Tools

641 results - showing 261 - 280
« 1 ... 9 10 11 12 13 14 15 16 17 18 ... »

Tools

License Type
Free
Developer
Guidance/OpenText

Most Windows executables contain a resource known as "VS_VERSION_INFO". This structure holds metadata about the specific executable, including the company name, original filename, file and product version, and other useful fields. This EnScript targets that resource directly instead of running a "strings" search across the whole executable, which usually produces a lot of noise. The information in this resource is what Windows displays when you right-click an executable and choose the "Details" tab. It is neither authoritative nor definitive (the compiler, the packer or the author can put anything there), but it commonly gives initial hints about the legitimacy of a file, or that the file has been renamed since it was compiled (for example, the OriginalFilename value differs from the name on disk). To use it, select (blue-check) one or more executables and run the EnScript; it prints the information from this resource to the Console tab and creates a bookmark.

Tools

License Type
Free
Developer
Guidance/OpenText

This script parses one or more selected .exe files and reports all the information encoded in the PE (COFF) header, such as the compile date (TimeDateStamp), characteristics, and entry point (RVA). You can also run it against a memory dump or unallocated space: it locates and parses every PE header found across the whole of the searched space, reporting the offset at which each header was found together with the information encoded in the header.
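The following Python is an added example, not the EnScript above or any Guidance/OpenText code. It shows the same idea in a form you can run offline: scan an arbitrary buffer (a memory dump, unallocated space) for the "PE\0\0" signature, reject false hits with sanity checks on the COFF fields, and report the offset, machine type, TimeDateStamp, characteristics and entry-point RVA. The buffer it scans is constructed inline and contains a decoy signature that the checks must reject; the field layout follows the IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER definitions in winnt.h. One caveat worth remembering: binaries built with reproducible-build settings (for example MSVC /Brepro) store a hash in TimeDateStamp, so the decoded date is not always a real compile time.

```python
"""Carve and parse PE (COFF) headers from an arbitrary byte buffer (added example)."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h); only the commonly reported ones
CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def parse_pe_header(buf, off):
    """Parse the COFF header at buf[off:] (must start with b'PE\\0\\0').
    Returns a dict, or None when the fields fail basic sanity checks."""
    if buf[off:off + 4] != b"PE\0\0" or off + 24 > len(buf):
        return None
    (machine, nsections, tstamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", buf, off + 4)
    if machine not in MACHINES or not (1 <= nsections <= 96) or opt_size == 0:
        return None
    opt = off + 24
    if opt + 20 > len(buf):
        return None
    magic, = struct.unpack_from("<H", buf, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+ optional-header magic
        return None
    entry, = struct.unpack_from("<I", buf, opt + 16)  # AddressOfEntryPoint
    return {
        "offset": off,
        "machine": MACHINES[machine],
        "sections": nsections,
        "timestamp_raw": tstamp,  # may be a hash for reproducible builds
        "compile_time": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "characteristics": [n for b, n in CHARACTERISTICS.items() if chars & b],
        "pe_format": "PE32" if magic == 0x10B else "PE32+",
        "entry_point_rva": entry,
    }


def carve_pe_headers(buf):
    """Scan the whole buffer for PE signatures and return every header that validates."""
    results = []
    pos = buf.find(b"PE\0\0")
    while pos != -1:
        rec = parse_pe_header(buf, pos)
        if rec:
            results.append(rec)
        pos = buf.find(b"PE\0\0", pos + 1)
    return results


def build_sample_dump():
    """Constructed test buffer (not a real binary): junk, a decoy signature, then a synthetic header."""
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0x5F000000, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0x1000, 0x2000, 0, 0x1340)
    decoy = b"PE\0\0" + b"\xff" * 20  # bogus hit that the sanity checks must reject
    return b"\x00" * 64 + decoy + b"A" * 100 + coff + opt + b"\x00" * 32


if __name__ == "__main__":
    for rec in carve_pe_headers(build_sample_dump()):
        print(rec)
```

The decoy shows why the checks matter: "PE\0\0" is only four bytes, so a raw signature scan over a memory dump produces many false hits; requiring a known machine type, a plausible section count and a valid optional-header magic removes most of them.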

Tools

License Type
Free
Developer
Guidance/OpenText

This script is designed to locate and recover deleted OST and PST files.

Tools

License Type
Free
Developer
Guidance/OpenText

This script is designed to find deleted PDF files using the header '%PDF-#.#' (an EnCase GREP expression in which '#' matches any digit) and the footer '%%EOF'.
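As an added illustration of header/footer carving (this is not the EnScript's code), the Python below carves PDFs out of a raw buffer using the same two markers. It handles one detail a plain "first %%EOF after the header" search gets wrong: a PDF that has been saved with incremental updates carries several %%EOF markers, so the carver takes the last %%EOF before the next header (or a size cap), not the first. The input is a constructed image, and the size cap is an assumption. The remaining limitation is inherent to the technique: a PDF that embeds another PDF will be split at the inner header.

```python
"""Carve PDF files from a raw buffer by header and footer (added example)."""
import re

HEADER = re.compile(rb"%PDF-\d\.\d")   # same pattern as the GREP '%PDF-#.#'
FOOTER = re.compile(rb"%%EOF")
MAX_PDF = 50 * 1024 * 1024  # assumed upper bound for one carved file


def carve_pdfs(buf, max_size=MAX_PDF):
    """Return a list of (start, end, data) for every header with a footer.

    Incrementally updated PDFs contain several %%EOF markers, so the end of a
    file is the LAST %%EOF before the next header or the size cap."""
    hits = [m.start() for m in HEADER.finditer(buf)]
    out = []
    for i, start in enumerate(hits):
        limit = hits[i + 1] if i + 1 < len(hits) else len(buf)
        limit = min(limit, start + max_size)
        end = None
        for m in FOOTER.finditer(buf, start, limit):
            end = m.end()
        if end is None:
            continue  # header with no footer in range: not recoverable as a whole file
        while end < limit and buf[end:end + 1] in (b"\r", b"\n"):
            end += 1  # keep the line ending that follows %%EOF
        out.append((start, end, buf[start:end]))
    return out


def build_sample_image():
    """Constructed buffer: an incrementally updated PDF, a second PDF, and an orphan header."""
    pdf_a = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<<>>\n%%EOF\n"
    pdf_a += b"2 0 obj<</Type/Page>>endobj\ntrailer<</Prev 9>>\n%%EOF\n"  # appended revision
    pdf_b = b"%PDF-1.7\r\n3 0 obj<<>>endobj\r\n%%EOF\r\n"
    orphan = b"%PDF-1.3\nno footer follows"
    return b"\x00" * 512 + pdf_a + b"\xff" * 300 + pdf_b + b"\x00" * 100 + orphan


if __name__ == "__main__":
    for start, end, data in carve_pdfs(build_sample_image()):
        print(f"PDF at offset {start}, {end - start} bytes, {data.count(b'%%EOF')} %%EOF marker(s)")
```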

Tools

License Type
Free
Developer
Guidance/OpenText

The Old School Search Hit Viewer will display search hits in a table; the hits are highlighted with a user-specified amount of context visible around the search hit. Multiple items and multiple search terms may be displayed in the same table.

Tools

License Type
Free
Developer
Guidance/OpenText

This script is designed to read metadata from MS Office documents in the binary formats used prior to Office 2007 (.doc, .xls, etc.).

Tools

License Type
Free
Developer
Guidance/OpenText

TRIAL VERSION - Extend your EnCase evidence review reach with advanced corrupted file repair functionality by OfficeRecovery.

Tools

License Type
Free
Developer
Guidance/OpenText

This script reads XML-based metadata from entries in the current case that are identified as Office 2007-format documents by file extension (so a renamed file will not be picked up). The script supports both Microsoft Office Open XML and OpenDocument formats, both of which are collections of XML files inside a ZIP container.
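The Python below is an added example (not the EnScript's own code) of reading that XML metadata from both container types with only the standard library: it opens the ZIP, looks for docProps/core.xml (Office Open XML) or meta.xml (OpenDocument), and returns the properties (creator, last modifier, creation and modification dates, generator). It identifies the format by container contents rather than by extension, which is the check you want when the extension may have been changed. The two documents it reads are constructed inline from minimal core.xml and meta.xml fragments.

```python
"""Read creator / modification metadata from OOXML and ODF containers (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "meta": "urn:oasis:names:tc:opendocument:xmlns:meta:1.0",
}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}")[-1]


def read_metadata(data):
    """Return {'format': 'OOXML'|'ODF', 'fields': {...}} or None for a non-Office ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            # every child of cp:coreProperties is one property, e.g. dc:creator
            fields = {_local(el.tag): (el.text or "").strip() for el in root}
            return {"format": "OOXML", "fields": fields}
        if "meta.xml" in names:
            root = ET.fromstring(z.read("meta.xml"))
            meta = root.find("office:meta", NS)
            fields = {} if meta is None else {_local(el.tag): (el.text or "").strip() for el in meta}
            return {"format": "ODF", "fields": fields}
    return None


# Constructed sample metadata parts (not taken from any real document)
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>asmith</cp:lastModifiedBy><cp:revision>7</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2021-03-01T10:15:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2021-04-20T16:02:00Z</dcterms:modified>
</cp:coreProperties>"""

META_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-meta xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<office:meta><meta:initial-creator>jdoe</meta:initial-creator><dc:creator>asmith</dc:creator>
<meta:creation-date>2021-03-01T10:15:00</meta:creation-date>
<meta:generator>LibreOffice/7.0</meta:generator></office:meta></office:document-meta>"""


def build_sample(member, xml):
    """Build a minimal ZIP container holding one metadata part plus a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, xml)
        z.writestr("content_placeholder.xml", b"<x/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(read_metadata(build_sample("docProps/core.xml", CORE_XML)))
    print(read_metadata(build_sample("meta.xml", META_XML)))
```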

Tools

License Type
Free
Developer
Guidance/OpenText

This plugin provides an interface to the NirSoft ESEDatabaseView executable so as to provide centralized reporting of Extensible Storage Engine (ESE, aka Jet Blue) databases through the use of bookmarks. The plugin requires the NirSoft ESEDatabaseView tool, which can be downloaded from:

Tools

License Type
Free
Developer
Guidance/OpenText

This script parses SMS messages out of a binary dump of a Nokia Lumia 610 mobile phone. Binary dumps can be obtained through a JTAG or chip-off process. Known limitation: messages are truncated to a maximum of 10,000 characters. Read incoming and sent messages are parsed, so read all unread messages before acquiring the binary dump. Output is a bookmark folder and a *.tsv file.

Tools

License Type
Free
Developer
Guidance/OpenText

This script parses USN_RECORD_V2 change-journal records contained in the $J data stream of the NTFS $UsnJrnl file. It can also search for, and decode, USN_RECORD_V2 records in $LogFile and unallocated clusters.
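The Python below is an added example, not the EnScript's code, of what "search for and decode USN_RECORD_V2 records" looks like in practice: a parser for the fixed 60-byte record header defined in winioctl.h (RecordLength, MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset, then the UTF-16LE name), plus a carver that walks a buffer at 8-byte alignment and relies on the version fields, FileNameOffset and length consistency to reject garbage. That validation is what makes carving from $LogFile or unallocated clusters workable. The $J-style buffer it scans is constructed inline and includes slack and a corrupt record.

```python
"""Parse and carve USN_RECORD_V2 change-journal records (added example)."""
import struct
from datetime import datetime, timedelta, timezone

HDR = struct.Struct("<IHHQQQQIIIIHH")  # 60-byte fixed part of USN_RECORD_V2
REASONS = {  # USN_REASON_* flags (winioctl.h), subset commonly reported
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_record(buf, off):
    """Decode one record at buf[off:]; None if it does not look like a valid V2 record."""
    if off + HDR.size > len(buf):
        return None
    (length, major, minor, frn, parent_frn, usn, ts, reason, _source, _secid,
     _attrs, name_len, name_off) = HDR.unpack_from(buf, off)
    # Sanity checks: these are what keep carving from $LogFile / unallocated honest
    if major != 2 or minor != 0 or name_off != HDR.size:
        return None
    if length % 8 or length < HDR.size + name_len or length > 0x400:
        return None
    if name_len == 0 or name_len % 2 or off + length > len(buf):
        return None
    try:
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return {
        "offset": off, "usn": usn, "length": length,
        "mft_entry": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48,   # FRN = seq:entry
        "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
        "timestamp": filetime_to_dt(ts),
        "reasons": [n for b, n in REASONS.items() if reason & b],
        "name": name,
    }


def carve_usn_records(buf):
    """Walk the buffer at 8-byte alignment (records are always 8-byte aligned)."""
    out, off = [], 0
    while off + HDR.size <= len(buf):
        rec = parse_record(buf, off)
        if rec:
            out.append(rec)
            off += rec["length"]
        else:
            off += 8
    return out


def make_record(usn, frn, parent, ft, reason, name):
    """Build a valid V2 record, padded to 8 bytes (used only to construct test data)."""
    nb = name.encode("utf-16-le")
    length = (HDR.size + len(nb) + 7) & ~7
    rec = HDR.pack(length, 2, 0, frn, parent, usn, ft, reason, 0, 0, 0x20, len(nb), HDR.size) + nb
    return rec + b"\0" * (length - len(rec))


def build_sample_j():
    """Constructed $J-like buffer: two records, slack, a corrupt record, then a third."""
    frn, parent = (5 << 48) | 1234, (1 << 48) | 5
    ft = 132600000000000000  # March 2021
    r1 = make_record(0x1000, frn, parent, ft, 0x00000100, "payload.exe")               # FILE_CREATE
    r2 = make_record(0x1000 + len(r1), frn, parent, ft + 10_000_000, 0x80000102, "payload.exe")
    bad = HDR.pack(0x50, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60) + b"\0" * 20           # bad version
    r3 = make_record(0x2000, frn, parent, ft + 20_000_000, 0x00002000, "svchost.exe")  # RENAME_NEW_NAME
    return r1 + r2 + b"\0" * 16 + bad + r3


if __name__ == "__main__":
    for r in carve_usn_records(build_sample_j()):
        print(r["offset"], hex(r["usn"]), r["timestamp"], r["name"], r["reasons"])
```

Two things the decoded fields give you beyond the name: the MFT entry number and sequence in FileReferenceNumber let you tie a journal entry to a specific $MFT record (and notice when the entry has been reused), and a RENAME_OLD_NAME / RENAME_NEW_NAME pair with the same Usn neighbourhood shows the rename of a dropped file to something innocuous.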

Tools

License Type
Free
Developer
Guidance/OpenText

This EnScript filter allows the examiner to show/hide entries using multiple date-ranges and one of four different logic options.

Tools

License Type
Free
Developer
Guidance/OpenText

This script is designed to parse the contents of NTFS index buffers.

Tools

License Type
Free
Developer
Guidance/OpenText

NETSH Packet Capture allows network traffic sniffing on Microsoft Windows 7 and newer machines using the natively installed NETSH utility together with an EnCase Servlet that has Remediation enabled. Launch the EnScript without opening a case (none is necessary) and log into your SAFE, which determines whether the Remediation flag is enabled and whether you have permission to use this feature. Once that is done, click the Sniff button to run your NETSH commands on the remote system at the IP address you provided. All results are displayed in the Console view of EnCase after the command finishes executing. At this point click Cancel to leave NETSH running; otherwise set the Export Folder where the Logical Evidence File should be saved. Make sure you stop the packet capture before clicking OK, because OK initiates the file collection using the default logical file names NetTrace.etl and NetTrace.cab. Microsoft Message Analyzer can be used to review the data or to extract the PCAP contents for review in Wireshark, NetworkMiner, Xplico and similar tools. Microsoft Message Analyzer download: http://www.microsoft.com/en-us/download/details.aspx?id=40308 (Microsoft has since retired Message Analyzer; the open-source etl2pcapng utility converts a .etl capture to pcapng for Wireshark.) This app was developed by instructors in support of the Guidance Software Professional Development and Training course offerings. For more information about its use and investigative context, attend one of the following courses: Enterprise Examinations, Host Intrusion Methodology and Investigation, or Cybersecurity and Analytics.

Tools

License Type
Free
Developer
Guidance/OpenText

This is an update to a previously submitted (and approved) EnScript that parses Windows, OS X and Linux memory images. This update fixes an issue that occurred when a user attempted to run the script against an evidence file (.E01). There are no other changes to the script.

Tools

License Type
Free
Developer
Guidance/OpenText

Microsoft Word Autosave Document (ASD) files have the Compound File Binary File Format [MS-CFB] file-structure.

Tools

License Type
Free
Developer
Guidance/OpenText

A script to search for protocol fragments of MSN Messenger (or MSN Live Messenger) chat. The message containing the chat is extracted and placed (where possible) into relevant bookmark folders. These protocol messages are NOT fragments of chat logs; they are the remains of the actual MSN protocol messages as they appeared on the wire. In many cases these exist on a machine even where chat logging has been disabled. The script was developed in conjunction with the publication of this paper: http://computerforensics.parsonage.co.uk/downloads/MSNandLiveMessengerArtefactsOfConversations.pdf

Tools

License Type
Free
Developer
Guidance/OpenText

This template may serve as a basis for your own case template and includes many Bookmark folders for topics often encountered during examinations. Bookmark Formats for reporting purposes are provided and tailored to each individual type of data. It includes over 80 pre-defined Bookmark Folders for commonly encountered artifacts, broken down into detailed categories such as File Sharing Clients, Malware Analysis, Social Networking, Browsers and more.

Tools

License Type
Free
Developer
Guidance/OpenText

This EnScript allows the examiner to tag the items of interest and then export a tab-delimited text file containing the name, MD5 hash value and logical size of each tagged item. This information can be used to create a condition on logical size and hash value to search other systems for matching files.

Tools

License Type
Free
Developer
Guidance/OpenText

This script is designed to locate one or more files from a known set. It works with records as well as entries.
