Part 2 - So much evidence, so many artifacts, so little time…

Ken Mizota

In my last post, I summarized a handful of apps that are useful for searching and exploring your case, and apps that help with malware investigations. For the latest updates on apps, go to EnCase App Central directly, or follow us on Twitter @EnCase.

Without further ado, here are some more apps that we hope can help you make your case:

Apps to parse and analyze artifacts


Ares Dat File Decryptor: Decrypt data from .dat files used by the Ares P2P file trading program.

Mac OS X QuickLook Thumbcache Parser: Find thumbnail evidence you were missing in OS X. Cover Flow leaves behind tracks!

Mac OS X Autologin Password Decoder: We have a really excellent overview of decrypting OS X user and system keychains, and this app is part of that workflow.

Plist Viewer Plugin: Right click, view binary and XML OS X/iOS property lists.

Facebook MSG Finder: Carves for artifacts left behind by Facebook Messages and creates a detailed report.

Office 2007 Metadata Parser: Parse XML-based office documents such as docx, pptx, xlsx, etc. This plugin allows you to view and bookmark your findings within EnCase.

RegRipper Launcher: Why didn’t someone think of this earlier? Pipe EnCase evidence into RegRipper in two clicks. Output is stored in bookmarks for easy inclusion in reports.

iOS iTunes Backup Extraction: Sometimes a smartphone investigation starts off with a backup on a hard drive. This app finds iTunes backups so they may be acquired and analyzed using EnCase.

SQLiteQuery: Query SQLite databases directly from evidence in EnCase.

Skype Chatsync IP Addresses: Parse the proprietary Skype “chatsync” file, containing user names, IP addresses and more.

Apps to simplify the investigation


Timezone Info Prior to Processing: Saves time by pulling the timezone from the System Registry Hive of Windows machines and informing the investigator of the appropriate timezone to use.

Last Folder Plugin: Automatically open Windows Explorer through this plugin to show the current case’s Export folder. Useful when frequently reviewing contents of exported files.

Evidence File Converter: Converts selected EnCase evidence files to bitstream, dd-type disk images.

Drive Space Audit: Provides a quick report of all drive space of all devices in the case.

Unmount Compound File: Sometimes you want to try a different password for a mounted compound file, or just get rid of unwanted items.

EnScript Finder: Now that you have all of these apps, do you know how to find them? This app helps you easily locate apps stored in multiple locations.

SysTools Outlook Exporter: An investigator may need to export emails to PST format, but perhaps does not have a license for Microsoft Outlook, which many tools require. This app enables export to PST with no requirement for Outlook.

Inventory: Hashes an entire directory, and will parse EnCase Case files for reporting and evidence storage purposes.

What’s New In App Central: If you spend a lot of time investigating, but not much time surfing EnCase App Central, this app grabs a list of new apps from EnCase App Central since the last time you checked.

Let me know what you think in the comments below.
