From time to time, I write scripts, programs and whitepapers. These are free to share and use. They were all developed to make the job of the forensic analyst a lot easier. 

The mac_apt project (macOS artifact parsing tool) is available on GitHub here.

All other Mac (OS X) related scripts are available here. All newer code is on GitHub, but older projects are hosted here below.

Files and their descriptions:

IE RecoveryStore Travel Log Spec: IE RecoveryStore & Travel Log Format Specification document.
IE Travelog Parser / IE Travelog Parser_v7 (for EnCase 7.02): EnScript to extract data from Internet Explorer Travelog and RecoveryStore files. Read more about this artifact in my posts here and here.
Hex Decoder Enscript: GUI-based EnScript for decoding hex to ASCII. Read details here.
NTFS Forensics Presentation: Presentation on NTFS Forensics for the open security group "null".
Parse XP System Restore change logs - Enscript code: EnScript code for parsing XP System Restore change logs. This file is part of EnScript tutorial 1.
Add Folder, Drive or Volume Shadow Copy to LEF: EnScript (compiled in 6.19) that allows you to add any folder, drive or Volume Shadow Copy to an L01. Read the post here.
Prefetch Parser Enscript / Prefetch Parser for v7: EnScript (compiled in 6.19 and 7.02) that processes application run data from the Prefetch (.pf) files. Script updated for Windows 8 .pf files. Read the post here.
Amcache Parser Enscript / Amcache Parser for v7: EnScripts (compiled in 6.19 and 7.02) that process application run data from the Amcache.hve file (Windows 8). Read the post here.
SRUM Parser Enscript: EnScripts (code for 6.19 and 7.02) that process SRUM data (Windows 8 & 10).


In the past, I have also written many forensics scripts and utilities. These are available as an all-in-one consolidated zip file downloadable from 42 LLC here.

I have included a description for these files below. Some of the scripts / programs are not exactly self-explanatory and need some instructions to run properly. Unfortunately these are not available, as my older blog entries are no longer online. Feel free to contact me in case you really need something to work.

Apple iPhone Backup Extractor/Parser.Enscript: Extracts files into their proper folder structure from an iPhone backup.
Bag Parser.Enscript & Shell Bag Parser.Enscript: Shell bag entries from the registry are decoded by this script. Both scripts give the same functionality (one is newer with better output).
CSC Parser.Enscript: Rebuilds the XP Client Side Cache (CSC) from an XP machine and exports files as native or into a Logical Evidence File.
Google Desktop Search (GDS) Metadata Extractor.Enscript: Extracts information about files stored in Google Desktop Search's index database.
GDS Index Data Extractor.Enscript: Extracts files stored in Google Desktop Search's index database.
Windows Search Index Data Extractor: Extracts textual data and metadata from the index database of Windows Search.
INDX Extractor.Enscript: Finds deleted file information (metadata) by reconstructing deleted INDX buffer records in NTFS volumes.
IPD Extractor.Enscript: Extracts data from BlackBerry backup files, aka IPD files.
Webmail Extractor.Enscript: Extracts mail listings from web pages, memory, page files or unallocated space for Gmail, Yahoo Mail and Live Mail (Hotmail).
Command Line: Contains a script and DLL which enable EnScript to read command line arguments from EnCase, making it possible to launch EnCase with a custom script and custom command line arguments for that script.
Get Profile: A demo example that uses the above-mentioned DLL to create a profile list from a drive by registering a command on the shell right-click menu.
Unnamed entry: Parses Prefetch (.PF) files; also includes the algorithm for verifying the hash seen in the .PF filename.
Unnamed entry: A small program that allows resetting the password on an E01 evidence file. This is a very quick operation, as only a few bytes in the header are rewritten.
Verify Evidence: Uses the command line DLL and adds a 'verify' option for E01 files on the Explorer right-click menu.


  1. Can you post a link to the archive file on the old 42LLC site that works? The one the URL points to for your old stuff archive doesn't work.

  2. Great stuff - thanks so much for posting!

  3. I have a question regarding the parsing of the OLE Timestamp that you use in your SRUM parser EnScript. What is the actual value you use as input for the conversion? I'm trying to do the same thing in Python, but I keep getting struct errors. Probably because I'm formatting the input incorrectly.