SecureArtisan

My Road to Digital Forensics Excellence

My Files

Verify a Wiped Drive

This enscript can be used to verify that a device has been wiped according to the wiping pattern of your wiping program. For example, if you wipe the drive with the pattern “FF OO”, then a sector full of these two bytes will have a particular MD5 hash value. The enscript precalculates this value and then reads in data from your device, calculates the MD5 hash and compares it. Any differences are displayed in the console and bookmarked.

Produce five-field TLN output from a PST file

This enscript will create a file called PST_TLNFile.txt in your export folder container the TLN formatted timestamps of all non-folder items in a PST. Each mail item, for example, has four timestamps: created, sent, received and last modified. This enscript produces a TLN output file ready to be consumed by log2timeline.

Bookmark files based on a list of filenames

This enscript can be used to bookmark files by filename. The “Search Filenames” condition dialog is limited to about 20 files. If you have thousands of files, this enscript solves the problem for you. Lance Mueller has a similar enpack but unfortunately it didn’t work for me, and since it was enpacked I had to write my own.  As always the enscript is provided if you need to modify.

Casenotes – A Microsoft Onenote for Casework

This ZIP file contains my Notebook for tracking the details of a current case.

PE Extractor – Enscript

This enscript can be used to extract PE files from your case. Rather than blindly extracting the data with an arbitrary filesize, the enscript performs two validation tests to determine the length of the PE.

Cluster Boundary Search – Enscript

This enscript was designed to improve the file carving functions of Encase. Files are written to the hard drive starting at a cluster – so this enscript improves the performance of file carving by confining the file signature search to cluster boundaries. There are scenarios in which you still want to search every sector – but this enscript gives you the option of not having to.

System Restore Change Log Parser – Enscript

The change logs within the System Restore points contain valuable information when conducting timeline analysis. This enscript can be used to parse selected change logs – and works very well. Please be sure to read the source code for appropriate attribution.

BUP parsing – enscript

This enscript will parse the contents of a McAfee antivirus quarantine file. The enscript will bookmark the metadata of the quarantine file and also extract the binary for malware analysis. It has been coded to ignore all quarantined cookies.

Log2Timeline-Data Gathering

This enscript will traverse your evidence files and bookmark data based on Log2timeline input format. The investigator can then review the bookmark list, select those items to be exported, and ‘Tag Selected Items’. The files are then processed using Copy/Unerase, Copy Folders, or Create Logical Evidence File.

Blackberry IPD Parse

This enscript will parse any number of selected Blackberry IPD files (backup files) and bookmark their contents. This is currently v0.1, and will parse ONLY SMS Messages. As always, the code is provided, so please feel free to modify, inspect and comment. Simply select one or more IPD files in Encase and run the script. Bookmarks will be created with the content of the text message added as a NOTE to the bookmark.

3 Responses to “My Files”

  1. J. W. said

    Paul –

    I wanted to take a look at your Investigation Notebook but the zip file does not seem to be available on the website the link transfers me to. Would you be willing to provide it via e-mail?

    J.W.

  2. Paul Bobby said

    The files are now hosted on docs.google.com. Thanks.

  3. […] My Files […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: