EnScript to create EnCase v7 hash set from text file
It has been nearly seven years since I posted an EnScript to import hash values from a text file and create an EnCase v6 hash set. That EnScript still remains popular to this day. The EnScript linked...
EnCase EnScript to parse out the VS_VERSION_INFO resource in executables
I wrote this EnScript a while ago in order to quickly parse out the string resources inside an executable to assist in determining if it was suspicious. Most executables contain a resource known as...
Understanding a Hyper-V server when doing Forensics
Hyper-V is Microsoft's virtualization server software. It is very similar to VMware in that it provides a host allowing you to run several 'guest' machines on a single piece of hardware. When doing...
EnCase v7 EnScript to parse USNJRNL
It's hard to believe it's been almost six years since I wrote the original EnCase v6 EnScript to parse the $USNJRNL file for Windows XP (when enabled), just as Vista was hitting the scene. Here is the...
EnCase EnScript to search for and parse prefetch files in unallocated
Carlos Cajigas and I were recently having dinner and talking over some EnScript ideas. He recommended an EnScript to search for prefetch data in unallocated and then if found, to parse it for some...
EnCase EnScript to parse wireless network information for Vista, 7 & 8
This EnScript is an update to one I did several years ago for extracting wireless network information on Windows XP systems. This EnScript supports Windows Vista, Windows 7 & 8. When run, it will...
*Updated* - EnCase EnScript to parse wireless network information for Vista,...
I updated the original v6 & v7 EnScripts to now include the date the access point was first connected and the date it was last connected to: Download EnCase v6 here. Download EnCase v7 here.
EnCase EnScript to parse & display recent RDP sessions from user's NTUSER.DAT
This EnScript was designed as a "quick hit" to parse and show the MRU values for the Terminal server client for each user. The EnScript checks the Software\Microsoft\Terminal Server Client\Default for...
EnCase EnScript to parse each NTUSER.DAT for RecentDocs
This EnScript is another "quick hit" to parse out all the recently accessed files recorded in the user's NTUSER.DAT. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs When...
EnCase EnScript to show file summary of user's profile by extension
This is another "quick hit" EnScript to generate a quick report on the types of files under a user's profile based on file extensions. The EnScript will automatically create an Excel spreadsheet, with...
EnCase v7 EnScript to quickly provide MD5/SHA1 hash values and entropy of...
I recently had the need to quickly triage and hash several specific files within a case, but I did not want to (or possibly could not) run the "process evidence" option to generate hash values for...
EnCase v7 EnScript to find files based on MD5 hash values
I had written a version of this years ago for EnCase v6 and I was recently asked to update it for EnCase v7. One EnScript listed below will generate a text file of SELECTED files. That text file can...
EnCase v7 EnScript to report on file types by extension
Several years ago I wrote a quick EnScript to produce a quick report of how many files with each extension were found in the case. That EnScript was originally written for EnCase v6 and not compiled so...
EnCase v7 EnScript to carve RecentFileCache.bcf data from selected file(s)
The following EnScript can be used to quickly search for and parse RecentFileCache data from memory images, unallocated space or the allocated RecentFileCache.bcf file. To use, simply blue check...
EnCase v7 EnScript to Parse PST Email Metadata to Excel
A friend recently asked me for an easy way to export some of the common metadata from a PST file within EnCase. You can easily export data from the records view and even include columns that are not...
EnCase v7 EnScript to create LEF based on condition
A reader recently asked if I could create an EnScript that would create a LEF based on a condition. Unfortunately, the reader wanted to use it with the free EnCase Imager program, which does not...
CEIC 2015 - EnScripting for EnVestigators
Below is a link to the slides from my presentation at CEIC 2015, as well as some example EnScripts. PPT slides. Example EnScripts.
EnCase v7 EnScript to check files to VirusTotal - Updated
In October 2013, I wrote an EnScript that checked files that are tagged with the "VirusTotal" tag to VirusTotal. That original EnScript simply calculated the hash value of the tagged files and then...
EnCase EnScript to find files on remote systems by MD5 hash - GO FETCH!
I have had a few recent requests for an EnCase Enterprise EnScript to help find files on remote systems. The following EnScript accepts a plain text file (ASCII or Unicode) that contains MD5 hash...
EnCase v7 EnScript to export files by extension
This is an updated version of an EnScript I wrote in 2009 to export files in a case based on file extensions. The original description & EnScript is here. This version was rewritten for EnCase v7...
EnCase v7 EnScript to export files based on condition and maintain original...
A reader asked if it was possible to automate the export of files based on extension and then also maintain the original file path once they are exported. This is certainly possible, but there are some...
EnCase v7 EnScript to parse WiFi/Network Profiles
This is an updated EnCase v7 EnScript to parse the WiFi profiles that may exist on Windows 7/8/10 systems in the following locations: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows...
EnScripts Currently Offline - being moved
All the EnScripts are currently unavailable while I move them to a different storage location. Many of the old links will be broken; please just email me and I will provide an updated link and/or email...
EnCase v8 EnScript - Check executables to VirusTotal
I have updated the EnScript to send hash values for all executable/DLLs to VirusTotal for analysis. This version works in EnCase v8 and the source code is included for customization. You must provide...
EnCase v8 EnScript - Check hash values for tagged files to VirusTotal
This is an update to the original (v6 & v7) EnScript to check the hash value(s) of tagged files to VirusTotal. Tag any file(s) you want to check with "Check VT": Run the EnScript and provide either a...