ThinkTank Forensics

I recently released an EnScript that exports files based on extension, you can see the original post and EnScript here.

Based on a request from Timothy LaTulippe & Dave Kleiman. I have made two modifications. There is now a version that maintains the original timestamps of the exported files. The second version maintains the timestamps and the original export path.

You can download them here:
Export file based on extension & Maintain TimeStamps
Export file based on extension & Maintain TimeStamps & Original Path

A few months ago I posted an EnScript and some information about a project by Sgt. Glenn Lang of the Maine Sate Police. You kind find the original post here and EnScript.

Sgt. Lang asked me to post the following message:
----------------------------------------------------------------
Flint Waters and the folks at the Wyoming ICAC have tied our Harvester into their Tool Kit.

Its only been active for a short time, but it has already generated over 40,000 key words to be used in searching for contraband on suspect media.

While I am culling the key words into usable lists I have created a new one from the big list with 265 grep key words that are from some of the most frequently seen CP movies.

If you are interested in this list send me an e-mail and indicate where you are from.

All other items related to this project can be downloaded here:

http://www.mcctf.org/membersonly.htm
User: Guest2
Password: HasHerGL (it is case sensitive)

Sgt. Glenn Lang
Supervisor / ICAC Commander
Maine State Police Computer Crimes Unit
15 Oak Grove Rd. Vassalboro, Maine 04989
Phone (207) 877-8081
Fax (207) 877-8091
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
----------------------------------------------------------------

The Top 265 hex keywords are posted here

On a request from a person I consider a friend and whom I have learned a lot from, Pat Lim, I created this EnScript to help parse OSX email messages.

EnCase can parse many different types of emails, but unfortunately emails in the native "mail" application in OSX is not supported. Pat did some research and figured out the structure of the individual email files typically stored in the /[user]/Library/Mail/POP/Inbox folder. Each email is stored with a .emlx extension.

This EnScript will process selected (blue checked) .emlx files. The individual .emlx files will be reformatted and concatenated into one single file and placed in your default export folder for the case. This single file will be in the MBOX format and can then be added into EnCase and parsed. The emails will show up in the records tab if you select the email parse option from the search dialog, or you can simply right-click on the exported MBOX file and choose "view file structure".









Download Here

On an idea from Timothy LaTulippe, this EnScript was written to basically "de-NIST" your evidence.

This EnScript will compare all the files in the case against whatever hash sets you select (aka all the NIST ones or your own custom Windows hash sets) and then it will export all the files that do not match any of the hash sets, maintaining the original paths.

First, select whatever hash sets you want to use and rebuild your library with the ones you want to include in the comparison:



Then run the EnScript and choose an export path:



If you check the LEF box, a logical evidence file will also be made with all the files that do not match any of your included hash sets.

Download Here