EnCase and Python – Part 2

James Habben

In Part 1 of this post, I shared a method that lets you use Python scripts by configuring a file viewer in EnCase. We used Didier Stevens’ pdf-parser as an example. I also showed how EnScript could be used to greater effect by allowing us to capture the output of pdf-parser directly in a bookmark without having to manually copy and paste. Both of these techniques reduce effort by leveraging capabilities of both EnCase and the Python language.

In this post, I’ll take the same principles and apply them in an EnScript that provides a little more flexibility and functionality. Our goal is to have a GUI that gives you control over the exact functionality you want from the pdf-parser tool.

EnScript Method: Hard Mode

Here are the options pdf-parser displays in its help output:

Not only will we have a simple GUI to trigger pdf-parser, but this EnScript (sample code, no registration required) will also process all PDF files in the case instead of being limited to a single highlighted PDF file. Here is the GUI displayed at the start of this EnScript.

The part that makes this EnScript so much harder than the last post is the introduction of a dialog box to collect input. Unlike IDEs like Visual Studio, EnCase does not provide WYSIWYG capability to drag and drop UI controls. With EnScript, it’s all about typing the objects out, and laying them out by hand. Dialogs have to be coded as a custom class, and this brings a lot of scary demons out of the closets for many programmers. OOP! Object Oriented Programming. This one is pretty simple, though. Take a look:

I have a bunch of checkboxes that turn on options for pdf-parser. I created a global String variable named PyArgs to collect the options that were checked. So here’s a little code block that appends the desired options to it. You’ll notice that the variables inside the if conditions match those referenced by the dialog in lines 18-23.

I mentioned that this EnScript is going to parse multiple PDF files, not just the highlighted one as we did in the last post. Here is where I use the ItemIteratorClass to obtain access to the files in the evidence file. Of course, I only want to process PDF files, so I filter for those.

Now, the function that runs the Python code. You should find it pretty familiar, that is, if you read the last post. It opens the file internally, and then copies the data out to a temporary external file for Python to access. I bumped the wait time up on line 105 since some of my larger PDFs were taking longer than the one-second time I used previously. I added the CopyItemData() on line 107 because that will actually tie the metadata of each PDF file to the bookmark that is created.
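As an added Python example (not the author’s EnScript, and not part of the original post), here are the same three steps outside EnCase: turning a set of checked options into pdf-parser flags, picking out PDF files by header rather than extension, and running pdf-parser with a hard timeout instead of a fixed wait. The option names in OPTION_FLAGS and the parser path are assumptions; the flags themselves are pdf-parser’s documented ones.

```python
import subprocess
import sys
from pathlib import Path

# Assumed checkbox names -> pdf-parser flags (flags taken from pdf-parser's help).
OPTION_FLAGS = {
    "stats": "-a",    # -a/--stats: object and stream statistics
    "filter": "-f",   # -f/--filter: pass streams through their /Filter
    "raw": "-w",      # -w/--raw: raw output for data and filters
    "content": "-c",  # -c/--content: display the content of objects
}

PDF_MAGIC = b"%PDF"


def build_args(options):
    """Return the flag list for every option whose value is True (a 'checked' box)."""
    return [OPTION_FLAGS[name] for name, checked in options.items() if checked]


def is_pdf(head):
    """Decide by signature, not extension: the header may sit a little way into the
    file, so look for it anywhere in the first 1024 bytes."""
    return PDF_MAGIC in head[:1024]


def collect_pdfs(root):
    """Stand-in for the ItemIteratorClass loop: yield every file under root that
    carries a PDF header."""
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                if is_pdf(fh.read(1024)):
                    yield path


def build_command(pdf_path, options, parser="pdf-parser.py"):
    """Full command line: interpreter, parser script (assumed path), flags, target."""
    return [sys.executable, parser, *build_args(options), str(pdf_path)]


def run_pdf_parser(pdf_path, options, parser="pdf-parser.py", timeout=30):
    """Run pdf-parser on one file. A timeout bounds the wait for large or
    pathological PDFs instead of guessing a sleep interval."""
    try:
        result = subprocess.run(build_command(pdf_path, options, parser),
                                capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return f"[timeout after {timeout}s] {pdf_path}\n"
    return result.stdout + result.stderr
```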

Give this one some time to run since it is going against all files in the case. The results should look like this, more or less depending on the options that you checked in the dialog.

Whether you are an examiner downloading this EnScript to use in cases, or an EnScripter looking to integrate more Python scripts with EnCase, I hope you found this useful. Let me know in the comments or on Twitter #en2py if there are topics you would like to see here.
