Friday, December 30, 2011

EnScript Resources

Every once in a while I get a query about EnScript programming, specifically if there are any books or online material available for it. So I have listed out a few good links to sites that have tutorials for EnScript that should get you started. Additionally keep watching this space and I will keep posting material (samples, tutorials) here too.

Resource 1: Lance Mueller’s now closed site (it’s still online but no more updates/comments will be posted)

Resource 2: My good friend Jon Stewart’s blog

Interestingly Lance is not a programmer and Jon on the other hand is a hardcore programmer. And I have had the pleasure of working with both these fine gentlemen for a number of years and they’ve done some excellent work with scripts.

There are some other people too that have posted EnScripts or Enpacks for free, these sites do not have any tutorials.

42 LLC's blog
Geoff Black's Forensic Gremlins
Takahiro Haruyama's blog - Most of the site is in Japanese but easy to follow
Paul Bobby's blog

In addition, the guidance portal too has some publicly submitted scripts, but it is not an open forum.

If you are wondering what the heck EnScript is, it is a programming language with an API into Encase’s functionality; Encase is the most widely used commercial forensic tool and EnScript cannot be compiled or run without Encase.

Saturday, December 3, 2011

Hex Decoder Enscript

A simple hex decoder in an enscript GUI. Although nothing new as there are many such hex-ascii decoders available on the internet, this serves as an example of a simple enscript with a GUI that does something useful. I use it to unobfuscate and decode SQL injection strings and URLs.

Download here

Screenshot of Hex Decoder Enscript

Thursday, December 1, 2011

Travelog Parser Script

The IE Travelog parser enscript is now available for download here!

I have parsed out all information within the <GUID>.DAT files. This is displayed in the GUI when the program is run. While not everything can be exported out into a flat list because it is really a tree structure within another tree structure, and also lots of the information contained is duplicated (redundant). The complete output is in the console, where you also get data from the RecoveryStore.DAT files.

Screenshot of Script output
Update: 1 Jan 2012 - Small bug fix, version now shown in script as 0.7 Beta.