Tools

This script searches user-specified Mac OS X plaintext log-files for log-entries containing one or more keywords. Bzip2 and Gzip archives of each log-file will expanded and searched automatically. Matching logs are written to bookmarks and a tab-delimited spreadsheet file. The script can also be used with any other UTF-8 encoded log-files that have UNIX line-breaks.

This EnScript is designed to convert Microsoft Outlook *.olk14MsgSource and *.olk15MsgSource message-files to *.EML files that can be opened in a suitable application.

This script parses user-specified Mac OS X OpenBSM audit logs, which are usually found in the following folder -

This EnScript is designed to carve MP4, MOV, M4A and HEIC files.

This script parsers user-specified Mac OS X binary cookie files. Output is by way of bookmarks and a tab-delimited spreadsheet file.

This is a small utility that will decrypt the user-password for a user set to automatically log-in to a Mac OS X system.

By right clicking a file this EnScript compares the selected file to the VirusTotal and/or ThreatExpert databases and determines if it is malware. Results can be bookmarked. An internet connection is required.

This plugin has been designed as primarily as a classroom aid to assist in the examination of MFT records.

This script is designed to identify NTFS files/folders whose timestamps may have been adjusted, possibly to try and divert an examiner's attention from their presence.

Low Hanging Fruit Please extracts file name path and MD5 to a SQLite database that also contains an Item Moniker data for each entry. An EnCase Review Import File template is also created to allow tagging after external data analysis is completed.

Rearrange date and time information to build an informative timeline.

This EnScript creates a bookmark of the logon banner and logon screen. This information is sometimes needed as proof that there is no expectation of privacy.

This EnScript will search all tagged items for known.met record fragments from eMule 0.5. If these records are found it will parse the records and the output will be to a tab delimited file in the default case export folder for further analysis in Excel or other spreadsheet application.

This script is designed to parse shortcut-link streams as defined by the Microsoft [MS-SHLLINK] document specification, which was originally released in 2010.

This EnScript searches specified items for specified keywords.

JavaScript Object Notation (JSON) files are often used to transfer and/or store configuration data maintained by local and web-based applications.

Keyword search and proximity extract is designed to do Fuzzy string extraction by grouping relevant string fragments together from files such as the Pagefile where files contrain String and Unicode characters.

JPEGSnooper is a port of some of the functionality of the freeware application JPEGsnoop Version 1.5.2 by Calvin Hass and the JPEG metadata analysis functionality of Irfanview to EnCase. This script will analyze selected JPEG files cull present metadata from the file and display the decoded results in the console. Thus an examiner does not have to individually open each image file with an external file viewer such as Irfanview or JPEGSnooper to view the present metadata. Currently the script will process any valid JPEG image and present available metadata. Additionally it will provide manufacturer specific information for NIKON cameras. (This is additional information NIKON cameras will write sometimes to image files.) Additional support for other manufacturers will be in later updates.

This script allows the examiner to identify the ancestors of items listed in a given result-set.

This EnScript allows the users to tag a series of files and export them with the JPG file extension.