Tools
Quickly make bookmark folders for each device in your case. Automates making bookmark folders and subfolders for each device in your case, along with bookmarking each device and each volume in the case. Subfolders are user-configurable.
Tools
Allows the examiner to quickly view data in the highlighted Registry file.
Tools
The script is designed to quickly decode Base64-encoded data.
Tools
This script is designed to find deleted prefetch files in both compressed and uncompressed formats.
Tools
Print Spool - Parse Data From SHD and SPL Files (V1.3.1)
Tools
This EnScript is designed to parse the prefetch files created by the MS Windows Task Scheduler service. Windows XP to Windows 10 file formats are supported. It's worth noting that Windows 10 prefetch files are compressed using the Xpress+Huffman compression algorithm.
Tools
This is an XML and binary property list viewer plugin EnScript.
Tools
This EnScript is designed to be run before the Evidence Processor. This EnScript does three things:
Tools
This EnScript decodes binary and XML plist files that are extensively used by Apple computer software and hardware to store configuration data.
Tools
EnScript to extract and display information about wireless networks that the system has connected to. Supports analysis of Windows Vista, 7 & 8.
Tools
This EnCase EnScript was written to parse the Vista/7 'setupapi.dev.log' for USB events. This log contains a lot of information about hardware events, including when USB devices are attached, and can be useful to compare against file metadata to see what filesystem activity was happening at the time USB devices were connected.
Tools
This EnScript was designed as a "quick hit" to parse and show the MRU values for the Terminal Server client for each user. The EnScript checks the Software\Microsoft\Terminal Server Client\Default key in each NTUSER.DAT and displays/bookmarks any values.
Tools
Parses the original path, logical size, and date-deleted information from $I $Recycle.Bin files.
Tools
Most executables contain a resource known as "VS_VERSION_INFO". This structure contains metadata about the specific executable, including the manufacturer name, original filename, version info and other useful information. This EnScript specifically targets this resource instead of just running a "strings" search across the entire executable, which often leads to lots of noise. The information in this resource is what is displayed if/when you right-click on an executable in Windows and choose the "details" tab. Looking at this information, while not authoritative or definitive, can commonly give you some initial hints about the legitimacy of a file and/or whether it has been renamed since it was originally compiled. The EnScript is designed so that you can check (tick) any executable(s) and then run the EnScript. It will then print out the information from this resource to the console tab (and make a bookmark).
Tools
This script will parse single or multiple selected .exe files and provide all information encoded into the PE (COFF) header, such as compile date, characteristics, and entry points (RVA). You can also run this script on a memory dump or unallocated space, and it will locate and parse any PE headers found across the whole of the searched space. It provides the offset to each PE header found as well as all information encoded into the header.
Tools
This script is designed to locate and recover deleted OST and PST files.
Tools
This script is designed to find deleted PDF files using the header, '%PDF-#.#' (GREP), and the footer, '%%EOF'.
Tools
The Old School Search Hit Viewer will display search hits in a table; the hits are highlighted with a user-specified amount of context visible around the search hit. Multiple items and multiple search terms may be displayed in the same table.
Tools
This script is designed to read metadata from versions of MS Office documents prior to Office 2007 (doc, xls, etc.).
Tools
TRIAL VERSION - Extend your EnCase evidence review reach with advanced corrupted file repair functionality by OfficeRecovery.