My Road to Digital Forensics Excellence

Archive for the ‘EnCase’ Category

Enscript – Bookmarking files

Posted by Paul Bobby on July 23, 2010

I’ve uploaded a new enscript to my blog (see the My Files section). This script allows you to bookmark any number of files based on an input text file. This text file contains one filename per line.

Lance Mueller has a similar enscript here, but it didn’t work for me and was Enpacked, so I wrote my own, which is not always a bad thing to do anyway 🙂


Posted in EnCase | Tagged: | Leave a Comment »

Blackberry IPD Files

Posted by Paul Bobby on May 6, 2010

I have added a new enscript to the “My Files” page that can partially parse a Blackberry IPD file. The great tool, ABC Amber Blackberry Converter, does a fantastic job and, for the price, can’t be beat. But I found the format of the IPD file on the website, so why not give it a go in Enscript?

It’s an interesting structure in that the entire file must be processed before any data can be retrieved. Each component of the IPD file is called a database. For example, SMS text messages are stored in the “SMS Messages” database, but there is no pointer to the start of that data, so the initial list of databases must be parsed, followed by each individual database in turn, until you reach the start of the SMS Messages. Blackberry indicates that it is okay with this inefficient processing during both creation and reading of the file, since the format is designed as a backup method only and not a real-time data store.

The enscript, in its current form, will only parse the contents of the SMS Messages database. There are some unknowns which I have yet to figure out, namely:

1. How do I get the timestamp information for the SMS Message?
2. What are all the Field Types?

I believe the timestamp is encoded somehow in one of the Fields of the database.
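To make that sequential walk concrete, here is an added Python sketch (not the enscript and not EnCase code) that parses a constructed IPD sample: the database name table first, then every record in file order, keeping only those that belong to “SMS Messages”. The field offsets follow the public IPD description as I understand it and are assumptions to verify against the spec; the sample bytes are constructed, not from a real backup.

```python
import struct
IPD_MAGIC = b"Inter@ctive Pager Backup/Restore File\n"   # header string, assumed

def parse_ipd(data):
    """Walk an IPD image front to back; returns (db_names, records).
    Assumed layout: header, version byte, 2-byte big-endian db count, separator byte,
    then per database a 2-byte LE name length + NUL-terminated name. Records follow
    back to back: 2-byte LE db index, 4-byte LE length of the rest, 1-byte db version,
    2-byte handle, 4-byte unique id, then fields of (2-byte LE length, 1-byte type, data)."""
    if not data.startswith(IPD_MAGIC):
        raise ValueError("not an IPD file")
    pos = len(IPD_MAGIC) + 1                          # skip header and version byte
    (db_count,) = struct.unpack_from(">H", data, pos)
    pos += 3                                          # count plus separator byte
    names = []
    for _ in range(db_count):
        (nlen,) = struct.unpack_from("<H", data, pos)
        names.append(data[pos + 2:pos + 2 + nlen].rstrip(b"\x00").decode("latin-1"))
        pos += 2 + nlen
    records = []                                      # (db_name, [(field_type, bytes), ...])
    while pos + 6 <= len(data):                       # no index: every record is walked
        db_id, rec_len = struct.unpack_from("<HI", data, pos)
        pos += 6
        end = pos + rec_len
        if end > len(data) or db_id >= db_count:
            raise ValueError("truncated or corrupt record at offset %d" % (pos - 6))
        fpos, fields = pos + 7, []                    # skip db version, handle, unique id
        while fpos + 3 <= end:
            (flen,) = struct.unpack_from("<H", data, fpos)
            fields.append((data[fpos + 2], data[fpos + 3:fpos + 3 + flen]))
            fpos += 3 + flen
        records.append((names[db_id], fields))
        pos = end
    return names, records

def sms_records(data):
    """Field lists of every record in the 'SMS Messages' database."""
    return [f for name, f in parse_ipd(data)[1] if name == "SMS Messages"]

# Constructed two-database sample (not a real backup), built with the layout above.
def _db_name(name):
    raw = name.encode() + b"\x00"
    return struct.pack("<H", len(raw)) + raw
def _record(db_id, uid, fields):
    body = struct.pack("<BHI", 0, 1, uid) + b"".join(
        struct.pack("<H", len(v)) + bytes([t]) + v for t, v in fields)
    return struct.pack("<HI", db_id, len(body)) + body
SAMPLE_IPD = (IPD_MAGIC + b"\x02" + struct.pack(">H", 2) + b"\x00" + _db_name("Address Book")
              + _db_name("SMS Messages") + _record(0, 1, [(1, b"Alice")])
              + _record(1, 2, [(4, b"+15550100"), (2, b"hello")]))
```

The Address Book record is parsed and discarded before the first SMS record is ever reached, which is exactly the cost the post describes.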



Posted by Paul Bobby on March 22, 2010

I have completed my Enscript for identifying and bookmarking data sources that can be parsed with Log2Timeline. The Enscript can be downloaded here.

Some limitations:

  1. No EXIF file gathering. Exiftool can process a large number of files, and even when limiting the collection to JPG, the enscript method of identifying and verifying the presence of EXIF data is time consuming. The recommendation is to run the EXIF Parser under Case Processor and use the bookmarks it generates to supplement your data collection.
  2. IIS W3C log files are not searched for.
  3. Opera history files are not searched for.
  4. ISA text export files are not searched for.
  5. PCAP files are not searched for.
  6. The XP Firewall log is not searched for.

The script, as always, is provided as a plain enscript rather than an Enpack, so feel free to modify it if you need to add the above formats.

Once the potential data sources are identified and bookmarked, the analyst should manually review each item prior to export. Selecting the bookmarks and using Tag Selected Items will ensure the files are tagged under the Entries view. From there you can Copy/Unerase, Copy Folders, or even create a Logical Evidence File. The easiest method is to use Copy/Unerase and then point Timescanner at that folder.


Enscript treat – dynamic signature checking

Posted by Paul Bobby on March 19, 2010

For a while, Enscript writers did not have access to signature checking from within the Enscript framework: you had to kick off a signature analysis first, then run your script against the predetermined signature results. This restriction was lifted in version 6, and when writing my Log2timeline enscript I discovered that the example code for this type of dynamic signature check was incorrect.

Here is the correct code. If you would like to test it, add some evidence to your case, manually select several ZIP files and several non-ZIP files, then run the script. The Console will show which ones have a valid ZIP signature based on the magic bytes and the file extension. This sample code will be used within my Log2timeline enscript as a means of verifying input data prior to bookmarking.

    class MainClass {
      void Main(CaseClass c) {
        SearchClass search();
        SearchClass::SigClass sig();                  // receives the result of each signature check
        uint sigOptions = SearchClass::CHECKSIG;
        String fileSigStr;

        // A one-entry signature tree and a one-entry file-type tree; search.Create()
        // takes both so that CHECKSIG can compare the magic against the extension.
        FileSignatureClass myFileSignatureTree();
        FileTypeClass myFileTypeTree();

        FileSignatureClass fileSig();
        fileSig.SetExpression("\\x50\\x4B\\x03\\x04");   // ZIP local file header "PK\x03\x04"
        myFileSignatureTree.Insert(fileSig, NodeClass::INSERTLAST, myFileSignatureTree.FirstChild());

        FileTypeClass fileType();
        fileType.SetExtensions("ZIP");
        myFileTypeTree.Insert(fileType, NodeClass::INSERTLAST, myFileTypeTree.FirstChild());

        forall (EntryClass e1 in c.EntryRoot()) {
          if (e1.IsSelected()) { // For testing, select several ZIP files and non-zip files
            if (search.Create(myFileSignatureTree, myFileTypeTree)) {
              search.CheckSignature(e1, sig, sigOptions);
              // sig.Type() is a SigClass::Types value; SourceText() gives its name, e.g. "MATCH"
              fileSigStr = SearchClass::SigClass::Types::SourceText(sig.Type());
              if (fileSigStr.Compare("MATCH") == 0)
                Console.WriteLine("Signature Match: " + e1.FullPath());
              else
                Console.WriteLine("Bad Signature for file: " + e1.FullPath());
            }
          }
        }
      }
    }
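The enscript only distinguishes MATCH from everything else. To show what the other outcomes of an EnCase-style signature check mean, here is an added Python model (not EnCase code and not the enscript) of the same magic-versus-extension logic, run over constructed file headers against a constructed signature table.

```python
import os

# Constructed sample signature tree (illustration only, not EnCase's own table):
# magic bytes -> extensions that legitimately carry that magic.
SIGNATURES = {
    b"\x50\x4B\x03\x04": {"ZIP", "DOCX", "XLSX", "JAR"},   # same PK header the enscript checks
    b"\xFF\xD8\xFF": {"JPG", "JPEG"},
    b"%PDF-": {"PDF"},
}
KNOWN_EXTENSIONS = set().union(*SIGNATURES.values())

def check_signature(name, header):
    """Classify a file into the four outcomes EnCase signature analysis reports:
    MATCH   magic known and the extension belongs to it
    ALIAS   magic known but the extension is different or missing (e.g. a renamed ZIP)
    BAD     extension claims a known type but the expected magic is absent
    UNKNOWN neither the magic nor the extension is in the table"""
    ext = os.path.splitext(name)[1].lstrip(".").upper()
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return "MATCH" if ext in exts else "ALIAS"
    return "BAD" if ext in KNOWN_EXTENSIONS else "UNKNOWN"

def scan(entries):
    """entries: iterable of (path, leading bytes). Returns {path: outcome}."""
    return {name: check_signature(name, head) for name, head in entries}

# Constructed entries standing in for selected EnCase items (only the first bytes matter).
SAMPLE_ENTRIES = [
    ("docs/archive.zip", b"PK\x03\x04\x14\x00\x00\x00"),
    ("docs/report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("docs/notes.txt",   b"PK\x03\x04\x0a\x00\x00\x00"),   # a ZIP renamed to .txt
    ("docs/fake.zip",    b"MZ\x90\x00\x03\x00\x00\x00"),   # .zip that does not start with PK
    ("docs/readme.txt",  b"Just some text\n"),
]
```

The ALIAS case is the one a MATCH-only check silently drops: a renamed ZIP is still a ZIP, so a collection script may want to keep it rather than lump it in with BAD.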
