Verify a Wiped Drive
This enscript can be used to verify that a device has been wiped according to the wiping pattern of your wiping program. For example, if you wipe the drive with the pattern “FF 00”, then a sector filled with these two bytes will have a particular MD5 hash value. The enscript precalculates this value, then reads the data from your device sector by sector, calculates the MD5 hash of each sector and compares it against the expected value. Any sectors that differ are displayed in the console and bookmarked.
Produce five-field TLN output from a PST file
This enscript will create a file called PST_TLNFile.txt in your export folder containing the TLN formatted timestamps of all non-folder items in a PST. Each mail item, for example, has four timestamps: created, sent, received and last modified. This enscript produces a TLN output file ready to be consumed by log2timeline.
Bookmark files based on a list of filenames
This enscript can be used to bookmark files by filename. The “Search Filenames” condition dialog is limited to about 20 files. If you have thousands of files, this enscript solves the problem for you. Lance Mueller has a similar enpack but unfortunately it didn’t work for me, and since it was enpacked I had to write my own. As always, the enscript source is provided if you need to modify it.
Casenotes – A Microsoft OneNote for Casework
This ZIP file contains my Notebook for tracking the details of a current case.
PE Extractor – Enscript
This enscript can be used to extract PE files from your case. Rather than blindly extracting the data with an arbitrary filesize, the enscript performs two validation tests to determine the length of the PE.
Cluster Boundary Search – Enscript
This enscript was designed to improve the file carving functions of Encase. Files are written to the hard drive starting at a cluster – so this enscript improves the performance of file carving by confining the file signature search to cluster boundaries. There are scenarios in which you still want to search every sector – but this enscript gives you the option of not having to.
System Restore Change Log Parser – Enscript
The change logs within the System Restore points contain valuable information when conducting timeline analysis. This enscript can be used to parse selected change logs – and works very well. Please be sure to read the source code for appropriate attribution.
BUP parsing – enscript
This enscript will parse the contents of a McAfee antivirus quarantine file. The enscript will bookmark the metadata of the quarantine file and also extract the binary for malware analysis. It has been coded to ignore all quarantined cookies.
This enscript will traverse your evidence files and bookmark data based on Log2timeline input format. The investigator can then review the bookmark list, select those items to be exported, and ‘Tag Selected Items’. The files are then processed using Copy/Unerase, Copy Folders, or Create Logical Evidence File.
Blackberry IPD Parse
This enscript will parse any number of selected Blackberry IPD files (backup files) and bookmark their contents. This is currently v0.1, and will parse ONLY SMS Messages. As always, the code is provided, so please feel free to modify, inspect and comment. Simply select one or more IPD files in Encase and run the script. Bookmarks will be created with the content of the text message added as a NOTE to the bookmark.