four per minute. This EnScript will automatically sleep for one minute once that limit is reached and then continue processing.

License:

Copyright (c) 2017 Lance Mueller

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

*/

class InputDialogClass: DialogClass {
  StringEditClass TextAreaEdit;
  InputDialogClass(DialogClass parent, String &apikey):
    DialogClass(parent, "Check tagged files to VirusTotal"),
    TextAreaEdit(this, "VirusTotal API Key (public or private):", SAME, NEXT, 300, 8, 0, apikey, 72, REQUIRED)
  {
  }
}

class MainClass {
  NameValueClass list;            // hash value -> true path of the tagged file
  String address;
  uint port, options;
  String relativeUrl, api;
  BookmarkClass folder;

  MainClass():
    list(),
    address = "www.virustotal.com",
    port = SocketClass::HTTPSPORT,
    options = WebClientClass::SSL | WebClientClass::VALIDATESERVERCERT,   // HTTPS with server certificate validation
    relativeUrl = "/vtapi/v2/file/report"
  {
  }

  void Main(CaseClass c) {
    SystemClass::ClearConsole(1);
    InputDialogClass diag(null, api);
    StoreUpdate(0, api);                          // load the previously saved API key, if any
    if (diag.Execute() == SystemClass::OK) {
      StoreUpdate(StorageClass::WRITE, api);      // persist the key entered in the dialog
      DateClass start.Now();
      Console.WriteLine("Starting: " + start.GetString());
      folder = new BookmarkClass(c.BookmarkRoot(), "VirusTotal Tagged File Results", NodeClass::FOLDER);

      WebClientClass client();
      WebServiceClass::RequestClass request();
      request.Command = WebServiceClass::RequestClass::GET;

      ProcessHashValues(c);
      Calculate(client, request, c);

      DateClass end.Now();
      Console.WriteLine("Finishing: " + end.GetString());
      uint mins = (end.GetUnix() - start.GetUnix()) / 60;
      Console.WriteLine("Total Mins: " + mins);
    }
  }

  // Locate the entry by its true path (minus the case name and device name) and bookmark it.
  void Bookmark(CaseClass &c, String &desc, String path){
    ItemIteratorClass iter(c, ItemIteratorClass::NORECURSE, ItemIteratorClass::ALL, NOPROXY);
    EntryClass root = iter.GetNextEntry();
    uint len = c.Name().GetLength();
    path = path.SubString(len + 1, -1);
    len = path.Find("\\");
    path = path.SubString(len + 1, -1);
    EntryClass entry = root.Find(path);
    if (entry){
      BookmarkItemClass bic(folder, entry.Name(), 0);
      bic.CopyItemData(entry);
      bic.SetComment(desc);
    }
    else {
      Console.WriteLine("Could not find " + path);
    }
  }

  // Collect the hash of every entry carrying the "Check VT" tag.
  void ProcessHashValues(CaseClass &c){
    for (ItemIteratorClass iter(c, ItemIteratorClass::NORECURSE, ItemIteratorClass::ALL); EntryClass entry = iter.GetNextEntry();) {
      if (entry.Tags().Contains("Check VT")){
        if (entry.HashValue()) {
          NameValueClass key(list, entry.HashValue());
          key.SetValue(entry.TruePath());
        }
      }
    }
  }

  void Calculate(WebClientClass &client, WebServiceClass::RequestClass &request, CaseClass &c){
    uint total = list.Count();
    Console.WriteLine("Sending: " + total + " hash values to VirusTotal");
    String md5;
    forall (NameValueClass l in list){
      md5 = l.Name();
      if (md5 != ""){
        int reply;
        do {
          // 204 means the public-key quota was hit; RequestVT sleeps a minute, then the same hash is retried
          reply = RequestVT(md5, client, request, c);
        } while (reply == 204);
      }
      else {
        Console.WriteLine("Hash value empty!");
      }
    }
  }

  int RequestVT(String &md5, WebClientClass &client, WebServiceClass::RequestClass &request, CaseClass &c){
    NameVariantClass root();
    WebServiceClass::ReplyClass reply();
    if (client.Open(address, port, options)) {
      request.URL = relativeUrl + "?apikey=" + api + "&resource=" + md5;   // hash only, never file content
      if (!client.Command(request, reply)){
        Console.WriteLine("Command could not be sent to the server: " + reply.Code);
      }
      else if (reply.Code == 200){
        if (reply.File && reply.File.IsOpen()) {
          reply.File.SetCodePage(CodePageClass::ANSI);
          while (reply.File.More()) {
            if (root.ReadJSON(reply.File)){
              forall (NameVariantClass l in root){
                if (l.Name() == "response_code")
                  if (l.Value){                                  // non-zero: VT knows this hash
                    NameVariantClass p = l.Parent().Find("positives");
                    Console.WriteLine("Hash: " + md5 + ", Score: " + uint::Convert(p.Value, int::DECIMAL));
                    if (uint::Convert(p.Value, int::DECIMAL) > 0){
                      NameVariantClass h = l.Parent().Find("resource");
                      NameVariantClass scans = l.Parent().Find("scans");
                      String malwarenames;
                      forall (NameVariantClass s in scans){
                        if (s.Name() == "result"){
                          if (s.Value) {
                            malwarenames += s.Parent().Name() + "_" + s.Value + "|";   // Engine_Detection|...
                          }
                        }
                      }
                      malwarenames.Trim("|", TRIMEND);
                      NameValueClass val = list.Find(h.Value);
                      String desc = "Score: " + p.Value + " - " + malwarenames;
                      Bookmark(c, desc, val.Value());
                    }
                  }
                  else {
                    Console.WriteLine("Hash: " + md5 + ", Score: VT - Unknown Hash value");
                  }
              }
            }
          }
        }
      }
      else if (reply.Code == 204) {
        SystemClass::Sleep(60000);      // rate limited: wait one minute before the caller retries
      }
      else {
        Console.WriteLine("Could not complete request. Result Code: " + reply.Code);
      }
    }
    return reply.Code;
  }

  void StoreUpdate(uint props, String &apikey){
    StorageClass storage("Check tagged files to VT", props);
    storage.Value("api", apikey);
  }
}

--------------------------------------------------------------------------------

/Compare Physical Device to logical partition and look for unused space with data.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Compare Physical Device to logical partition and look for unused space with data.EnPack
--------------------------------------------------------------------------------

/Compare files to hash set(s) & export only unkown files.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Compare files to hash set(s) & export only unkown files.EnPack
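The two VirusTotal EnScripts above share one pattern: hash the candidate files, drop duplicate hashes, query the v2 file/report endpoint with the hash alone, sleep when a public key hits its quota (HTTP 204), and flag any report whose positives count is above zero. The block below is an added Python rendering of that pattern written for this page; it is not code from the EnCase-EnScripts repository and EnCase itself is not involved. It replaces EnCase signature analysis with a plain MZ-header check, replaces the live endpoint with a constructed FakeVirusTotal object that answers 204 once per hash and then a canned v2-shaped report, and caps the number of 204 retries (the EnScripts retry without limit). SAMPLE_FILES, FakeVirusTotal, the engine names and every function name are constructed for the demonstration.

```python
"""Hash-only VirusTotal v2 lookup: dedupe, 204 backoff, flag positives > 0.
Added example for this page; it mirrors the EnScripts' logic, not their code."""
import hashlib
import json
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for case entries: (true path, file content).
# Two entries share content on purpose so the duplicate-hash path is exercised.
SAMPLE_FILES = [
    ("C:\\Windows\\a.exe", b"MZ" + b"\x90" * 64),
    ("C:\\Temp\\copy_of_a.exe", b"MZ" + b"\x90" * 64),
    ("C:\\Tools\\b.dll", b"MZ" + b"\x00" * 32 + b"PE\x00\x00"),
    ("C:\\Docs\\notes.txt", b"plain text, not a PE file"),
]


def is_pe(data: bytes) -> bool:
    """Cheap stand-in for EnCase signature analysis: MZ header means executable/DLL."""
    return data[:2] == b"MZ"


def collect_unique_hashes(files) -> Dict[str, str]:
    """Return md5 -> first true path; later duplicates are skipped, as in the EnScript."""
    unique: Dict[str, str] = {}
    for path, data in files:
        if not is_pe(data):
            continue
        md5 = hashlib.md5(data).hexdigest()
        if md5 in unique:
            continue  # duplicate hash value ignored
        unique[md5] = path
    return unique


def parse_report(report: dict) -> Tuple[int, str]:
    """Reduce a v2 file/report body to (positives, 'Engine_result|...').
    positives is -1 when VT has never seen the hash (response_code == 0)."""
    if not report.get("response_code"):
        return -1, ""
    positives = int(report.get("positives", 0))
    names = [f"{engine}_{scan['result']}"
             for engine, scan in report.get("scans", {}).items()
             if scan.get("result")]
    return positives, "|".join(names)


def check_hashes(hashes: Dict[str, str],
                 lookup: Callable[[str], Tuple[int, str]],
                 sleep: Callable[[float], None],
                 max_retries: int = 5) -> List[dict]:
    """Query each hash; on HTTP 204 (public-key rate limit) sleep 60 s and retry.
    Unlike the EnScript, retries are capped so a misbehaving endpoint cannot hang the run."""
    results = []
    for md5, path in hashes.items():
        retries = 0
        while True:
            status, body = lookup(md5)
            if status != 204:
                break
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"rate limited {retries} times for {md5}")
            sleep(60)
        if status != 200:
            results.append({"md5": md5, "path": path, "status": status,
                            "positives": None, "names": "", "flagged": False})
            continue
        positives, names = parse_report(json.loads(body))
        results.append({"md5": md5, "path": path, "status": status,
                        "positives": positives, "names": names,
                        "flagged": positives > 0})
    return results


class FakeVirusTotal:
    """Constructed offline stand-in for the v2 file/report endpoint: the first query
    for any hash gets a 204 (as a public key does once over quota), the next gets
    the canned report, or response_code 0 if the hash is unknown."""

    def __init__(self, reports: Dict[str, dict]):
        self.reports = reports
        self.limited = set()

    def lookup(self, md5: str) -> Tuple[int, str]:
        if md5 not in self.limited:
            self.limited.add(md5)
            return 204, ""
        return 200, json.dumps(self.reports.get(md5, {"response_code": 0}))


def run_demo() -> Tuple[List[dict], List[float]]:
    """Wire the pieces together; returns (results, sleep durations requested)."""
    hashes = collect_unique_hashes(SAMPLE_FILES)
    md5_a = hashlib.md5(SAMPLE_FILES[0][1]).hexdigest()
    canned = {md5_a: {"response_code": 1, "resource": md5_a, "positives": 2,
                      "scans": {"EngineA": {"detected": True, "result": "Trojan.Generic"},
                                "EngineB": {"detected": False, "result": None}}}}
    vt = FakeVirusTotal(canned)
    sleeps: List[float] = []
    results = check_hashes(hashes, vt.lookup, sleeps.append)
    return results, sleeps


if __name__ == "__main__":
    for r in run_demo()[0]:
        print(r["positives"], r["names"], r["path"])
```

Injecting `lookup` and `sleep` is what makes the backoff logic testable without touching the network; swapping `FakeVirusTotal.lookup` for a real HTTPS call and `sleeps.append` for `time.sleep` is the only change needed to run it against the endpoint the EnScripts use.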
--------------------------------------------------------------------------------

/Computer Forensic lifecycle.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Computer Forensic lifecycle.pdf
--------------------------------------------------------------------------------

/Convert OSX .emlx mail to MBOX.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Convert OSX .emlx mail to MBOX.EnPack
--------------------------------------------------------------------------------

/Count Unique Email Domains.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Count Unique Email Domains.EnPack
--------------------------------------------------------------------------------

/Create App Descriptors from selected procceses in Snapshot data.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Create App Descriptors from selected procceses in Snapshot data.EnPack
--------------------------------------------------------------------------------

/Create EnCase v7 hash set from text file.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Create EnCase v7 hash set from text file.EnPack
--------------------------------------------------------------------------------

/Create text file with name, size, md5 hash from selected files v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Create text file with name, size, md5 hash from selected files v7.EnPack
--------------------------------------------------------------------------------

/DHCP & IP Information.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/DHCP & IP Information.EnPack
--------------------------------------------------------------------------------

/Decode logs (chr, char, %).EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Decode logs (chr, char, %).EnPack
--------------------------------------------------------------------------------

/Detect Slacker.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Detect Slacker.EnPack
--------------------------------------------------------------------------------

/Detect Unicode & High ASCII Filenames.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Detect Unicode & High ASCII Filenames.EnPack
--------------------------------------------------------------------------------

/Display the number of search hits per file.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Display the number of search hits per file.EnPack
--------------------------------------------------------------------------------

/ED2K EnScript.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/ED2K EnScript.zip
--------------------------------------------------------------------------------

/EnCase_Enterprise_Find_Files_by_Hash_EnCase_v7_v1.0.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/EnCase_Enterprise_Find_Files_by_Hash_EnCase_v7_v1.0.EnPack
--------------------------------------------------------------------------------

/Encrypted Yahoo chat keyword search v1.0.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Encrypted Yahoo chat keyword search v1.0.EnPack
--------------------------------------------------------------------------------

/Encrypted Yahoo chat keyword search v1.1.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Encrypted Yahoo chat keyword search v1.1.EnPack
--------------------------------------------------------------------------------

/Export .spak hashes to text file for import.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export .spak hashes to text file for import.EnPack
--------------------------------------------------------------------------------

/Export Icons from Executables.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export Icons from Executables.EnPack
--------------------------------------------------------------------------------

/Export Internet History hits in selected file(s).backup.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export Internet History hits in selected file(s).backup.EnPack
--------------------------------------------------------------------------------

/Export MFT Slack.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export MFT Slack.EnPack
--------------------------------------------------------------------------------

/Export Search Hits.EnScript:
--------------------------------------------------------------------------------
/*
lance @ forensickb.com
May 27, 2008
EnCase 6.10

Select the Search hits you wanted exported from the text file and then look in
your case default export folder for a file named "searchhits.txt"
*/

class MainClass {
  void Main(CaseClass c) {
    EntryFileClass file();
    LocalFileClass local();

    SearchHitClass hit = c.SearchHitRoot();
    local.Open(c.ExportFolder() + "\\" + "searchhits.txt", FileClass::WRITE);
    local.SetCodePage(0);
    forall (SearchHitClass h in hit){
      if (h.IsSelected() && h.GetEntry()){
        file.Open(h.GetEntry());
        file.SetCodePage(0);
        file.Seek(h.FileOffset());          // position on the hit itself
        FindBeginning(file);                // then rewind to the start of that line
        String line;
        file.ReadString(line, -1, "\r");    // read through the end of the line
        local.Write(line + "\r\n");
      }
    }
  }

  // Walk backwards one byte at a time until the previous line feed is found, leaving the
  // file positioned at the first byte of the line that contains the hit. Stops at offset 0
  // so a hit on the first line of the file cannot loop forever.
  void FindBeginning(FileClass &file){
    bool begin;
    while (begin == false){
      if (file.GetPos() == 0) {
        begin = true;
      }
      else {
        file.Skip(-1);
        uint temp = file.Get();
        if (temp == 0x0a)
          begin = true;
        else
          file.Skip(-1);
      }
    }
  }
}

--------------------------------------------------------------------------------

/Export Selected Files and maintain path and timestamp.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export Selected Files and maintain path and timestamp.EnPack
--------------------------------------------------------------------------------

/Export based on condition - maintain original path.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export based on condition - maintain original path.EnPack
--------------------------------------------------------------------------------

/Export by Extension_v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export by Extension_v7.EnPack
--------------------------------------------------------------------------------

/Export by extension.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export by extension.EnPack
--------------------------------------------------------------------------------

/Export by extension_Maintain_TimeStamps.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export by extension_Maintain_TimeStamps.EnPack
--------------------------------------------------------------------------------

/Export 
by extension_Maintain_TimeStamps_Maintain_Original_Path.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export by extension_Maintain_TimeStamps_Maintain_Original_Path.EnPack -------------------------------------------------------------------------------- /Export checked files by contigous clusters - DVR.EnScript: -------------------------------------------------------------------------------- 1 | class MainClass { 2 | void Main(CaseClass c) { 3 | if (c){ 4 | String export = c.ExportFolder() + "\\Files Exported based on sequential clusters and file size\\"; 5 | if (LocalMachine.CreateFolder(export)){ 6 | forall(EntryClass entry in c.EntryRoot()){ 7 | if (entry.IsSelected()){ 8 | DeviceClass dev = entry.GetDevice(); 9 | EntryFileClass file(); 10 | LocalFileClass local(); 11 | file.Open(dev); 12 | file.Seek(entry.PhysicalLocation()); 13 | if (local.Open(export + entry.Name(), FileClass::WRITE)){ 14 | local.WriteBuffer(file, entry.LogicalSize()); 15 | local.Close(); 16 | } 17 | else 18 | SystemClass::Message(16,"Error", "Could not create output file, check your case default export folder path and try again"); 19 | } 20 | } 21 | } 22 | else 23 | SystemClass::Message(16,"Error", "Could not create output folder, check your case default export folder path and try again"); 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Export files based on Condition and maintain original path and timestamps.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export files based on Condition and maintain original path and timestamps.EnPack -------------------------------------------------------------------------------- /Export files based on 
condition.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export files based on condition.EnPack -------------------------------------------------------------------------------- /Export files with selected search hits.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export files with selected search hits.EnPack -------------------------------------------------------------------------------- /Export files with sequential prefix.EnScript: -------------------------------------------------------------------------------- 1 | class MainClass { 2 | void Main(CaseClass c) { 3 | //Declare variables 4 | EntryFileClass file(); 5 | LocalFileClass local(), log(); 6 | uint mastercounter; 7 | ConnectionClass conn = LocalMachine; 8 | DateClass date; 9 | 10 | // Get current date & time 11 | date.Now(); 12 | String datestring = date.GetString(); 13 | 14 | // Replace illegal filename characters that are in date & time string 15 | datestring.Replace("/","-"); 16 | datestring.Replace(":","_"); 17 | 18 | //Create a unique export folder with the currect date & time as part of the folder name to avoid overwriting previous exports. 
19 | conn.CreateFolder(c.ExportFolder() + "\\Exported Files " + datestring); 20 | 21 | // Create export log 22 | if (log.Open(c.ExportFolder() + "\\Exported Files " + datestring + "\\log.csv", FileClass::WRITE)){ 23 | log.WriteLine("Full_Path,Export_Name,Extension,Created_Date,Last_Written,Last_Accessed,Logical_Size,Deleted"); 24 | //Recurse through all entries in case 25 | forall (EntryClass entry in c.EntryRoot()){ 26 | 27 | // Check to see if current entry is selected 28 | if (entry.IsSelected()){ 29 | file.Open(entry); 30 | mastercounter++; 31 | if (local.Open(c.ExportFolder() + "\\Exported Files " + datestring + "\\" + mastercounter + " - " + entry.Name(), FileClass::WRITE)){ 32 | local.WriteBuffer(file); 33 | String isdeleted; 34 | if (entry.IsDeleted()) 35 | isdeleted = "Yes"; 36 | else 37 | isdeleted = "No"; 38 | 39 | log.WriteLine(entry.FullPath() + "," + mastercounter + " - " + entry.Name() + "," + entry.Extension() + "," + entry.Created().GetString() + "," + entry.Written().GetString() + "," + entry.Accessed().GetString() + "," + entry.LogicalSize() + "," + isdeleted + ","); 40 | } 41 | else 42 | SystemClass::Message(16, "Error!", "Error opening export file"); 43 | } 44 | } 45 | } 46 | else 47 | SystemClass::Message(16, "Error!", "Error opening log file"); 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /Export x Number of bytes around selected search hits - categorized by keyword hit, one file per keyword.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export x Number of bytes around selected search hits - categorized by keyword hit, one file per keyword.EnPack -------------------------------------------------------------------------------- /Export x Number of bytes around selected search hits - categorized by keyword hit.EnPack: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export x Number of bytes around selected search hits - categorized by keyword hit.EnPack -------------------------------------------------------------------------------- /Export x Number of bytes around selected search hits_With HASH_DEC04.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export x Number of bytes around selected search hits_With HASH_DEC04.EnPack -------------------------------------------------------------------------------- /Export x Number of bytes around selected search hits_one hit per file_catagorized by keyword.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export x Number of bytes around selected search hits_one hit per file_catagorized by keyword.EnPack -------------------------------------------------------------------------------- /Export x number of bytes around selected search hit with HTML report.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export x number of bytes around selected search hit with HTML report.EnPack -------------------------------------------------------------------------------- /Export x number of bytes around selected search hit.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export x number of bytes around selected search hit.EnPack 
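The "Export Search Hits" script above rewinds from a hit offset to the previous line feed and writes that line out, and the "Export x number of bytes around selected search hit" EnPacks listed just above do the same with a fixed byte window. The Python below is an added example, not code from the repository: it performs both extractions on an in-memory buffer so it runs outside EnCase, and it handles the case the EnScript's FindBeginning loop does not terminate on, a hit on the first line where there is no earlier 0x0A to stop at. The log lines in SAMPLE are constructed for the example.

```python
"""Extract the line, or a byte window, around a search-hit offset.

Added example; not part of the EnCase-EnScripts repository. Mirrors what the
"Export Search Hits" and "Export x number of bytes around selected search hit"
scripts do inside EnCase, on a plain bytes buffer. SAMPLE is constructed.
"""
from __future__ import annotations


def find_hits(data: bytes, keyword: bytes) -> list[int]:
    """Offsets of every occurrence of keyword (the role EnCase's search-hit list plays)."""
    hits, pos = [], data.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = data.find(keyword, pos + 1)
    return hits


def line_at(data: bytes, offset: int) -> bytes:
    """Return the line containing offset, without its terminator.

    Scans back to the previous LF, or to the start of the buffer when no LF
    precedes the hit (the first-line case), then forward to the next CR or LF.
    """
    if not 0 <= offset < len(data):
        raise IndexError("hit offset outside buffer")
    start = data.rfind(b"\n", 0, offset) + 1        # rfind() gives -1 on the first line -> start at 0
    end = len(data)                                  # no terminator after the last line
    for term in (b"\r", b"\n"):
        pos = data.find(term, offset)
        if pos != -1:
            end = min(end, pos)
    return data[start:end]


def bytes_around(data: bytes, offset: int, hit_len: int, radius: int) -> bytes:
    """radius bytes either side of a hit, clamped to the buffer edges."""
    lo = max(0, offset - radius)
    hi = min(len(data), offset + hit_len + radius)
    return data[lo:hi]


def export_lines(data: bytes, keyword: bytes) -> list[bytes]:
    """One line per hit, as searchhits.txt holds them."""
    return [line_at(data, off) for off in find_hits(data, keyword)]


# Constructed sample: three CRLF log lines; the first has no LF before it and
# the last has no terminator after it, the two edge cases worth exercising.
SAMPLE = (
    b"2008-05-27 10:01:02 login user=alice src=10.0.0.5\r\n"
    b"2008-05-27 10:01:09 login user=mallory src=10.0.0.9\r\n"
    b"2008-05-27 10:02:44 sudo user=mallory cmd=/bin/sh"
)

if __name__ == "__main__":
    for line in export_lines(SAMPLE, b"mallory"):
        print(line.decode())
    off = SAMPLE.find(b"alice")
    print(bytes_around(SAMPLE, off, len(b"alice"), 8))
```

Both helpers clamp at the buffer edges rather than relying on the file cursor to stop, which is the property the EnScript version lacks at offset 0.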
--------------------------------------------------------------------------------
/Export_Internet_History_hits_in_selected_file(s).EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Export_Internet_History_hits_in_selected_file(s).EnPack
--------------------------------------------------------------------------------
/Extract MFT records from Memory Dump v1.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Extract MFT records from Memory Dump v1.EnPack
--------------------------------------------------------------------------------
/Extract Thumbnails from Movies v 2.0.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Extract Thumbnails from Movies v 2.0.EnPack
--------------------------------------------------------------------------------
/F-Response_COM.EnScript:
--------------------------------------------------------------------------------
typelib FR "FEMCCTRL.FEMC"

class MyDialog: DialogClass {

    ButtonClass _Help;
    StringEditClass _User, _Password, _Domain, _Machines;
    String Desc, username, password, machines, domain;

    MyDialog():
        Desc("F-Response\n"
             "Last Updated:\t17 July 2012\n"
             "Latest Test:\tEnCase 6.18\n\n"
             "Lance Mueller\n"
             "lance@forensickb.com\n"
             "http://www.forensickb.com"),
        DialogClass(null, "F-Response"),
        _Help(this, "Help", START, START, 20, 10, 0),
        _User(this, "Username:", START, NEXT, 200, 10, 0, username, 2000, 0),
        _Password(this, "Password:", START, NEXT, 200, 10, 0, password, 2000, 0),
        _Domain(this, "Domain (leave blank if workgroup):", START, NEXT, 200, 10, 0, domain, 2000, 0),
        _Machines(this, "Targets (one IP or valid hostname per line):", START, NEXT, 200, 90, 0, machines, 2000, 0)
    {
        // Placeholder defaults; the examiner replaces them with real credentials in the dialog
        username = "test";
        password = "test";
        machines = "192.168.1.1";
    }

    virtual void ChildEvent(const EventClass &event) {
        if (_Help.Matches(event))
            SystemClass::Message(SystemClass::MBOK, "Help", Desc);
        DialogClass::ChildEvent(event);
    }
}

class MainClass {
    void Main(CaseClass c) {
        SystemClass::ClearConsole(1);
        FR::FEMC femc;
        MyDialog dialogbox();
        if (dialogbox.Execute() == SystemClass::OK) {
            if (femc.Create("")) {
                NameListClass list();
                FR::ICredentialCollection creds;
                creds = femc.Credentials();
                creds.Add(dialogbox.username, dialogbox.domain, dialogbox.password);
                FR::IMachineCollection machines;
                machines = femc.Machines();

                dialogbox.machines.Replace(" ", "");
                list.Parse(dialogbox.machines, "\n");

                forall (NameListClass l in list) {
                    Console.WriteLine("Adding: " + l.Name());
                    machines.Add(l.Name());
                }

                foreach (FR::IMachine imachine in machines) {
                    if (imachine.Status() == 0) {
                        Console.WriteLine(imachine.MachineNameOrIP() + " is not available");
                    }
                    else {
                        // As used here: status 1 means the agent must be installed first,
                        // status 2 means it is installed but not yet running
                        if (imachine.Status() == 1)
                            imachine.InstallFResponse();
                        SystemClass::Sleep(1000);
                        if (imachine.Status() == 2)
                            imachine.StartFResponse();
                        SystemClass::Sleep(1000);
                        FR::ITargetCollection targets;

                        targets = imachine.Targets();
                        foreach (FR::ITarget target in targets) {
                            if (target.TargetName().Contains(":disk")) {
                                Console.WriteLine("F-Response Disk Target detected, " + target.TargetName());
                                target.Login();
                                Console.WriteLine("Target Disk added as \\PhysicalDrive" + target.PhysicalDiskMapping());
                                Process(target.PhysicalDiskMapping(), c);
                                target.Logout();
                            }
                        }
                        // Leave nothing behind on the target once the disk has been examined
                        imachine.StopFResponse();
                        imachine.UninstallFResponse();
                        Console.WriteLine("Script Completed, F-Response Stopped and Removed");
                    }
                }
            }
            else
                Console.WriteLine("Could not create the F-Response COM object (FEMCCTRL.FEMC)");
        }
    }

    // Proof-of-concept use of the mounted remote disk: report pagefile.sys on each volume
    void Process(String target, CaseClass &c) {
        ConnectionClass con = LocalMachine;
        DeviceInfoClass devicelist();

        if (devicelist.Create(con)) {
            foreach (DeviceInfoClass di in devicelist) {
                if (di.Name() == target) {
                    DeviceClass d = di.Mount(c, 0);
                    if (!d) {
                        Console.WriteLine("Could not mount " + target);
                        continue;
                    }
                    EntryClass root = d.GetRootEntry();
                    forall (EntryClass entry in root) {
                        if (entry.Name() == "pagefile.sys") {
                            Console.WriteLine(entry.FullPath() + " LogicalSize: " + entry.LogicalSize() + " Created Date: " + entry.Created().GetString());
                        }
                    }
                }
            }
        }
    }
}
--------------------------------------------------------------------------------
/F-Response_POC.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/F-Response_POC.EnPack
--------------------------------------------------------------------------------
/File Permissions Summary (psgetsid).EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/File Permissions Summary (psgetsid).EnPack
--------------------------------------------------------------------------------
/File Signature Search in Unallocated.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/File Signature Search in Unallocated.EnPack
--------------------------------------------------------------------------------
/Find & Parse Prefetch files in unallocated_v6.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Find & Parse Prefetch files in unallocated_v6.EnPack
--------------------------------------------------------------------------------
/Find Cryptolocker encrypted filesv6&v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Find Cryptolocker encrypted filesv6&v7.EnPack
--------------------------------------------------------------------------------
/Find and Parse prefetch files in Unallocated_v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Find and Parse prefetch files in Unallocated_v7.EnPack
--------------------------------------------------------------------------------
/Find duplicates.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Find duplicates.EnPack
--------------------------------------------------------------------------------
/GSI_BookmarkExporterLib.EnScript:
--------------------------------------------------------------------------------
/*
////////////////////// Guidance Software Inc. //////////////////////

GSI_BookmarkExporterLib.Enscript VERSION 1.0 tested on EnCase V5

Maintenance History :
===================
ver 1.0 : 15 March 2005
+ port from EnCase V4


Notes:
-----
This script is released by Guidance Software Inc. as part of its
Scripts package shipped with the Encase Software.

This library contains methods to export bookmark data to an Excel and/or
an HTML file.

This library is a modification of the "GSI_BookmarkExporterLib" of
Encase V4.


Report all bugs and queries to Enscript@GuidanceSoftware.com

/////////////////////////////////////////////////////////////////////
*/
include "GSI_ExportTableLib"
include "GSI_LogLib"
include "GSI_ModuleLib"

//---//

class BookmarkExporterClass {
    NameListClass Fields;
    String TableCategory,
           Delimiters,
           Prefix,
           Suffix,
           Path;
    LogClass Log;
    ExportTableClass Table;
    bool ShouldExport;

    BookmarkExporterClass():
        Fields(),
        Log(),
        Table()
    {
        Log.Name = "Exporter";
        Log.CurPriority = LogClass::INFO;
        TableCategory = "Events";
        Delimiters = "\t\n";
        Prefix = "";
        Suffix = ":";
        // Exporting stays off until the caller enables it; every method below is a no-op otherwise
        ShouldExport = false;
    }

    // Bookmark comments are stored as "key:<tab>value<newline>" pairs and parsed back in Write()
    void FormatKeyAndValue(String key, String value, String &app) {
        app += key + ":" + Delimiters[0] + value + Delimiters[1];
    }

    void InitializeNewFolder(const String &initialpath) {
        Log.Debug("initialpath: " + initialpath);
        if (ShouldExport) {
            Path = initialpath;
            Log.Debug("Creating folder: " + Path);
            LocalMachine.CreateFolder(Path);
            HostFileClass css(LocalMachine);
            if (css.Open(Path + "\\gsi.css", HostFileClass::WRITETEXTCRLF)) {
                css.Write("BODY { background-color: white; }\n"
                          "DIV.intro { margin-left: 1%; max-width: 600px; margin-bottom: 25px; text-align: justify; }\n"
                          "H1 { text-align: center; font-weight: bold; }\n"
                          "H2 { text-align: center; font-weight: bold; }\n"
                          "TABLE { width: 100%; background-color: black; font-size: smaller; text-align: right; }\n"
                          "TR { background-color: white; }\n"
                          "TH { text-align: center; }\n");
            }
        }
    }

    bool CreateTable(const String excelFileName, const String &filename, const String &title) {
        String name = NameUtilClass::ReplaceIllegalChar(filename);
        return ShouldExport &&
               Table.CreateHTML(Path + "\\" + name, title, "gsi.css") &&
               Table.CreateExcel(Path + "\\" + excelFileName, title);
    }

    void Write(const String &intro, ModuleBMFolderClass &folder) {
        if (ShouldExport && folder) {
            Table.BeginIntroduction();
            Table.InsertParagraph(intro);
            Table.EndIntroduction();
            if (0 < Fields.Count()) {
                Table.BeginTable(TableCategory);

                Table.BeginRow();
                for (NameListClass n = Fields.FirstChild(); n; n++) {
                    Table.InsertHeading(n.Name());
                }
                Table.EndRow();
                Table.ExcelFile.HorizontalFreeze();
                for (BookmarkClass bm = folder.BookmarkFolder.FirstChild(); bm; bm++) {
                    Table.BeginRow();
                    NameListClass fieldValues = new NameListClass();
                    if (0 < fieldValues.Parse(bm.Comment(), Delimiters, 0)) {
                        for (NameListClass n = Fields.FirstChild(); n; n++) {
                            // The value follows its "key:" token in the parsed list
                            NameListClass tag = fieldValues.Find(Prefix + n.Name() + Suffix);
                            if (tag && (++tag)) {
                                Table.InsertCell(tag.Name());
                            }
                            else {
                                Table.InsertCell("");
                            }
                        }
                    }
                    Table.EndRow();
                }
                Table.EndTable();
            }
            Table.Close();
        }
    }

    void Write(const String &intro, LogRecordClass &folder) {
        if (ShouldExport && folder) {
            Table.BeginIntroduction();
            Table.InsertParagraph(intro);
            Table.EndIntroduction();
            if (0 < Fields.Count()) {
                Table.BeginTable(TableCategory);

                Table.BeginRow();
                for (NameListClass n = Fields.FirstChild(); n; n++) {
                    Table.InsertHeading(n.Name());
                }
                Table.EndRow();
                Table.ExcelFile.HorizontalFreeze();
                for (LogRecordClass bm = folder.FirstChild(); bm; bm++) {
                    Table.BeginRow();
                    NameListClass fieldValues = new NameListClass();
                    if (0 < fieldValues.Parse(bm.Comment(), Delimiters, 0)) {
                        for (NameListClass n = Fields.FirstChild(); n; n++) {
                            NameListClass tag = fieldValues.Find(Prefix + n.Name() + Suffix);
                            if (tag && (++tag)) {
                                Table.InsertCell(tag.Name());
                            }
                            else {
                                Table.InsertCell("");
                            }
                        }
                    }
                    Table.EndRow();
                }
                Table.EndTable();
            }
            Table.Close();
        }
    }
}
--------------------------------------------------------------------------------
/Generate SHA1_Base16 & SHA1_Base32 for selected files.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Generate SHA1_Base16 & SHA1_Base32 for selected files.EnPack
--------------------------------------------------------------------------------
/Get MFT Records in Unallocated v6.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Get MFT Records in Unallocated v6.EnPack
--------------------------------------------------------------------------------
/Get Standard Information Attribute Dates and FileName Attribute Dates.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Get Standard Information Attribute Dates and FileName Attribute Dates.EnPack
--------------------------------------------------------------------------------
/Hash selected text.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Hash selected text.EnPack
--------------------------------------------------------------------------------
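The hash-set entries around this point, and the "Import Hashes from Text File - One hash per line" EnScript a little further down, all deal with EnCase's legacy .hash container. The Python below is an added example, not code from the repository or from Guidance Software: it writes that layout the way the EnScript does and reads it back, and it rejects malformed input before anything is written, since one short record shifts every hash after it. Field sizes and constants are taken from the EnScript; little-endian byte order for the integer fields is an assumption (what the EnScript's WriteBinaryInt produces on Windows), and the three sample MD5s in SAMPLE_TEXT are constructed.

```python
"""Write and read back the legacy EnCase .hash set layout.

Added example; not part of the EnCase-EnScripts repository. Layout as written
by the "Import Hashes from Text File - One hash per line" EnScript on this page:
  "HASH\r\n" | uint32 0x000200FF | uint32 0x00010000 | uint16 0 | uint32 count |
  1012 zero bytes | set name, UTF-16LE in an 80-byte field | category, UTF-16LE
  in a 40-byte field | count records of 16 raw MD5 bytes + 2 zero bytes.
Little-endian integers are an assumption; SAMPLE_TEXT is constructed input.
"""
from __future__ import annotations

import hashlib
import struct
from typing import Iterable

MAGIC = b"HASH\r\n"
HEADER = struct.Struct("<IIHI")          # 0x000200FF, 0x00010000, 0, entry count
PAD_AFTER_HEADER = 1012
NAME_FIELD = 80                          # bytes: at most 40 UTF-16 code units
CATEGORY_FIELD = 40                      # bytes: at most 20 UTF-16 code units
RECORD = 18                              # 16-byte MD5 followed by two zero bytes
HEADER_LEN = len(MAGIC) + HEADER.size + PAD_AFTER_HEADER + NAME_FIELD + CATEGORY_FIELD


def _utf16_field(text: str, size: int) -> bytes:
    raw = text.encode("utf-16-le")
    if len(raw) > size:
        # The EnScript's padding arithmetic underflows here; refuse rather than truncate silently.
        raise ValueError(f"{text!r} does not fit in a {size}-byte field")
    return raw.ljust(size, b"\0")


def parse_md5_lines(text: str) -> list[bytes]:
    """One hex MD5 per line; blank lines are skipped, anything else is an error."""
    digests = []
    for lineno, line in enumerate(text.splitlines(), 1):
        token = line.strip()
        if not token:
            continue
        try:
            raw = bytes.fromhex(token)
        except ValueError:
            raise ValueError(f"line {lineno}: not hexadecimal: {token!r}") from None
        if len(raw) != 16:
            raise ValueError(f"line {lineno}: {len(raw) * 2} hex digits, an MD5 has 32")
        digests.append(raw)
    return digests


def build_hash_set(name: str, category: str, digests: Iterable[bytes]) -> bytes:
    digests = list(digests)
    out = bytearray(MAGIC)
    out += HEADER.pack(0x000200FF, 0x00010000, 0, len(digests))
    out += b"\0" * PAD_AFTER_HEADER
    out += _utf16_field(name, NAME_FIELD)
    out += _utf16_field(category, CATEGORY_FIELD)
    for d in digests:
        out += d + b"\0\0"
    return bytes(out)


def read_hash_set(blob: bytes) -> tuple[str, str, list[bytes]]:
    """Parse a .hash blob back into (name, category, digests), validating the header."""
    if not blob.startswith(MAGIC):
        raise ValueError("missing HASH magic")
    off = len(MAGIC)
    word1, word2, _zero, count = HEADER.unpack_from(blob, off)
    if (word1, word2) != (0x000200FF, 0x00010000):
        raise ValueError(f"unexpected header words {word1:#x} {word2:#x}")
    off += HEADER.size + PAD_AFTER_HEADER
    name = blob[off:off + NAME_FIELD].decode("utf-16-le").rstrip("\0")
    off += NAME_FIELD
    category = blob[off:off + CATEGORY_FIELD].decode("utf-16-le").rstrip("\0")
    off += CATEGORY_FIELD
    if len(blob) - off != count * RECORD:
        raise ValueError("entry count does not match file length")
    digests = [blob[i:i + 16] for i in range(off, len(blob), RECORD)]
    return name, category, digests


# Constructed input: the MD5s of three short strings, one per line as a text file would hold them.
SAMPLE_TEXT = "\n".join(hashlib.md5(s).hexdigest() for s in (b"alpha", b"beta", b"gamma")) + "\n"

if __name__ == "__main__":
    blob = build_hash_set("Known", "Known", parse_md5_lines(SAMPLE_TEXT))
    print(len(blob), "bytes;", read_hash_set(blob))
```

The header is fixed at 1152 bytes, so the first record always starts there; a parser that checks the count against the remaining length, as read_hash_set does, catches the truncated-record corruption that unvalidated input produces.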
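The "Luhn Credit Card Validation" EnScript later on this page checks a single number typed into a dialog. An examiner more often needs the reverse: sweep a carved buffer for anything shaped like a card number and keep only what passes the check. The Python below is an added example, not from the repository; the brand prefixes are the 2008-era ones the EnScript uses plus Mastercard's 2221-2720 range, the candidate pattern and SAMPLE text are constructed for the example, and the check-digit helper goes beyond what the EnScript does.

```python
"""Sweep text for Luhn-valid card numbers and label them by brand prefix.

Added example; not part of the EnCase-EnScripts repository. Generalises the
"Luhn Credit Card Validation" EnScript from one typed number to a buffer scan.
Prefix table: the EnScript's 2008 ranges plus Mastercard 2221-2720. SAMPLE is
constructed from published test-card numbers.
"""
from __future__ import annotations

import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (the lookarounds reject 20+ digit strings).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of digits only."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = ord(ch) - 48
        if i % 2 == 1:              # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The digit that makes payload + digit Luhn-valid (exactly one always exists)."""
    for d in "0123456789":
        if luhn_ok(payload + d):
            return d
    raise ValueError("payload must be digits only")


def card_brand(digits: str) -> str:
    n = len(digits)
    p2, p3, p4 = digits[:2], digits[:3], digits[:4]
    if n in (13, 16) and digits[0] == "4":
        return "VISA"
    if n == 16 and ("51" <= p2 <= "55" or "2221" <= p4 <= "2720"):
        return "MASTERCARD"
    if n == 16 and p4 == "6011":
        return "DISCOVER"
    if n == 16 and p2 == "35":
        return "JCB"
    if n == 15 and p2 in ("34", "37"):
        return "AMEX"
    if n == 15 and p4 in ("1800", "2131"):
        return "JCB"
    if n == 14 and (p2 in ("36", "38") or "300" <= p3 <= "305"):
        return "DINERS"
    return f"Unknown Type-{n}"


def find_pans(text: str) -> list[tuple[str, str]]:
    """(digits, brand) for every Luhn-valid candidate in text, in order of appearance."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append((digits, card_brand(digits)))
    return found


# Constructed sample: three valid test-card numbers and one 16-digit ticket number that fails Luhn.
SAMPLE = (
    "order 4111 1111 1111 1111 shipped; ref 5500000000000004; "
    "ticket 1234567812345678 (not a card); amex 378282246310005"
)

if __name__ == "__main__":
    for digits, brand in find_pans(SAMPLE):
        print(brand, digits)
```

Luhn is a checksum, not proof of a card: it removes most random digit runs (about nine in ten) but passes anything constructed to pass, so brand prefix and context still have to be weighed before a hit is reported.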
/Hash selected text_MD5_SHA1Base16_SHA1Base32.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Hash selected text_MD5_SHA1Base16_SHA1Base32.EnPack
--------------------------------------------------------------------------------
/Import Hashes from Text File - One hash per line.EnScript:
--------------------------------------------------------------------------------
/*
lance.mueller@gmail.com
http://www.forensickb.com
06/30/07

This EnScript reads a text file (ANSI, or UTF-16 with a byte-order mark) with
one MD5 hash value per line and writes them into an EnCase .hash set.
example:

1fd48b7580e9e9fe8745f215fd5d2bdc
c138b98557fb5ec424f068a4e6c6472b
d796528c9feb65f25a19005a18bad6ac

*/

class MyDialog: DialogClass {

    PathEditClass _file1;
    String textfile, nameofhashfile, category;
    StringEditClass _Edit1,
                    _Edit2;
    MyDialog():
        DialogClass(null, "Import text file into .hash file"),
        _file1(this, "Please select the text file you wish to import", START, NEXT, 250, 12, 0, textfile, WindowClass::FILEOPEN),
        // The .hash header stores the set name in an 80-byte UTF-16 field, so cap it at 40 characters
        _Edit1(this, "Name of .hash file to create: (placed in your default export folder)", START, NEXT, 160, DEFAULT, 0, nameofhashfile, 40, WindowClass::REQUIRED),
        // The category field is 40 bytes of UTF-16, so 19 characters plus padding
        _Edit2(this, "Category", START, NEXT, 160, DEFAULT, 0, category, 19, WindowClass::REQUIRED)
    {
        category = "Known";
    }
}

class MainClass {
    // True when every character of s is a hexadecimal digit
    bool IsHex(const String &s) {
        String hexchars = "0123456789abcdefABCDEF";
        for (uint i = 0; i < s.GetLength(); ++i)
            if (!hexchars.Contains(s.SubString(i, 1)))
                return false;
        return true;
    }

    void Main(CaseClass c) {
        LocalFileClass local(), outfile();
        NameListClass list();
        String line;
        SystemClass::ClearConsole();
        uint counter;

        MyDialog dialogbox();
        if (dialogbox.Execute() == SystemClass::OK) {
            if (local.Open(dialogbox.textfile)) {
                local.SetCodePage(0);
                // Sniff for a UTF-16LE byte-order mark; otherwise read the file as ANSI
                if (local.Peek() != FileClass::EOF) {
                    String tmp;
                    local.ReadString(tmp, 2, "");
                    if (tmp == "\xFF\xFE") {
                        local.SetCodePage(CodePageClass::UNICODE);
                        local.Seek(2);
                    }
                    else {
                        local.Seek(0);
                    }
                }
                while (local.Peek() != FileClass::EOF) {
                    local.ReadString(line, 100, "\r");
                    if (line) {
                        line.Replace("\n", "");
                        line.Replace("\r", "");
                        line.Replace("\t", "");
                        line.Replace(" ", "");
                        // Every record is exactly 16 bytes: a line that is not 32 hex digits would be
                        // written as a short record and shift every hash after it, so skip it
                        if (line.GetLength() == 32 && IsHex(line))
                            new NameListClass(list, line);
                        else if (line.GetLength() > 0)
                            Console.WriteLine("skipped, not a 32-digit hex MD5: " + line);
                    }
                }
                counter = list.Count();

                if (outfile.Open(c.ExportFolder() + "\\" + dialogbox.nameofhashfile + ".hash", FileClass::WRITE)) {
                    // Header: magic, two fixed words, a zero short, the entry count, then 1012 bytes of padding
                    outfile.SetCodePage(CodePageClass::ANSI);
                    outfile.Write("HASH\r\n");
                    outfile.WriteBinaryInt(0x000200FF, 4);
                    outfile.WriteBinaryInt(0x00010000, 4);
                    outfile.WriteBinaryInt(0x0000, 2);
                    outfile.WriteBinaryInt(counter, 4);
                    for (int i = 0; i < 1012; ++i)
                        outfile.WriteBinaryInt(0, 1);

                    // Set name: UTF-16, zero-padded to an 80-byte field (the dialog caps it at 40 characters,
                    // so 80 - namelen cannot go negative)
                    uint namelen = dialogbox.nameofhashfile.GetLength() * 2;
                    outfile.SetCodePage(CodePageClass::UNICODE);
                    outfile.Write(dialogbox.nameofhashfile);
                    outfile.SetCodePage(CodePageClass::ANSI);
                    for (uint i = 1; i <= (80 - namelen); ++i)
                        outfile.WriteBinaryInt(0, 1);

                    // Category: UTF-16, zero-padded to a 40-byte field
                    outfile.SetCodePage(CodePageClass::UNICODE);
                    outfile.Write(dialogbox.category);
                    int filler = 40 - (2 * dialogbox.category.GetLength());
                    outfile.SetCodePage(CodePageClass::ANSI);
                    for (int i = 0; i < filler; ++i)
                        outfile.WriteBinaryInt(0, 1);

                    // One 18-byte record per hash: the 16 raw MD5 bytes followed by two zero bytes
                    uint total;
                    foreach (NameListClass n in list) {
                        String hash = n.Name();
                        for (int i = 0; i < 16; ++i) {
                            uint val = uint::Convert(hash.SubString((i * 2), 2), int::HEX);
                            outfile.WriteBinaryInt(val, 1);
                        }
                        outfile.WriteBinaryInt(0, 2);
                        Console.WriteLine("added " + hash);
                        total++;
                    }
                    Console.WriteLine(total + " hashes were added to the file: " + c.ExportFolder() + "\\" + dialogbox.nameofhashfile + ".hash");
                }
                else
                    SystemClass::Message(16, "Error", "Could not create the .hash file in the case default export folder");
            }
            else
                SystemClass::Message(16, "Error", "Could not open the selected text file");
        }
    }
}
--------------------------------------------------------------------------------
/Import Hashes from Text File.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Import Hashes from Text File.EnPack
--------------------------------------------------------------------------------
/Keyword Harvester.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Keyword Harvester.EnPack
--------------------------------------------------------------------------------
/Keyword search with exclusion list.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Keyword search with exclusion list.EnPack
--------------------------------------------------------------------------------
/LNK Files for MAC Address.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/LNK Files for MAC Address.EnPack
--------------------------------------------------------------------------------
/Limewire Search & Bookmark.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Limewire Search & Bookmark.EnPack
--------------------------------------------------------------------------------
/List filetypes by extension_with_size_v7.EnScript:
--------------------------------------------------------------------------------
// lance@forensickb.com
// 04/1/2015


class MainClass {
    NameListClass list;

    // Build a tree: extension -> file name -> logical size, so sizes can be summed per extension
    void Parse(CaseClass &c) {
        for (ItemIteratorClass iter(c, NOPROXY | NORECURSE); EntryClass e = iter.GetNextEntry();) {
            if (e.Extension()) {
                String lowerext = e.Extension();
                lowerext.ToLower();
                NameListClass temp = list.Find(lowerext);
                if (temp) {
                    NameListClass t = new NameListClass(temp, e.Name(), 0);
                    new NameListClass(t, e.LogicalSize(), 0);
                }
                else {
                    NameListClass temp2 = new NameListClass(list, lowerext, 0);
                    NameListClass temp3 = new NameListClass(temp2, e.Name(), 0);
                    new NameListClass(temp3, e.LogicalSize(), 0);
                }
            }
        }
    }

    void Main(CaseClass c) {
        SystemClass::ClearConsole(1);
        list = new NameListClass();
        LocalFileClass local();
        if (!local.Open(c.ExportFolder() + "\\" + "File Count by extension.csv", FileClass::WRITE)) {
            SystemClass::Message(16, "Error", "Could not create 'File Count by extension.csv' in the case default export folder");
            return;
        }
        Parse(c);

        foreach (NameListClass l in list) {
            long totalsize;

            foreach (NameListClass e in l) {
                foreach (NameListClass s in e) {
                    totalsize += long::Convert(s.Name(), int::DECIMAL);
                }
            }
            Console.WriteLine("Extension: " + l.Name() + "\tCount: " + l.Count() + "\tSize:" + totalsize);
            // Tab-separated despite the .csv extension; Excel still opens it
            local.WriteLine(l.Name() + "\t" + l.Count() + "\t" + totalsize);
        }
    }
}
--------------------------------------------------------------------------------
/List filetypes by extensions.EnScript:
--------------------------------------------------------------------------------
/*

lance@forensickb.com
May 16, 2008

This EnScript will display all the extensions for all the evidence loaded in EnCase and then the count
for the number of files with a given extension. Output is displayed in the CONSOLE tab of EnCase.

The EnScript also creates a local file named "File Count by extension.csv" in the EnCase default export
folder that will open by default (based on the .csv extension) in Excel. It can then be sorted how you wish.

*/


class MainClass {
    NameListClass list;

    // Build a tree: extension -> one child per file with that extension
    void Parse(EntryClass entry) {
        forall (EntryClass e in entry) {
            if (e.Extension()) {
                String lowerext = e.Extension();
                lowerext.ToLower();
                NameListClass temp = list.Find(lowerext);

                if (temp) {
                    new NameListClass(temp, e.Name(), 0);
                }
                else {
                    NameListClass temp2 = new NameListClass(list, lowerext, 0);
                    new NameListClass(temp2, e.Name(), 0);
                }
            }
        }
    }

    void Main(CaseClass c) {
        SystemClass::ClearConsole();
        list = new NameListClass();
        LocalFileClass local();
        if (!local.Open(c.ExportFolder() + "\\" + "File Count by extension.csv", FileClass::WRITE)) {
            SystemClass::Message(16, "Error", "Could not create 'File Count by extension.csv' in the case default export folder");
            return;
        }
        Parse(c.EntryRoot());

        foreach (NameListClass l in list) {
            Console.WriteLine(l.Name() + "\t" + l.Count());
            local.WriteLine(l.Name() + "\t" + l.Count());
        }
    }
}
--------------------------------------------------------------------------------
/Luhn Credit Card Validation.EnScript:
--------------------------------------------------------------------------------
/*
lance (at) forensickb.com
June 2, 2008

*/


class MyDialog: DialogClass {
    String ccNum, Desc;
    ButtonClass _Help;
    StringEditClass _ccNum;


    MyDialog():
        Desc("LUHN Credit Card Number Validation v1.0\n"
             "This EnScript uses the LUHN algorithm to test the entered credit card\n"
             " number and then tries to identify the credit card type by the first few digits.\n\n"
             "lance (at) forensickb.com\n"
             "June 02, 2008"),
        DialogClass(null, "LUHN credit card number validation"),
        _Help(this, "Info", START, START, DEFAULT, DEFAULT, 0),
        _ccNum(this, "Credit card number:", START, NEXT, 200, 10, 0, ccNum, 20, WindowClass::REQUIRED)
    {
    }

    virtual void ChildEvent(const EventClass &event) {
        if (_Help.Matches(event))
            SystemClass::Message(SystemClass::MBOK, "Info", Desc);
        DialogClass::ChildEvent(event);
    }

    virtual bool CanClose() {
        return true;
    }
}

class MainClass {

    String digits, type;

    void Main() {
        MyDialog dialogbox();
        if (dialogbox.Execute() == SystemClass::OK) {
            bool luhn = isValidNumber(dialogbox.ccNum);

            if (dialogbox.ccNum.GetLength() < 13 || dialogbox.ccNum.GetLength() > 19) {
                Console.WriteLine("The credit card number is either too short or too long. (<13 or >19)");
                SystemClass::Message(0, "Notice", "The credit card number is either too short or too long. (<13 or >19)");
            }
            // The Luhn result is tested before the prefix lookup: a number that fails the
            // checksum is invalid whatever its prefix, so it must not be reported as passing
            else if (!luhn) {
                Console.WriteLine("The credit card number entered is *not* valid");
                SystemClass::Message(0, "Notice", "The credit card number entered is *not* valid");
            }
            else if (type.Contains("Unknown")) {
                Console.WriteLine("The credit card number passes the LUHN validation test, but the number sequence does not belong to a known vendor");
                SystemClass::Message(0, "Notice", "The credit card passes the LUHN validation test, but the number sequence does not belong to a known vendor");
            }
            else {
                Console.WriteLine("The credit card number entered passes the LUHN validation test and is identified as belonging to " + type);
                SystemClass::Message(0, "Notice", "The credit card number entered passes the LUHN validation test and is identified as belonging to " + type);
            }
        }
    }


    bool isValidNumber(String &number) {

        int len = number.GetLength();
        // Default so 17-19 digit numbers, which have no prefix rules below, are reported as unknown rather than blank
        type = "Unknown Type-" + len;

        // Reject anything that is not purely numeric instead of silently converting it to 0
        String digitchars = "0123456789";
        for (int i = 0; i < len; ++i)
            if (!digitchars.Contains(number.SubString(i, 1)))
                return false;

        // Issuer prefixes as of June 2008; newer ranges (e.g. Mastercard 2221-2720) are not covered
        if (len == 16) {
            String begining1 = number.SubString(0, 1);
            String begining2 = number.SubString(0, 2);
            String begining4 = number.SubString(0, 4);
            if (begining1 == "4")
                type = "VISA";
            else if (begining2 == "51" || begining2 == "52" || begining2 == "53" || begining2 == "54" || begining2 == "55")
                type = "MASTERCARD";
            else if (begining4 == "6011")
                type = "DISCOVER";
            else if (begining2 == "35")
                type = "JCB";
            else {
                type = "Unknown Type-16";
            }
        }
        else if (len == 15) {
            String begining2 = number.SubString(0, 2);
            String begining4 = number.SubString(0, 4);
            if (begining2 == "34" || begining2 == "37")
                type = "AMEX";
            else if (begining4 == "1800" || begining4 == "2131")
                type = "JCB";
            else {
                type = "Unknown Type-15";
            }
        }
        else if (len == 14) {
            String begining2 = number.SubString(0, 2);
            String begining3 = number.SubString(0, 3);
            if (begining2 == "36" || begining2 == "38" || begining3 == "300" || begining3 == "301" || begining3 == "302" || begining3 == "303" || begining3 == "304" || begining3 == "305")
                type = "DINERS";
            else {
                type = "Unknown Type-14";
            }
        }
        else if (len == 13) {
            String begining1 = number.SubString(0, 1);
            if (begining1 == "4")
                type = "VISA";
            else {
                type = "Unknown Type-13";   // was a comparison (==) in the original, which left type unset
            }
        }

        // Luhn mod-10: walking from the rightmost digit, double every second digit and
        // fold any two-digit product back into one digit; valid when the sum is a multiple of 10
        int sum = 0;
        bool alternate = false;
        int n;
        for (int i = number.GetLength() - 1; i >= 0; i--) {
            n = int::Convert(number[i], int::DECIMAL);

            if (alternate) {
                n *= 2;
                if (n > 9) {
                    n = (n % 10) + 1;
                }
            }

            sum += n;
            alternate = !alternate;
        }
        return (sum % 10 == 0);
    }
}
--------------------------------------------------------------------------------
/Maine State Police Movie Carver.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Maine State Police Movie Carver.EnPack
--------------------------------------------------------------------------------
/Make LEF based on extension and High ASCII filenames.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Make LEF based on extension and High ASCII filenames.EnPack
--------------------------------------------------------------------------------
/Make LEF from condition.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Make LEF from condition.EnPack
--------------------------------------------------------------------------------
/Make Thumbnails of selected video files.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Make Thumbnails of selected video files.EnPack
--------------------------------------------------------------------------------
/Merge two hash sets.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Merge two hash sets.EnPack
--------------------------------------------------------------------------------
/Office Metadata.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Office Metadata.EnPack
--------------------------------------------------------------------------------
/Office Metadata_Includes_Office_2007.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Office Metadata_Includes_Office_2007.EnPack
--------------------------------------------------------------------------------
/Output to DD file.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Output to DD file.EnPack
--------------------------------------------------------------------------------
/Output to DD image file and redact selected files.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Output to DD image file and redact selected files.EnPack
--------------------------------------------------------------------------------
/Parse Event Logs from unallocated.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse Event Logs from unallocated.EnPack
--------------------------------------------------------------------------------
/Parse Link Files to EXCEL Spreadsheet with UNIX dates for sorting.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse Link Files to EXCEL Spreadsheet with UNIX dates for sorting.EnPack
--------------------------------------------------------------------------------
/Parse PST Email Metadata to Excel Spreadsheet.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse PST Email Metadata to Excel Spreadsheet.EnPack
--------------------------------------------------------------------------------
/Parse RecentFileCache.bcf and bookmark files.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse RecentFileCache.bcf and bookmark files.EnPack
--------------------------------------------------------------------------------
/Parse RecentFileCache.bcf and bookmark files_v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse RecentFileCache.bcf and bookmark files_v7.EnPack
--------------------------------------------------------------------------------
/Parse TIFF for MetaData.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse TIFF for MetaData.EnPack
--------------------------------------------------------------------------------
/Parse USNJRNL.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse USNJRNL.EnPack
--------------------------------------------------------------------------------
/Parse USNJRNL_v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse USNJRNL_v7.EnPack
--------------------------------------------------------------------------------
/Parse USNJRNLv1.1.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse USNJRNLv1.1.EnPack
--------------------------------------------------------------------------------
/Parse USNJRNLv1.2_Export_CSV.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse USNJRNLv1.2_Export_CSV.EnPack
--------------------------------------------------------------------------------
/Parse WIFI Profiles.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse WIFI Profiles.EnPack
--------------------------------------------------------------------------------
/Parse Wireless Access Points Win7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse Wireless Access Points Win7.EnPack
--------------------------------------------------------------------------------
/Parse Wireless Access Points Win7.EnScript:
--------------------------------------------------------------------------------
class MainClass {

  // Reads a string value entry from the mounted SOFTWARE hive
  String ReadValueString(EntryClass &e){
    String value;
    EntryFileClass file();
    if (file.Open(e))
      file.ReadString(value);
    return value;
  }

  // Reads the 6-byte DefaultGatewayMac value and formats it as XX:XX:XX:XX:XX:XX
  String ReadMac(EntryClass &e){
    String mac;
    EntryFileClass file();
    if (file.Open(e)){
      for (uint x = 1; x <= 6; x++){
        uint m = file.ReadBinaryInt(1);
        String temp = String::FormatInt(m, int::HEX);
        if (temp.GetLength() == 1) // zero-pad every octet, including the last one
          temp = "0" + temp;
        mac += temp;
        if (x < 6)
          mac += ":";
      }
    }
    mac.ToUpper();
    return mac;
  }

  void Main(CaseClass c) {
    SystemClass::ClearConsole(1);
    if (c){
      BookmarkFolderClass folder(c.BookmarkRoot(), "Wireless Networks");
      String keypath = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Signatures\\Unmanaged";

      forall (EntryClass entry in c.EntryRoot()){
        if (entry.Name().Compare("software") == 0){
          Console.Write("Checking..... " + entry.FullPath());
          VolumeClass volume = entry.MountVolume(false);
          if (volume){
            EntryClass e1 = volume.FirstChild();
            EntryClass e2 = e1.Find(keypath);
            if (e2){
              Console.WriteLine("\n----------------------------------------------------------------");
              foreach (EntryClass e3 in e2){
                BookmarkFolderClass folder2(folder, e3.Name());
                folder2.AddBookmark(entry, 0, 0, "Wireless Network Found", 0, BookmarkClass::LOWASCII);
                Console.WriteLine("Last Written: " + e3.Written().GetString());
                folder2.AddNote("Last Written: " + e3.Written().GetString(), 0, 0, 0);
                //AddNote (const String &Comment, int indent, int Size, uint Options

                foreach (EntryClass e in e3){
                  String label;
                  if (e.Name() == "Description")
                    label = "SSID: " + ReadValueString(e);
                  else if (e.Name() == "DnsSuffix")
                    label = "DNS Suffix: " + ReadValueString(e);
                  else if (e.Name() == "FirstNetwork")
                    label = "FirstNetwork: " + ReadValueString(e);
                  else if (e.Name() == "DefaultGatewayMac")
                    label = "BSSID/MAC: " + ReadMac(e);

                  if (label){
                    Console.WriteLine(label);
                    folder2.AddNote(label, 0, 0, 0);
                  }
                }
                Console.WriteLine("");
              }
            }
            else
              Console.WriteLine("........Key not found: " + keypath);
          }
        }
      }
    }
  }
}
--------------------------------------------------------------------------------
/Parse Wireless Access Points in Vista_Win7_Win8_EnCaseV7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse Wireless Access Points in Vista_Win7_Win8_EnCaseV7.EnPack
--------------------------------------------------------------------------------
/Parse each NTUSER.DAT for RecentDocs to EXCEL_v6.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse each NTUSER.DAT for RecentDocs to EXCEL_v6.EnPack
--------------------------------------------------------------------------------
/Parse recent RDP sessions from NTUSER.DAT files.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse recent RDP sessions from NTUSER.DAT files.EnPack
--------------------------------------------------------------------------------
/Parse selected Executable for String Resources.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse selected Executable for String Resources.EnPack
--------------------------------------------------------------------------------
/Parse setupapi.dev.log for USB info_v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse setupapi.dev.log for USB info_v7.EnPack
--------------------------------------------------------------------------------
/Parse setupapidev.log for USB info.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Parse setupapidev.log for USB info.EnPack
--------------------------------------------------------------------------------
/Quickly Calculate MD5, SHA1 and entropy of selected files_v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Quickly Calculate MD5, SHA1 and entropy of selected files_v7.EnPack
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# enscript
general repository for compiled and uncompiled enscripts
--------------------------------------------------------------------------------
/Read Windows 7 Recycle Bin $I Files.EnScript:
--------------------------------------------------------------------------------
/*

Windows 7 Recycle Bin Report (Version: 1.0)

Select $I files found in the Windows 7 $Recycle.Bin folder that you want decoded

Enscript will create a tab-delimited file in the case export folder

Created by: Bruce W. Pixley, CISSP, EnCE
Date: 12/1/2010

*/

class MainClass {
  void Main(CaseClass c) { // Execution starts here

    LocalFileClass local();

    SystemClass::ClearConsole(1); // Clear the console

    local.Open(c.ExportFolder() + "\\RecycleBin.txt", FileClass::WRITE); // Settings for tab-delimited export and write column header

    local.Write("Windows Recycle Bin Record" + "\t" + "Deleted File Name" + "\t" + "Deleted File Size" + "\t" + "Deleted Date/Time" + "\n");

    forall (EntryClass e in c.EntryRoot()) {

      if (e.IsSelected()) {

        ulong filesize; // Set variables to store file information
        String filename;
        DateClass deleted();

        Console.WriteLine("Selected File: " + e.FullPath() + "\n"); // Write to console

        EntryFileClass ef();
        if (ef.Open(e)) {
          ef.SetCodePage(CodePageClass::UNICODE);

          // A Windows 7 $I file holds a single record: an 8-byte header, the 8-byte size of the
          // deleted file, the 8-byte FILETIME of deletion, then the original path as a
          // null-terminated Unicode string
          ef.Skip(8); // Skip the 8-byte header

          filesize = ef.ReadBinaryInt(8, false); // Read deleted file size

          ef.ReadWinDate(deleted); // Read 8-byte deleted date/time stamp

          ef.ReadString(filename, -1, "\x00\x00"); // Read Unicode filename; ends in Hex 00 00

          Console.WriteLine("Deleted File Name: " + filename); // Write to console

          Console.WriteLine("Deleted File Size: " + filesize); // Write to console

          Console.WriteLine("Deleted Date/Time: " +
                            deleted.GetString(DateClass::GetDateFormat(),
                                              DateClass::GetTimeFormat(),
                                              e.GetTimeZoneBias())); // Write to console and get time zone setting from case

          Console.WriteLine("\n" + "Writing output to tab-delimited TXT file" + "\n");

          local.Write(e.FullPath() + "\t" +
                      filename + "\t" +
                      filesize + "\t" +
                      deleted.GetString(DateClass::GetDateFormat(), DateClass::GetTimeFormat(), e.GetTimeZoneBias()) +
                      "\n"); // Write output to tab-delimited TXT file

          Console.WriteLine("[End of File]" + "\n"); // Write to console
        }
        else
          Console.WriteLine("Unable to open: " + e.FullPath() + "\n");

      } // Close IF

    } // Close FORALL loop

    Console.WriteLine("\n" + "DING! Enscript Finished");

  }

} // Execution stops here
--------------------------------------------------------------------------------
/Registry Last Written Timestamp bookmark.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Registry Last Written Timestamp bookmark.EnPack
--------------------------------------------------------------------------------
/Repair corrupted event logs.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Repair corrupted event logs.EnPack
--------------------------------------------------------------------------------
/Restore Point Information from Change.log.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Restore Point Information from Change.log.EnPack
--------------------------------------------------------------------------------
/Restore Point Information from rp.log.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Restore Point Information from rp.log.EnPack
--------------------------------------------------------------------------------
/SafeBoot Info v1.3.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/SafeBoot Info v1.3.EnPack
--------------------------------------------------------------------------------
/Search & Parse 'nk' Reg keys.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Search & Parse 'nk' Reg keys.EnPack
--------------------------------------------------------------------------------
/Search & Parse 'vk' Reg keys.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Search & Parse 'vk' Reg keys.EnPack
--------------------------------------------------------------------------------
/Search for win32 TIMESTAMP.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Search for win32 TIMESTAMP.EnPack
--------------------------------------------------------------------------------
/Search in ROT13 & XOR.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Search in ROT13 & XOR.EnPack
--------------------------------------------------------------------------------
/Search_keyword_and_parse_till_double_CRLF.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Search_keyword_and_parse_till_double_CRLF.EnPack
--------------------------------------------------------------------------------
/Send data to Splunk.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Send data to Splunk.EnPack
--------------------------------------------------------------------------------
/Send data to Splunk_v6.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Send data to Splunk_v6.EnPack
--------------------------------------------------------------------------------
/Seperate_FTP_sessions.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Seperate_FTP_sessions.EnPack
--------------------------------------------------------------------------------
/Service Pack and Patch Information.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Service Pack and Patch Information.EnPack
--------------------------------------------------------------------------------
/Show only path of folders containing only certain files, count and size.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Show only path of folders containing only certain files, count and size.EnPack
--------------------------------------------------------------------------------
/Skype Chatsync IP addresses.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Skype Chatsync IP addresses.EnPack
--------------------------------------------------------------------------------
/Triage Media.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Triage Media.EnPack
--------------------------------------------------------------------------------
/Tutorial IV.EnScript:
--------------------------------------------------------------------------------
class MainClass {
  void Main(CaseClass c) {
    forall (EntryClass entry in c.EntryRoot()){
      if (entry.Name() == "boot.ini"){
        Console.WriteLine(entry.FullPath());
        EntryFileClass file; // create EntryFileClass variable
        file = new EntryFileClass(); // initialize the variable
        file.Open(entry); // open the file currently pointed to by the entry variable
        file.SetCodePage(CodePageClass::ANSI); // set the codepage to ANSI
        String text; // create a string variable to hold a line of text as we read the file, line by line
        do { // enter a DO loop and continue until the condition is met on the WHILE line below
          file.ReadString(text, -1, "\x0d\x0a"); // read a line of text until a carriage return and line feed character is encountered
          if (text.Contains("default=")){ // if the line we just read contains "default=" then it's the line we want
            Console.WriteLine(text); // if the line contains the "default=" text then print the entire line to the console
            break; // break out of the loop since we found what we wanted and there is no need to continue reading
          }

        } while (file.Peek() != FileClass::EOF); // exit the loop when we reach the end of the file; we only get here if the data we are looking for is never found
      }
    }
  }
}
--------------------------------------------------------------------------------
/USB Device History - System Volume Information - Selected Only.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/USB Device History - System Volume Information - Selected Only.EnPack
--------------------------------------------------------------------------------
/USB Device History - System Volume Information.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/USB Device History - System Volume Information.EnPack
--------------------------------------------------------------------------------
/USB Device History v0.5 122707.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/USB Device History v0.5 122707.EnPack
--------------------------------------------------------------------------------
/USB Device History v0.5 122707.EnScript:
--------------------------------------------------------------------------------
/*
lance mueller
digitdetective@gmail.com
http://www.forensickb.com
July 21, 2007

*/

class MainClass {
  String device,
         type,
         vendor,
         product,
         friendlyname,
         prefixid,
         serial,
         Siginhex,
         USB,
         postfix;

  uint startprodname,
       stopprodname,
       starttypename,
       stoptypename,
       startvenname,
       stopvenname,
       signature;

  ulong offset; // VolumeByteOffsetStart is an 8-byte value; a uint would truncate offsets beyond 4 GB

  DateClass lastwrittendate;

  NameListClass prefixids,
                USBserial;


  MainClass() :
    prefixids(),
    USBserial()
  {

  }

  // Locates the keys of interest under the current control set of the mounted SYSTEM hive
  void GetRoots(VolumeClass &volume, EntryClass &Select, EntryClass &DefaultCC, EntryClass &MountedDevices, EntryClass &USBSTOR, EntryClass &DeviceClass1, EntryClass &DeviceClass2){
    EntryClass SystemBase = volume.FirstChild();
    Select = SystemBase.Find("Select\\Current");
    MountedDevices = SystemBase.Find("MountedDevices");


    EntryFileClass selectfile();
    if (selectfile.Open(Select)){
      selectfile.SetCodePage(0);
      uint cc = selectfile.ReadBinaryInt(4, false); // read the default control set
      String defaultcc = String::FormatInt(cc, int::DECIMAL);
      DefaultCC = SystemBase.Find("ControlSet00" + defaultcc);
      if (DefaultCC){
        USBSTOR = DefaultCC.Find("Enum\\USBSTOR");
        DeviceClass1 = DefaultCC.Find("Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
        DeviceClass2 = DefaultCC.Find("Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}");
      }
    }
  }

  void GetUSBSTOR(EntryClass &USBSTOR){
    Console.WriteLine("USBSTOR:\nType\t Vendor\t Product\t Serial_Number\t Friendly_Name\t USB_Driver Last_Written_Date \t ParentIDPrefix");
    foreach (EntryClass e in USBSTOR){
      EntryClass tmp;
      device = e.Name(); // e.g. Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>

      starttypename = 0;
      stoptypename = device.Find("&");
      type = device.SubString(starttypename, stoptypename);

      startvenname = device.Find("&Ven_");
      stopvenname = device.Find("&", startvenname + 1);
      vendor = device.SubString(startvenname + 5, stopvenname - (startvenname + 5));

      startprodname = device.Find("Prod_");
      stopprodname = device.Find("&", startprodname);
      product = device.SubString(startprodname + 5, stopprodname - (startprodname + 5));
      foreach (EntryClass e2 in e){ // Recurse into Serialnumber folder to get device details
        serial = e2.Name();
        tmp = e2.Find("FriendlyName");
        if (tmp){
          EntryFileClass tempfile();
          if (tempfile.Open(tmp)){
            tempfile.SetCodePage(CodePageClass::UNICODE);
            tempfile.ReadString(friendlyname);
            tempfile.Close();
            tmp = e2.Find("ParentIdPrefix");
            if (tmp && tempfile.Open(tmp)){
              tempfile.SetCodePage(CodePageClass::UNICODE);
              tempfile.ReadString(prefixid);
              tempfile.Close();
              // Parallel lists: prefixids[i] belongs to the device whose serial is USBserial[i]
              new NameListClass (prefixids, prefixid);
              new NameListClass (USBserial, serial);
            }
            else
              prefixid = "NONE";
            Console.WriteLine(type + "\t" + vendor + "\t" + product + "\t" + serial + "\t" + friendlyname + "\t" + e2.Written().GetString(DateClass::SHOWTIME) + "\t" + prefixid);
          }
        }
      }
    }
  }

  void GetMountedDevices(EntryClass &MountedDevices){
    Console.WriteLine("\n\n\nMounted_Devices:");
    foreach (EntryClass e in MountedDevices){
      postfix = "";
      if (e.Name().Contains("DosDevices")){
        EntryFileClass tempfile();
        if (tempfile.Open(e)){
          tempfile.SetCodePage(0);
          if (e.LogicalSize() == 12){
            // Fixed disk volume: 4-byte disk signature followed by the 8-byte partition offset
            signature = tempfile.ReadBinaryInt(4);
            Siginhex = String::FormatInt(signature, int::HEX);
            offset = tempfile.ReadBinaryInt(8);
            Console.WriteLine(e.Name() + "\t" + "DiskSignature: " + Siginhex + "\t" + "VolumeByteOffsetStart: " + offset);
          }
          else {
            // Otherwise the value is a Unicode device path; match it to a USBSTOR ParentIdPrefix
            tempfile.SetCodePage(CodePageClass::UNICODE);
            tempfile.ReadString(USB);

            foreach (NameListClass n in prefixids){
              //Console.WriteLine(n.Name());
              if (USB.Contains(n.Name())){
                uint index = n.Index();
                String serial = USBserial.GetChild(index).Name();
                postfix = "USB Device Serial#: " + serial + " was last assigned to this drive letter";
              }
            }
            Console.WriteLine(e.Name() + "\t" + USB + "\t" + postfix);
          }
        }
      }
    }
  }

  void GetDevices1 (EntryClass &DeviceClass1){
    Console.WriteLine("\n\n\n\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:\nType\tVendor\tProduct\tRevision\tSerial_Number\tDriver\tLast_Written_Date");
    foreach (EntryClass e in DeviceClass1){
      if (e.Name().Contains("USBSTOR")){
        String name = e.Name().SubString(21, e.Name().GetLength() - 21); // strip the "##?#USBSTOR#Disk&Ven_" prefix
        name.Replace("&Prod_", "\t");
        name.Replace("&Rev_", "\t");
        name.Replace("#", "\t");
        Console.WriteLine("Disk\t" + name + "\t" + e.Written().GetString(DateClass::SHOWTIME));
      }

      //Console.WriteLine(e.Name());
    }
  }

  void GetDevices2 (EntryClass &DeviceClass2){
    Console.WriteLine("\n\n\n\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:\nType1\tType2\tSerial_Number\tSignature\tOffset\tLength\tDriver\tLast_Written_Date");
    foreach (EntryClass e in DeviceClass2){

      String name = e.Name().SubString(4, e.Name().GetLength() - 4); // strip the leading "##?#"
      if (name.Contains("IDE")){
        name.Replace("#{", "\t\t\t\t");
        name.Replace("#", "\t");
      }
      else if (name.Contains("SCSI")){
        name.Replace("#{", "\t\t\t\t");
        name.Replace("#", "\t");
      }
      else if (name.Contains("STORAGE#VOLUME")){
        name.Replace("OFFSET", "\t");
        name.Replace("#", "\t");
        name.Replace("SIGNATURE", "\t");
        name.Replace("LENGTH", "\t");
      }
      else if (name.Contains("STORAGE#Removable")){
        name.Replace("RM#", "\t\t\t\t");
        name.Replace("#", "\t");
      }
      else if (name.Contains("USBSTOR")){
        name.Replace("#{", "\t\t\t");
        name.Replace("#", "\t");
      }

      Console.WriteLine(name + "\t" + e.Written().GetString(DateClass::SHOWTIME));

    }
  }

  void Main(CaseClass c) {
    SystemClass::ClearConsole();
    if (c) {
      forall (EntryClass entry in c.EntryRoot()){
        if ((entry.FullPath().Contains("system32\\config") && !entry.FullPath().Contains("regback"))){
          VolumeClass volume;
          if (entry.Name().Compare("SYSTEM") == 0){
            //Console.WriteLine(entry.FullPath());
            volume = entry.MountVolume(false);
            if (volume){
              EntryClass Select, DefaultCC, MountedDevices, USBSTOR, DeviceClass1, DeviceClass2;
              GetRoots(volume, Select, DefaultCC, MountedDevices, USBSTOR, DeviceClass1, DeviceClass2);
              if (Select && DefaultCC &&
MountedDevices && USBSTOR && DeviceClass1 && DeviceClass2){ 201 | Console.WriteLine ("--------------------------------------------------------------------------------------------------------------\nThe following information is from " + entry.FullPath() + ":"); 202 | GetUSBSTOR (USBSTOR); 203 | GetDevices1(DeviceClass1); 204 | GetDevices2(DeviceClass2); 205 | GetMountedDevices(MountedDevices); 206 | } 207 | } 208 | } 209 | } 210 | } 211 | } 212 | else 213 | SystemClass::Message(16, "Error","You must first have a case open!"); 214 | } 215 | } 216 | -------------------------------------------------------------------------------- /USB Device History v0.5 records.EnScript: -------------------------------------------------------------------------------- 1 | /* 2 | lance mueller 3 | digitdetective@gmail.com 4 | http://www.forensickb.com 5 | July 21, 2007 6 | 7 | records tab recording by james habben - james.habben@encase.com 8 | 9 | */ 10 | include "GSI_Basic" 11 | 12 | class MainClass { 13 | String device, 14 | type, 15 | vendor, 16 | product, 17 | friendlyname, 18 | prefixid, 19 | serial, 20 | Siginhex, 21 | USB, 22 | postfix; 23 | 24 | uint startprodname, 25 | stopprodname, 26 | starttypename, 27 | stoptypename, 28 | startvenname, 29 | stopvenname, 30 | signature, 31 | offset; 32 | 33 | DateClass lastwrittendate; 34 | 35 | NameListClass prefixids, 36 | USBserial; 37 | 38 | 39 | MainClass() : 40 | prefixids(), 41 | USBserial() 42 | { 43 | 44 | } 45 | 46 | void GetRoots(VolumeClass &volume, EntryClass &Select, EntryClass &DefaultCC, EntryClass &MountedDevices, EntryClass &USBSTOR, EntryClass &DeviceClass1, EntryClass &DeviceClass2){ 47 | EntryClass SystemBase = volume.FirstChild(); 48 | Select = SystemBase.Find("Select\\Current"); 49 | MountedDevices = SystemBase.Find("MountedDevices"); 50 | 51 | 52 | EntryFileClass selectfile(); 53 | if (selectfile.Open(Select)){ 54 | selectfile.SetCodePage(0); 55 | uint cc = selectfile.ReadBinaryInt(4, false); // read the default 
control set 56 | String defaultcc = String::FormatInt(cc, int::BaseTypes base=int::DECIMAL); 57 | DefaultCC = SystemBase.Find("ControlSet00" + defaultcc); 58 | USBSTOR = DefaultCC.Find("Enum\\USBSTOR"); 59 | DeviceClass1 = DefaultCC.Find("Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"); 60 | DeviceClass2 = DefaultCC.Find("Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"); 61 | } 62 | } 63 | 64 | void GetUSBSTOR(EntryClass &USBSTOR, RecordFolderClass &rf){ 65 | Console.WriteLine("USBSTOR:\nType\t Vendor\t Product\t Serial_Number\t Friendly_Name\t USB_Driver Last_Written_Date \t ParentIDPrefix"); 66 | RecordFolderClass f; 67 | f = new RecordFolderClass(rf, "USB STOR", USBSTOR.GetVolume()); 68 | foreach (EntryClass e in USBSTOR){ 69 | EntryClass tmp; 70 | device = e.Name(); 71 | 72 | starttypename = 0; 73 | stoptypename = device.Find("&"); 74 | type = device.SubString(starttypename, stoptypename); 75 | 76 | startvenname = device.Find("&Ven_"); 77 | stopvenname = device.Find("&", startvenname+1); 78 | vendor = device.SubString(startvenname+5, stopvenname-(startvenname+5)); 79 | 80 | startprodname = device.Find("Prod_"); 81 | stopprodname = device.Find("&", startprodname, -1,0); 82 | product = device.SubString(startprodname+5, stopprodname-(startprodname+5)); 83 | foreach (EntryClass e2 in e){ // Recurse into Serialnumber folder to get device details 84 | serial = e2.Name(); 85 | tmp = e2.Find("FriendlyName"); 86 | if (tmp){ 87 | EntryFileClass tempfile(); 88 | if (tempfile.Open(tmp)){ 89 | tempfile.SetCodePage(CodePageClass::UNICODE); 90 | tempfile.ReadString(friendlyname); 91 | tempfile.Close(); 92 | tmp = e2.Find("ParentIdPrefix"); 93 | if (tmp && tempfile.Open(tmp)){ 94 | tempfile.SetCodePage(CodePageClass::UNICODE); 95 | tempfile.ReadString(prefixid); 96 | tempfile.Close(); 97 | new NameListClass (prefixids, prefixid); 98 | new NameListClass (USBserial, serial); 99 | } 100 | else 101 | prefixid = "NONE"; 102 | Console.WriteLine(type 
+ "\t" + vendor + "\t" + product + "\t" + serial + "\t" + friendlyname + "\t" + e2.Written().GetString(DateClass::SHOWTIME) + "\t" + prefixid); 103 | EmailClass rec(f, friendlyname, 0, e, 0, 0); 104 | DataPropertyClass dp(); 105 | dp.NewDataPropertyType("Vendor", DataPropertyClass::STRING, vendor); 106 | dp.NewDataPropertyType("Product", DataPropertyClass::STRING, product); 107 | dp.NewDataPropertyType("Serial", DataPropertyClass::STRING, serial); 108 | dp.NewDataPropertyType("Friendly Name", DataPropertyClass::STRING, friendlyname); 109 | dp.NewDataPropertyType("Last Written", DataPropertyClass::DATE, e2.Written()); 110 | //new DataPropertyClass(dp, DataPropertyClass::PR_WRITTEN, e2.Written()); 111 | dp.NewDataPropertyType("Parent ID Prefix", DataPropertyClass::STRING, prefixid); 112 | rec.SetFields(dp); 113 | } 114 | } 115 | } 116 | } 117 | } 118 | 119 | void GetMountedDevices(EntryClass &MountedDevices, RecordFolderClass &rf){ 120 | Console.WriteLine("\nMounted_Devices:"); 121 | RecordFolderClass f; 122 | f = new RecordFolderClass(rf, "Mounted Devices", MountedDevices.GetVolume()); 123 | foreach (EntryClass e in MountedDevices){ 124 | postfix=""; 125 | if (e.Name().Contains("DosDevices")){ 126 | EntryFileClass tempfile(); 127 | if (tempfile.Open(e)){ 128 | tempfile.SetCodePage(0); 129 | if (e.LogicalSize() == 12){ 130 | signature = tempfile.ReadBinaryInt(4); 131 | Siginhex = String::FormatInt(signature, int::BaseTypes base=int::HEX); 132 | offset = tempfile.ReadBinaryInt(8); 133 | Console.WriteLine(e.Name() + "\t" + "DiskSignature: " + Siginhex + "\t" + "VolumeByteOffsetStart: " + offset); 134 | } 135 | else { 136 | tempfile.SetCodePage(CodePageClass::UNICODE); 137 | tempfile.ReadString(USB); 138 | 139 | foreach (NameListClass n in prefixids){ 140 | //Console.WriteLine(n.Name()); 141 | if (USB.Contains(n.Name())){ 142 | uint index = n.Index(); 143 | String serial = USBserial.GetChild(index).Name(); 144 | postfix = "USB Device Serial#: " + serial + " was last 
assigned to this drive letter"; 145 | } 146 | } 147 | Console.WriteLine(e.Name() + "\t" + USB + "\t" + postfix); 148 | } 149 | EmailClass rec(f, e.Name(), 0, e, 0, 0); 150 | DataPropertyClass dp(); 151 | dp.NewDataPropertyType("Disk Signature", DataPropertyClass::STRING, Siginhex); 152 | if (offset) 153 | dp.NewDataPropertyType("Volume Byte Offset Start", DataPropertyClass::INT, offset); 154 | dp.NewDataPropertyType("Device", DataPropertyClass::STRING, USB); 155 | dp.NewDataPropertyType("USB Device Serial", DataPropertyClass::STRING, serial); 156 | rec.SetFields(dp); 157 | Siginhex = ""; 158 | offset = 0; 159 | USB = ""; 160 | serial = ""; 161 | } 162 | } 163 | } 164 | } 165 | 166 | void GetDevices1 (EntryClass &DeviceClass1, RecordFolderClass &rf){ 167 | Console.WriteLine("\n\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:\nType\tVendor\tProduct\tRevision\tSerial_Number\tDriver\tLast_Written_Date"); 168 | RecordFolderClass f; 169 | f = new RecordFolderClass(rf, "Device Class 1", DeviceClass1.GetVolume()); 170 | foreach (EntryClass e in DeviceClass1){ 171 | if (e.Name().Contains("USBSTOR")){ 172 | String name = e.Name().SubString(21, e.Name().GetLength() - 21); 173 | name.Replace("&Prod_", "\t"); 174 | name.Replace("&Rev_", "\t"); 175 | name.Replace("#","\t"); 176 | Console.WriteLine("Disk\t" + name + "\t" + e.Written().GetString(DateClass::SHOWTIME)); 177 | EmailClass rec(f, StringHelperClass::SubStringFromDelimiter(name, "\t"), 0, e, 0, 0); 178 | DataPropertyClass dp(); 179 | dp.NewDataPropertyType("Type", DataPropertyClass::STRING, "Disk"); 180 | dp.NewDataPropertyType("Vendor", DataPropertyClass::STRING, StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 181 | dp.NewDataPropertyType("Product", DataPropertyClass::STRING, StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 182 | dp.NewDataPropertyType("Revision", DataPropertyClass::STRING, StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 183 | 
dp.NewDataPropertyType("Serial Number", DataPropertyClass::STRING, StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 184 | dp.NewDataPropertyType("Driver", DataPropertyClass::STRING, name); 185 | dp.NewDataPropertyType("Last Written", DataPropertyClass::DATE, e.Written()); 186 | //new DataPropertyClass(dp, DataPropertyClass::PR_WRITTEN, e.Written()); 187 | rec.SetFields(dp); 188 | 189 | } 190 | 191 | //Console.WriteLine(e.Name()); 192 | } 193 | } 194 | 195 | void GetDevices2 (EntryClass &DeviceClass2, RecordFolderClass &rf){ 196 | Console.WriteLine("\n\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:\nType1\tType2\tSerial_Number\tSignaure\tOffset\tLength\tDriver\tLast_Written_Date"); 197 | RecordFolderClass f; 198 | f = new RecordFolderClass(rf, "Device Class 2", DeviceClass2.GetVolume()); 199 | foreach (EntryClass e in DeviceClass2){ 200 | 201 | 202 | String name = e.Name().SubString(4, e.Name().GetLength() - 4); 203 | if (name.Contains("IDE")){ 204 | name.Replace("#{", "\t{"); 205 | name.Replace("#", "\t"); 206 | } 207 | else if (name.Contains("SCSI")){ 208 | name.Replace("#{", "\t{"); 209 | name.Replace("#", "\t"); 210 | } 211 | else if (name.Contains("FDC")){ 212 | name.Replace("#{", "\t{"); 213 | name.Replace("#", "\t"); 214 | } 215 | else if (name.Contains("STORAGE#VOLUME")){ 216 | name.Replace("OFFSET", "\t"); 217 | name.Replace("#", "\t"); 218 | name.Replace("SIGNATURE", "\t"); 219 | name.Replace("LENGTH","\t"); 220 | } 221 | else if (name.Contains("STORAGE#Removable")){ 222 | name.Replace("RM#", "\t"); 223 | name.Replace("#", "\t"); 224 | } 225 | else if (name.Contains("USBSTOR")){ 226 | name.Replace("#{", "\t\t\t"); 227 | name.Replace("#", "\t"); 228 | } 229 | 230 | Console.WriteLine(name + "\t" + e.Written().GetString(DateClass::SHOWTIME)); 231 | EmailClass rec(f, StringHelperClass::SubStringFromDelimiter(name, "\t"), 0, e, 0, 0); 232 | DataPropertyClass dp(); 233 | dp.NewDataPropertyType("Type1", DataPropertyClass::STRING, 
StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 234 | dp.NewDataPropertyType("Type2", DataPropertyClass::STRING, StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 235 | dp.NewDataPropertyType("Serial Number", DataPropertyClass::STRING, StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 236 | dp.NewDataPropertyType("Signature", DataPropertyClass::STRING, StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 237 | dp.NewDataPropertyType("Offset", DataPropertyClass::STRING, StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 238 | dp.NewDataPropertyType("Length", DataPropertyClass::STRING, StringHelperClass::SubStringFromDelimiter(name, "\t", true)); 239 | dp.NewDataPropertyType("Driver", DataPropertyClass::STRING, name); 240 | dp.NewDataPropertyType("Last Written", DataPropertyClass::DATE, e.Written()); 241 | //new DataPropertyClass(dp, DataPropertyClass::PR_WRITTEN, e.Written()); 242 | rec.SetFields(dp); 243 | 244 | } 245 | } 246 | 247 | void Main(CaseClass c) { 248 | SystemClass::ClearConsole(1); 249 | if (c) { 250 | forall (EntryClass entry in c.EntryRoot()){ 251 | if ((entry.FullPath().Contains("system32\\config") && !entry.FullPath().Contains("regback"))){ 252 | VolumeClass volume; 253 | if (entry.Name().Compare("SYSTEM") == 0){ 254 | //Console.WriteLine(entry.FullPath()); 255 | volume = entry.MountVolume(true); 256 | if (volume){ 257 | EntryClass Select, DefaultCC, MountedDevices, USBSTOR, DeviceClass1, DeviceClass2; 258 | GetRoots(volume, Select, DefaultCC, MountedDevices, USBSTOR, DeviceClass1, DeviceClass2); 259 | if (Select && DefaultCC && MountedDevices && USBSTOR && DeviceClass1 && DeviceClass2){ 260 | RecordFolderClass rootfolder; 261 | rootfolder = new RecordFolderClass(null, "USB Device History", entry.GetVolume()); 262 | EmailClass rec(rootfolder, entry.Name(), 0, entry, 0, 0); 263 | DataPropertyClass dp(); 264 | new DataPropertyClass(dp, DataPropertyClass::PR_FULL_PATH, entry.FullPath()); 265 | 
rec.SetFields(dp); 266 | Console.WriteLine ("--------------------------------------------------------------------------------------------------------------\n" + 267 | "The following information is from " + entry.FullPath() + ":"); 268 | GetUSBSTOR (USBSTOR, rootfolder); 269 | GetDevices1(DeviceClass1, rootfolder); 270 | GetDevices2(DeviceClass2, rootfolder); 271 | GetMountedDevices(MountedDevices, rootfolder); 272 | Console.WriteLine("\n\n================================================================================================================"); 273 | Console.WriteLine("Results are also displayed in the Records tab.\nSee the 'Additional Fields' column or to view in columns:\n" + 274 | " -Right Click\n -Show Columns\n -uncheck and check 'Local Fields'\n -click OK"); 275 | Console.WriteLine("================================================================================================================"); 276 | } 277 | } 278 | } 279 | } 280 | } 281 | } 282 | else 283 | SystemClass::Message(16, "Error","You must first have a case open!"); 284 | } 285 | } 286 | -------------------------------------------------------------------------------- /USB Device History.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/USB Device History.EnPack -------------------------------------------------------------------------------- /USB Information_Windows 7.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/USB Information_Windows 7.EnPack -------------------------------------------------------------------------------- /USB v0.4 Device History.EnPack: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/USB v0.4 Device History.EnPack
--------------------------------------------------------------------------------
/USB2 Device History.EnScript:
--------------------------------------------------------------------------------
/*
lance mueller
digitdetective@gmail.com
http://www.forensickb.com
July 21, 2007

*/

class MainClass {
  String device,
         type,
         vendor,
         product,
         friendlyname,
         prefixid,
         serial,
         Siginhex,
         USB,
         postfix;

  uint startprodname,
       stopprodname,
       starttypename,
       stoptypename,
       startvenname,
       stopvenname,
       signature;

  ulong offset; // the MountedDevices volume byte offset is 8 bytes; a 32-bit uint would truncate offsets beyond 4 GiB

  DateClass lastwrittendate;

  NameListClass prefixids,
                USBserial;


  MainClass() :
    prefixids(),
    USBserial()
  {

  }

  void GetRoots(VolumeClass &volume, EntryClass &Select, EntryClass &DefaultCC, EntryClass &MountedDevices, EntryClass &USBSTOR, EntryClass &DeviceClass1, EntryClass &DeviceClass2){
    EntryClass SystemBase = volume.FirstChild();
    Select = SystemBase.Find("Select\\Current");
    MountedDevices = SystemBase.Find("MountedDevices");

    EntryFileClass selectfile();
    if (selectfile.Open(Select)){
      selectfile.SetCodePage(0);
      uint cc = selectfile.ReadBinaryInt(4, false); // read the default control set
      // note: this assumes Current < 10; ControlSet010 and above would need three-digit zero padding
      String defaultcc = String::FormatInt(cc, int::BaseTypes base=int::DECIMAL);
      DefaultCC = SystemBase.Find("ControlSet00" + defaultcc);
      USBSTOR = DefaultCC.Find("Enum\\USBSTOR");
      DeviceClass1 = DefaultCC.Find("Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"); // disk interface class
      DeviceClass2 = DefaultCC.Find("Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"); // volume interface class
    }
  }

  void GetUSBSTOR(EntryClass &USBSTOR){
    Console.WriteLine("USBSTOR:\nType\t Vendor\t Product\t Serial_Number\t Friendly_Name\t USB_Driver Last_Written_Date \t ParentIDPrefix");
    foreach (EntryClass e in USBSTOR){
      EntryClass tmp;
      device = e.Name(); // e.g. "Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>"

      starttypename = 0;
      stoptypename = device.Find("&");
      type = device.SubString(starttypename, stoptypename);

      startvenname = device.Find("&Ven_");
      stopvenname = device.Find("&", startvenname+1);
      vendor = device.SubString(startvenname+5, stopvenname-(startvenname+5));

      startprodname = device.Find("Prod_");
      stopprodname = device.Find("&", startprodname, -1,0);
      product = device.SubString(startprodname+5, stopprodname-(startprodname+5));
      foreach (EntryClass e2 in e){ // recurse into the serial-number subkey to get device details
        serial = e2.Name();
        tmp = e2.Find("FriendlyName");
        if (tmp){
          EntryFileClass tempfile();
          if (tempfile.Open(tmp)){
            tempfile.SetCodePage(CodePageClass::UNICODE);
            tempfile.ReadString(friendlyname);
            tempfile.Close();
            tmp = e2.Find("ParentIdPrefix");
            if (tmp && tempfile.Open(tmp)){
              tempfile.SetCodePage(CodePageClass::UNICODE);
              tempfile.ReadString(prefixid);
              tempfile.Close();
              new NameListClass (prefixids, prefixid);
              new NameListClass (USBserial, serial);
            }
            else
              prefixid = "NONE";
            Console.WriteLine(type + "\t" + vendor + "\t" + product + "\t" + serial + "\t" + friendlyname + "\t" + e2.Written().GetString(DateClass::SHOWTIME) + "\t" + prefixid);
          }
        }
      }
    }
  }

  void GetMountedDevices(EntryClass &MountedDevices){
    Console.WriteLine("\n\n\nMounted_Devices:");
    foreach (EntryClass e in MountedDevices){
      postfix="";
      if (e.Name().Contains("DosDevices")){
        EntryFileClass tempfile();
        if (tempfile.Open(e)){
          tempfile.SetCodePage(0);
          if (e.LogicalSize() == 12){ // fixed (MBR) volume: 4-byte disk signature followed by 8-byte volume byte offset
            signature = tempfile.ReadBinaryInt(4);
            Siginhex = String::FormatInt(signature, int::BaseTypes base=int::HEX);
            offset = tempfile.ReadBinaryInt(8);
            Console.WriteLine(e.Name() + "\t" + "DiskSignature: " + Siginhex + "\t" + "VolumeByteOffsetStart: " + offset);
          }
          else { // otherwise a Unicode device path, e.g. \??\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{...}
            tempfile.SetCodePage(CodePageClass::UNICODE);
            tempfile.ReadString(USB);

            foreach (NameListClass n in prefixids){
              //Console.WriteLine(n.Name());
              if (USB.Contains(n.Name())){
                uint index = n.Index();
                String serial = USBserial.GetChild(index).Name();
                postfix = "USB Device Serial#: " + serial + " was last assigned to this drive letter";
              }
            }
            Console.WriteLine(e.Name() + "\t" + USB + "\t" + postfix);
          }
        }
      }
    }
  }

  void GetDevices1 (EntryClass &DeviceClass1){
    Console.WriteLine("\n\n\n\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:\nType\tVendor\tProduct\tRevision\tSerial_Number\tDriver\tLast_Written_Date");
    foreach (EntryClass e in DeviceClass1){
      if (e.Name().Contains("USBSTOR")){
        String name = e.Name().SubString(21, e.Name().GetLength() - 21); // skip the "##?#USBSTOR#Disk&Ven_" prefix
        name.Replace("&Prod_", "\t");
        name.Replace("&Rev_", "\t");
        name.Replace("#","\t");
        Console.WriteLine("Disk\t" + name + "\t" + e.Written().GetString(DateClass::SHOWTIME));
      }

      //Console.WriteLine(e.Name());
    }
  }

  void GetDevices2 (EntryClass &DeviceClass2){
    Console.WriteLine("\n\n\n\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:\nType1\tType2\tSerial_Number\tSignature\tOffset\tLength\tDriver\tLast_Written_Date");
    foreach (EntryClass e in DeviceClass2){

      String name = e.Name().SubString(4, e.Name().GetLength() - 4); // skip the "##?#" prefix
      if (name.Contains("IDE")){
        name.Replace("#{", "\t\t\t\t");
        name.Replace("#", "\t");
      }
      else if (name.Contains("SCSI")){
        name.Replace("#{", "\t\t\t\t");
        name.Replace("#", "\t");
      }
      else if (name.Contains("STORAGE#VOLUME")){
        name.Replace("OFFSET", "\t");
        name.Replace("#", "\t");
        name.Replace("SIGNATURE", "\t");
        name.Replace("LENGTH","\t");
      }
      else if (name.Contains("STORAGE#Removable")){
        name.Replace("RM#", "\t\t\t\t");
        name.Replace("#", "\t");
      }
      else if (name.Contains("USBSTOR")){
        name.Replace("#{", "\t\t\t");
        name.Replace("#", "\t");
      }

      Console.WriteLine(name + "\t" + e.Written().GetString(DateClass::SHOWTIME));
    }
  }

  void Main(CaseClass c) {
    SystemClass::ClearConsole();
    forall (EntryClass entry in c.EntryRoot()){
      if ((entry.FullPath().Contains("system32\\config") && !entry.FullPath().Contains("regback"))){
        VolumeClass volume;
        if (entry.Name().Compare("SYSTEM") == 0){
          //Console.WriteLine(entry.FullPath());
          volume = entry.MountVolume(false);
          if (volume){
            EntryClass Select, DefaultCC, MountedDevices, USBSTOR, DeviceClass1, DeviceClass2;
            GetRoots(volume, Select, DefaultCC, MountedDevices, USBSTOR, DeviceClass1, DeviceClass2);
            if (Select && DefaultCC && MountedDevices && USBSTOR && DeviceClass1 && DeviceClass2){
              GetUSBSTOR (USBSTOR);
              GetDevices1(DeviceClass1);
              GetDevices2(DeviceClass2);
              GetMountedDevices(MountedDevices);
            }
          }
        }
      }
    }
  }
}
--------------------------------------------------------------------------------
/Unique domains from Records-Internet History.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Unique domains from Records-Internet History.EnPack
--------------------------------------------------------------------------------
/User Groups from SAM_v6.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/User Groups from SAM_v6.EnPack
--------------------------------------------------------------------------------
/User Profile Summary by File Extension in EXCEL.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/User Profile Summary by File Extension in EXCEL.EnPack
--------------------------------------------------------------------------------
/Verify LEF Collection (v2.1).EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Verify LEF Collection (v2.1).EnPack
--------------------------------------------------------------------------------
/VirusTotal Bookmark_v6.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/VirusTotal Bookmark_v6.EnPack
--------------------------------------------------------------------------------
/Vista Firewall Settings.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Vista Firewall Settings.EnPack
--------------------------------------------------------------------------------
/Vista VSS Info (draft).EnScript:
--------------------------------------------------------------------------------
/*

Preview/load a Windows Vista system in EnCase6. Select all the files in the "System Volume Information" folder
that have a hexadecimal name (GUID).

This EnScript searches each selected file for a HEX keyword (\x01\x10\x08\x00\xCC\xCC\xCC\xCC)
that appears to be present in every 'record'. It then exports each valid record and bookmarks them for review.

Exported files can then be zipped, rar'd or otherwise archived and sent to me at the email address below,
after you review them for sensitive information.

lance (at) forensickb.com

*/



class MainClass {
  SearchClass Search;
  BookmarkFolderClass Folder; // create a folder variable to later put bookmarks into

  MainClass() // constructor
  {
    Search = new SearchClass(); // create a new search object
  }

  void Recurse (EntryClass entry, CaseClass &c){
    EntryFileClass file(); // create a file I/O object
    forall(EntryClass e in entry) { // recurse each entry in EnCase
      if(e.IsSelected()) { // only process files that are selected
        // the open options are bit flags, so they must be combined with bitwise | (the draft used logical ||, which collapses them to a single true/false value)
        if(file.Open(e, EntryFileClass::SLACK | EntryFileClass::NOUNERASE)){ // open the file (including slack) and prepare to search it
          if (Search.Create()){ // create search object with keywords
            SystemClass::StatusRange("Searching " + e.Name(), e.PhysicalSize()); // update status display
            if(Search.Find(file, -1, -1, SearchClass::STATUSUPDATE) > 0) { // search file
              SystemClass::StatusRange(Search.GetHits().Count() + " Hits Found, Processing Hits!", Search.GetHits().Count()); // update status display
              forall(SearchClass::HitClass h in Search.GetHits()) { // process each search hit found
                SystemClass::StatusInc(1); // increment the status display
                bool valid = ValidateHit(h, file); // validate the hit
                if (valid) { // only process those hits that appear to be valid based on the sanity check of the validate function below
                  Bookmark(h, file, e); // call bookmark function to bookmark the hit
                  Export(h, file, c, e); // call export function to export the hit
                  Console.WriteLine(h.Offset() + " " + e.Name()); // write info to the console
                }
              }
            }
            else {
              Console.WriteLine(e.Name() + " did not contain any search hits!"); // write to the console if there were no hits in this file
            }
          }
        }
      }
    }
  }


  bool ValidateHit (SearchClass::HitClass &h, EntryFileClass &file){
    /*
    This function validates the search hit by checking how big the record is (length) and whether there is a FILETIME value
    40 bytes after the beginning of the search hit.
    */
    DateClass date; // create a date variable to hold the FILETIME value we are going to try and read
    file.Seek(h.Offset() + 8); // move to where the search hit is + 8 (skip over the search hit)
    uint length = file.ReadBinaryInt(8); // read the length field to see how big this record is (Export and Bookmark below read this field as 4 bytes; the draft does not settle the field width)
    file.Skip(24); // skip to where the FILETIME field normally is in the record
    file.ReadWinDate(date); // read 8 bytes and store them as a WIN32 FILETIME value
    if (date.IsValid() && length < 3000) // check to see if the value we stored is a valid date and, just to make sure, check that the record length is smaller than 3000 bytes
      return true; // return true if the above check is true
    else
      return false; // return false and skip this hit
  }

  void Export (SearchClass::HitClass &h, EntryFileClass &file, CaseClass &c, EntryClass &e){
    /*
    This function exports the search hit out to your default export folder with a .export extension
    */
    LocalFileClass local(); // create a localfile variable
    file.Seek(h.Offset() + 8 ); // seek to the search hit + 8 (skip over the search hit)
    uint length = file.ReadBinaryInt(4); // read the length field to see how big this record is
    file.Seek(h.Offset()); //seek to where the search hit begins
    if (length > 5000) // sanity check to see if the record is larger than 5000 bytes (never seen one this big)
      length = 5000; // if it is larger than 5000, cap the length at 5000 so we don't end up exporting the entire drive if this is an invalid record
    if (local.Open(c.ExportFolder() + "\\" + e.Name() + " - " + h.Offset() + ".export", FileClass::WRITE)){ //create a local file named after the file where the search hit was found and the offset
      local.WriteBuffer(file, length + 16); //copy the record from the "file" variable to the "local" variable ( to a local file)
    }
  }


  void Bookmark (SearchClass::HitClass &h, EntryFileClass &file, EntryClass &e){
    /*
    This function bookmarks the search hit and complete record for later review
    */
    file.Seek(h.Offset() + 8 ); // seek to the search hit + 8 (skip over the search hit)
    uint length = file.ReadBinaryInt(4); // read the length field to see how big this record is
    if (length > 5000) // sanity check to see if the record is larger than 5000 bytes (never seen one this big)
      length = 5000; // if it is larger than 5000, cap the length at 5000 so we don't end up bookmarking the entire drive if this is an invalid record
    Folder.AddBookmark(e, h.Offset(), length + 16, "Restore Information", 0, BookmarkClass::HIGHASCII); // make the bookmark
  }

  void Main(CaseClass c) {
    SystemClass::ClearConsole(); // clear the console
    Search.AddKeyword("\\x01\\x10\\x08\\x00\\xCC\\xCC\\xCC\\xCC", KeywordClass::GREP); //add the keyword to locate the shadow record
    Folder = new BookmarkFolderClass(c.BookmarkRoot(), "System Restore Information"); // create a new bookmark folder to put bookmarks into
    Recurse(c.EntryRoot(), c); // call the recurse function and begin to recurse the files to see which ones we should search
  }
}
--------------------------------------------------------------------------------
/Wireless SSID.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Wireless SSID.EnPack -------------------------------------------------------------------------------- /Wireless SSID.EnScript: -------------------------------------------------------------------------------- 1 | /* 2 | lance.mueller@gmail.com 3 | www.forensickb.com 4 | August 10, 2007 5 | 6 | */ 7 | 8 | class MainClass { 9 | void Main(CaseClass c) { 10 | SystemClass::ClearConsole(); 11 | forall (EntryClass entry in c.EntryRoot()){ 12 | if (entry.Name().Contains("software") && entry.FullPath().Contains("system32\\config")){ 13 | VolumeClass vol = entry.MountVolume(false); 14 | if (vol){ 15 | VolumeClass newvol = vol.FirstChild(); 16 | VolumeClass wzcsvc = newvol.Find("Microsoft\\WZCSVC\\Parameters\\Interfaces"); 17 | if (wzcsvc){ 18 | Console.WriteLine("SSID\t\t\tDATE\n--------------------"); 19 | forall (VolumeClass e in wzcsvc){ 20 | //Console.WriteLine(e.Name()); 21 | if (e.Name().Contains("Static")){ 22 | EntryFileClass file(); 23 | if (file.Open(e)){ 24 | file.SetCodePage(0); 25 | file.Seek(20); 26 | String name; 27 | DateClass date; 28 | 29 | file.ReadString(name,16,""); 30 | file.Seek(696); 31 | file.ReadWinDate(date); 32 | Console.WriteLine(name + "\t" + date.GetString(false)); 33 | } 34 | } 35 | } 36 | } 37 | } 38 | } 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /XOR a file or selection.EnPack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/XOR a file or selection.EnPack -------------------------------------------------------------------------------- /XOR all 255 possibilities of Selected file to Export folder.EnPack: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/XOR all 255 possibilities of Selected file to Export folder.EnPack
--------------------------------------------------------------------------------
/Yahoo Decoder in unallocated.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/Yahoo Decoder in unallocated.EnPack
--------------------------------------------------------------------------------
/Yahoo Search for XOR strings.EnScript:
--------------------------------------------------------------------------------
/*
Search for Yahoo XOR String

This EnScript searches *ONLY* those files which are blue checked.
This EnScript takes a list of keywords, XORs each one with the supplied XOR key, enters the result as a
GREP keyword and then searches the blue checked files for it.

02/17/05 - EnCase v4.20

bruce.pixley@guidancesoftware.com
lance.mueller@guidancesoftware.com

*/



class MyDialog: DialogClass {
  String Keywords, Key, Path;
  bool Check;

  StringEditClass _Edit, _Edit1, _Edit2;
  CheckBoxClass _Check;
  StaticTextClass _Static;

  MyDialog():
    DialogClass(null, "Yahoo Chat XOR Keyword Search"),
    _Check(this, "Append extended header to search term?", 10, 280, 10, 10, 0, Check),
    _Static(this, " (may increase search time)", 45, 290, 50, 10, 0),
    _Edit(this, "Bookmark folder name:", 10, 10, 185, DEFAULT, 0, Path, 100, WindowClass::REQUIRED),
    _Edit1(this, "Enter the XOR key:", 10, 250, 185, DEFAULT, 0, Key, 20, WindowClass::REQUIRED),
    _Edit2(this, "Please enter any keywords you would like\nto search for: (one keyword per line)\n", 10, 40, 185, 180, 0, Keywords, 1000, WindowClass::REQUIRED)

  {
    //Constructor
    Path = "Yahoo XOR Chat keywords";
  }

  virtual void CheckControls() {
  }

  virtual void ChildEvent(const EventClass &event) {
  }

  virtual bool CanClose() {
    return true;
  }
}


class MainClass {
  SearchClass search;
  BookmarkFolderClass Folder;
  MyDialog dialogbox;
  uint counter;
  NameListClass list;
  void Main(CaseClass case) {
    String keyword;
    long totalsize, searchedsize;
    User.ClearConsole();
    if (dialogbox.Execute() == UserClass::OK) {
      list.Parse(dialogbox.Keywords, "\n" ,0); // one keyword per line
      for (uint x = 0; x < list.Count(); x++)
        Console.WriteLine(list.GetChild(x).Name());

      if (list.Count() > 0){
        forall(EntryClass entry in case){
          if (entry.IsSelected()){
            totalsize += entry.LogicalSize(); // sum the selected files so the status bar covers the whole search
          }
        }
        User.StatusRange("Searching.......", totalsize);


        Folder = User.AddBookmarkFolder(dialogbox.Path, "");
        forall(NameListClass keylist in list){
          // Console.WriteLine(keylist.Name());
          Xor(keylist.Name(), dialogbox.Key); // XOR the keyword with the key and add the result to the search
          keyword = keylist.Name();
        }
        forall (EntryClass entry in case){
          if (entry.IsSelected()){
            FileClass file;
            if (file.Open(entry, true)){
              do {
                uint length = 0;
                int result = file.Find(search, -1, length); // result is the index of the matching keyword, or -1
                searchedsize += file.GetPos();
                User.StatusInc(searchedsize);
                if (result >= 0)
                  Folder.AddBookmark(entry, file.GetPos(), length, "Keyword: " + list.GetChild(result).Name(), BookmarkClass::SHOWREPORT, BookmarkClass::LOWASCII);
                file.Skip(length);
              } while (result >=0);
            }
          }
        }
      }
      else
        User.Message(UserClass::ICONSTOP, "Error!", "You must enter at least one keyword for search!");
    }
  }

  // Return the bytes at the current position of "file" as uppercase hex digits
  String GetHex(FileClass &file, int size) {
    String result;
    file.Skip(size-1);
    for (int i = 0; i < size ; i++) {
      int a = file.ReadInt(1);
      file.Skip(-2);
      for (int d = 1; d >= 0; d--) {
        char b = (a >> (d * 4)) & 15; // high nibble first, then low nibble
        b += b < 10 ? 48 : 55;        // 0-9 -> '0'-'9', 10-15 -> 'A'-'F'
        result += b;
      }
    }
    file.Skip(size+1);
    return result;
  }

  // XOR "keyword" with "key" (cycling the key) and add the result to the search as a GREP term
  void Xor (String keyword, String key){
    FileClass plainkeyword, keyfile, cipheredkeyword;
    BufferClass buffer,
                hexConversion;
    String ciphered;

    long keylen, onekey, oneplain, onecipher, cipher, out;
    keylen = key.GetLength();
    keyfile.OpenString(key);
    plainkeyword.OpenString(keyword);
    buffer.Create(1000);
    hexConversion.Create(10);
    for (uint x=0; x < keyword.GetLength(); x++){
      onekey = keyfile.Get();
      oneplain = plainkeyword.Get();
      cipher = onekey ^ oneplain;
      hexConversion.Seek(0);
      hexConversion.WriteInt(1, false, cipher);
      hexConversion.Seek(0);
      buffer.Write("\\x" + GetHex(hexConversion, 1)); // emit the ciphered byte as a GREP \xNN escape
      //Console.WriteLine(onekey + "\t\t\t\t" + oneplain + "\t\t\t\t" + cipher + "\t\t\t\t" + keyfile.GetPos());
      if (keyfile.Peek() == FileClass::EOF) // wrap the key when it runs out
        keyfile.Seek(0);
    }
    String searchterm;
    buffer.Seek(0);
    buffer.ReadUnicode(searchterm, buffer.GetSize(), 0);
    if (dialogbox.Check)
      searchterm = "[\\x00-\\xff]{4,4}[\\x00\\x06\\x20]{4,4}[\\x00\\x01\\x20]{4,4}[\\x00-\\xff]{4,4}" + searchterm;
    Console.WriteLine("search term is: " + searchterm);
    search.Add(searchterm,FileClass::GREP);
  }
}
--------------------------------------------------------------------------------
/bookmark_files_based_on_name.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/bookmark_files_based_on_name.EnPack
--------------------------------------------------------------------------------
/encase_v7/compiled/EnCase_Enterprise_Find_Files_by_Hash_EnCase_v7_v1.0.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/encase_v7/compiled/EnCase_Enterprise_Find_Files_by_Hash_EnCase_v7_v1.0.EnPack
--------------------------------------------------------------------------------
/encase_v7/compiled/Export based on condition - maintain original path.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/encase_v7/compiled/Export based on condition - maintain original path.EnPack
--------------------------------------------------------------------------------
/encase_v7/compiled/Export by Extension_v7.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/encase_v7/compiled/Export by Extension_v7.EnPack
--------------------------------------------------------------------------------
/encase_v7/compiled/Parse WIFI Profiles.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/encase_v7/compiled/Parse WIFI Profiles.EnPack
--------------------------------------------------------------------------------
/evidence/README.md:
--------------------------------------------------------------------------------
The Dropbox link below contains the evidence files related to these forensic practicals:

http://www.forensickb.com/2008/01/forensic-practical.html

http://www.forensickb.com/2008/01/forensic-practical-2.html

http://www.forensickb.com/2010/01/forensic-practical-exercise-3.html

http://www.forensickb.com/2010/06/forensic-practical-exercise-4.html


https://www.dropbox.com/sh/q0w7fy25qyltalh/AAD_VbL27cpa2bKuCtKaCuhaa?dl=0
--------------------------------------------------------------------------------
/supporting_files/.gitkeep:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/supporting_files/VT_Bookmark.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/supporting_files/VT_Bookmark.zip
--------------------------------------------------------------------------------
/v5 Norton Quarantined Files.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/v5 Norton Quarantined Files.EnPack
--------------------------------------------------------------------------------
/v5ObfuscatedRegistry-RecentApplications-ROT13.EnPack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lancemueller/EnCase-EnScripts/e444ba3e6801120fe0273c5849ad13df11765a2b/v5ObfuscatedRegistry-RecentApplications-ROT13.EnPack
--------------------------------------------------------------------------------
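The keyword transform that "Yahoo Search for XOR strings.EnScript" performs in Xor() and GetHex() above, re-implemented in Python as an added example (not code from this repository): the key is cycled over the keyword, every ciphered byte becomes an uppercase GREP `\xNN` escape, the same extended-header prefix is optionally prepended, and the term is then run over a buffer to yield the (offset, length) pairs that the EnScript bookmarks. The key "abc", the keyword and the sample log bytes are all constructed for the example; nothing here reflects a real Yahoo archive.

```python
import re

# GREP prefix the EnScript prepends when "Append extended header" is checked
HEADER_PATTERN = rb"[\x00-\xff]{4,4}[\x00\x06\x20]{4,4}[\x00\x01\x20]{4,4}[\x00-\xff]{4,4}"


def xor_keyword(keyword: bytes, key: bytes) -> bytes:
    """XOR each keyword byte with the next key byte, wrapping the key when it
    runs out (the EnScript does this with keyfile.Seek(0) at EOF)."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(keyword))


def build_grep_term(keyword: str, key: str, with_header: bool = False) -> bytes:
    """Turn a plaintext keyword into the GREP term the EnScript adds to its
    SearchClass: one uppercase \\xNN escape per ciphered byte (GetHex() style)."""
    ciphered = xor_keyword(keyword.encode("latin-1"), key.encode("latin-1"))
    term = b"".join(b"\\x%02X" % c for c in ciphered)
    return HEADER_PATTERN + term if with_header else term


def find_hits(data: bytes, term: bytes) -> list:
    """Run a GREP-style term over a buffer and return (offset, length) per hit,
    the two values the EnScript hands to Folder.AddBookmark()."""
    return [(m.start(), m.end() - m.start()) for m in re.finditer(term, data)]


# Constructed sample: 5 filler bytes, a 16-byte header that satisfies
# HEADER_PATTERN, then "hello world" XOR'd with the constructed key "abc".
SAMPLE_KEY = "abc"
SAMPLE_HEADER = b"\x10\x20\x30\x40" + b"\x00\x06\x20\x00" + b"\x00\x01\x20\x01" + b"\xaa\xbb\xcc\xdd"
SAMPLE_LOG = b"\x00" * 5 + SAMPLE_HEADER + xor_keyword(b"hello world", SAMPLE_KEY.encode()) + b"\xff" * 4


if __name__ == "__main__":
    for with_header in (False, True):
        term = build_grep_term("hello", SAMPLE_KEY, with_header)
        print("search term is:", term.decode())
        print("hits (offset, length):", find_hits(SAMPLE_LOG, term))
    # a plaintext search misses the obfuscated keyword entirely
    print("plaintext hits:", find_hits(SAMPLE_LOG, b"hello"))
```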