EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

Categories

Utility

$Filename Attribute Dates of tagged file(s)

This EnScript will display the (8) eight NTFS time-stamps associated with each tagged file/folder in EnCase.
By Lance Mueller
1273 Downloads
29 Downloads in last 6 months
App
Artifact

APFS Date-Added Decoder

This script decodes the date-added timestamps present in the internal $Catalog file created by EnCase for APFS volumes.
By Simon Key
163 Downloads
21 Downloads in last 6 months
App
Utility

Active Directory Account Importer For Secure Storage

This script allows the examiner to import user and group accounts from Active Directory into EnCase.
By Simon Key
6047 Downloads
6 Downloads in last 6 months
App
Utility

Android Screen Unlock

This script is designed to remove basic PIN, password or pattern lock from a connected device. This method was tested and works on Android versions from Gingerbread (2.3) to Jelly Bean (4.1). The Consol...
By James Habben
4797 Downloads
531 Downloads in last 6 months
App
Artifact

Apple System Log (ASL) File Parser

This EnScript parses user-specified Apple System Log (ASL) files in the current case. Output is by way of bookmarks and a tab-delimited spreadsheet file.
By Simon Key
6357 Downloads
10 Downloads in last 6 months
App
Artifact

Ares and Lime Pro Dat File Decryptor

This script will decrypt the data from the .dat files used by the Ares and Lime Pro P2P file trading programs.
By Simon Key
159 Downloads
17 Downloads in last 6 months
App
Artifact

Ares and Lime Pro Registry Report

This script decodes relevant values for Ares and Lime Pro NTUSER.DAT Registry keys.
By Simon Key
53 Downloads
5 Downloads in last 6 months
App
Utility

Assisted PST/OST Mounting in EnCase

The script assists in mounting Microsoft Outlook PST and OST files for use in EnCase.
By Jacques Malan
1076 Downloads
16 Downloads in last 6 months
App
Utility

Attribute and Field Helper Plugin

This plugin allows the examiner to view and bookmark the information shown under the Attributes and Fields tabs en-masse rather than on a per-file/folder basis.
By Simon Key
63 Downloads
3 Downloads in last 6 months
App
Artifact

AutoCAD DWG Summary Info Reader

This EnScript allows the examiner to read document summary information from AutoCAD DWG files. The script supports file-versions from 2004 to 2013.
By Simon Key
323 Downloads
18 Downloads in last 6 months
App
Artifact

BAM Registry Parser

This script Background Activity Moderator (BAM) Registry entries generated by later versions of Windows 10.
By Simon Key
203 Downloads
9 Downloads in last 6 months
App
Artifact

Binary Plist Finder

This script searches specified items for binary property-list (plist) files. It was designed primarily to recover plist files from unallocated clusters but can also be used to recover plists embedded in...
By Simon Key
6595 Downloads
7 Downloads in last 6 months
App
Artifact

BitTorrent Bencode File Finder

This EnScript can be used to find and decode bencoded files of the type used by several BitTorrent clients.
By Simon Key
357 Downloads
2 Downloads in last 6 months
App
Artifact

BitTorrent Bencode Viewer Plugin

This is an EnCase plugin that allows the examiner to view the bencoded files of the type used by many BitTorrent clients.
By Simon Key
246 Downloads
2 Downloads in last 6 months
App
Utility

Bookmark Filter Plugin

This self-installing plugin allows the user to select bookmarks matching a given condition. It is particularly useful when trying to identify bookmarks containing specific text in the comment.
By Simon Key
265 Downloads
4 Downloads in last 6 months
App
Artifact

Bookmark and Decode exFAT Directory Entries

This script bookmarks the exFAT directory-entries for the highlighted file/folder or selected files/folders in the current view; it is primarily designed to allow the examiner to view exFAT timestamps t...
By Simon Key
68 Downloads
6 Downloads in last 6 months
App
Utility

C-TAK (Cyber-Threat Analytics Knowledgebase) Trial Version

C-TAK provides examiners with accurate identification of cyber threats that may directly impact investigations. The C-TAK trial includes Keylogger, Rootkit and Trojan datasets built in.
By WetStone-Technologies-Inc-
207 Downloads
2 Downloads in last 6 months
App
Utility

CD Image Loader Plugin

This EnScript loads one or more CD/DVD-ROM ISO images into the current case. Supports multi-part images of the type created by FTK Imager.
By Simon Key
363 Downloads
7 Downloads in last 6 months
App
Artifact

CUPS Printer Control-File Parser

This script parses CUPS (Common UNIX Printing System) printer-control files of the type found on macOS.
By Simon Key
77 Downloads
3 Downloads in last 6 months
App
Utility

Case Analyzer and Sweep Enterprise Data Extraction

Use this script to batch-extract selected Case Analyzer and Sweep Enterprise reports to comma-delimited spreadsheets.
By Simon Key
146 Downloads
5 Downloads in last 6 months
App
Utility

Categorize & Bookmark by File Extensions

EnCase v7 EnScript to define criteria in a condition dialog and then bookmark those files into bookmark subfolders based on extensions
By Lance Mueller
574 Downloads
5 Downloads in last 6 months
App
Artifact

Chrome History Transition Parser

This script is designed to parse the transition field from records in the visits table of the Chrome/Chromium History SQLite database file.
By Simon Key
74 Downloads
8 Downloads in last 6 months
App
Utility

CompoundFileMounter (EnFilter)

This is a File Mounter. Like the V6 file mounter, but for V7 and to mount the files not included in the Evidence processor.
By James Gagen
1120 Downloads
2 Downloads in last 6 months
App
Utility

Comprehensive Case Template

This template may serve you as basis for your own specific template and includes many Bookmark folders for often encountered topics during your exams.
By Manfred Hatzesberger
472 Downloads
3 Downloads in last 6 months
App
Utility

Conditions Launcher

This EnScript will simultaneously run all the conditions from within a specific folder.
By Bartosz Kaczmarek
266 Downloads
2 Downloads in last 6 months
App
Utility

Contextual Data Builder

Importing customer contextual data enables you to integrate your enterprise or third-party database of whitelisted, blacklisted, and watchlisted hashes as you extract, transform, and load data to the an...
By John Lukach
291 Downloads
1 Downloads in last 6 months
App
Utility

Copy Files With Path

This script is designed to copy files (those that are entries) into a nominated folder and/or logical evidence file whilst still preserving each one's path. It will work in triage mode.
By Simon Key
14 Downloads
5 Downloads in last 6 months
App
Utility

Copy Web Browser Files

A simple script used to identify all browser history cookie and cache files in a case and copy them out for further processing using 3rd party tools.
By Paul Eric Tew
2432 Downloads
10 Downloads in last 6 months
App
Artifact

Cortana Search Decoder

Decodes the search terms stored in IndexedDB.edb files used by the Microsoft Windows Cortana search function.
By Simon Key
169 Downloads
8 Downloads in last 6 months
App
Utility

Create Hash Library From Multiple Hash Lists

This script is designed to create/update a hash library using the hash-values contained in one or more tab-delimited hash-list files with CR/LF line-endings.
By Simon Key
103 Downloads
6 Downloads in last 6 months
App
Utility

Create LEF From Folders Using Logical and UNC Path

Creates an EnCase logical evidence file from the contents of one or more folders specified by the user.
By Simon Key
8873 Downloads
4 Downloads in last 6 months
App
Utility

Create Result Set Excluding Unwanted Items

Allows the examiner to create a result-set that excludes unwanted items by way of them having a 'known' hash value or other undesirable properties (name, size, file extension, etc).
By Simon Key
564 Downloads
3 Downloads in last 6 months
App
Utility

Create Result-Set From Responsive Items

This script is designed to create a result-set from both entries and records (artifacts) in a single pass.
By Simon Key
0 Downloads
0 Downloads in last 6 months
App
Utility

Create Result-Sets For Hash-Categories

This script creates result-sets for each of the hash-categories associated with active hash-sets contained in the current case's active hash library/libraries.
By Simon Key
485 Downloads
2 Downloads in last 6 months
App
Utility

Create Result-Sets For Specific Document-Types

This EnScript allows the examiner to create result-sets containing items matching user-specified file-types.
By Simon Key
5527 Downloads
6 Downloads in last 6 months
App
Utility

Credit Card Number Search With Luhn Verification

This script finds credit card numbers which are valid according to the Luhn test.
By Simon Key
377 Downloads
18 Downloads in last 6 months
App
Utility

DFLabs DIM Integration-NG

Created by DFLabs this EnScript enables you to add EnCase evidence and bookmark data to IncMan-NG suite.
By DFLabs SRL
113 Downloads
1 Downloads in last 6 months
App
Utility

DFLabs IncMan Integration-NG

This EnScript allows the user to upload remote node snapshot information from Sweep Enterprise into IncMan-NG the Incident Response Management from DFLabs.
By DFLabs SRL
102 Downloads
1 Downloads in last 6 months
App
Artifact

DS_Store Parser

This script parsers user-specified .DS_Store files created by Mac OS X. One of the most common reasons for wanting to examine these files is to determine the original name and path of files/folders in t...
By Simon Key
7686 Downloads
31 Downloads in last 6 months
App
Utility

Data Extraction Utility

This script is designed to extract one or more blocks of data from the file highlighted in the EnCase GUI.
By Simon Key
0 Downloads
0 Downloads in last 6 months
App
Utility

Deleted SQLite Database File Recovery

This script is designed to recover deleted database files last modified by SQLite version 3.7 or later.
By Simon Key
513 Downloads
26 Downloads in last 6 months
App
Utility

Detect Similar Text Content

The script uses ssdeep to help identify plagiarized content and/or forged documents.
By Simon Key
59 Downloads
1 Downloads in last 6 months
App
Reporting

Drive Space Audit

This EnScript will audit the space of all devices in the case. A table will be built in the bookmarks tab as a summary to show usage of devices in the case.
By James Habben
1277 Downloads
7 Downloads in last 6 months
App
Utility

Dumpkeychain

Dumpkeychain is a Windows utility for decrypting credentials from Mac OS X system and user keychains given the associated system-key-file or keychain-password respectively.
By Simon Key
2384 Downloads
38 Downloads in last 6 months
App
Reporting

E-mail Address Finder

This EnScript will locate, bookmark, and count all unique e-mail addresses in a case.
By Ryan Jay Ollerenshaw
1658 Downloads
32 Downloads in last 6 months
App
Utility

EMLX to EML Mail Converter

Convert Apple Mail EMLX files to EML/MBOX format, which can be then read by other e-mail clients and processed by EnCase.
By Simon Key
1433 Downloads
6 Downloads in last 6 months
App
Utility

EVF2 Evidence-File Segment Extraction Utility

This is a proof-of-concept EnScript designed to extract data from one or more EVF2 evidence-file segments in the event of a hardware or software failure.
By Simon Key
46 Downloads
6 Downloads in last 6 months
App
Artifact

EVTX Log Entry Finder

This EnScript bookmarks deleted event-log records from Microsoft Windows EVTX files.
By Simon Key
1030 Downloads
15 Downloads in last 6 months
App
Incident Response

EnCase Integrated Threat Toolkit (EITT)

EnCase Integrated Threat Toolkit (EITT) is a GUI interface and aggregate for a number of EnCase® Enterprise functions and over 15 open source tools designed to assist in DFIR investigations.
By Guidance Software
2052 Downloads
49 Downloads in last 6 months
App
Utility

EnDiff

This script allows an EnScript developer to quickly identify newly introduced classes, methods, and properties in EnCase.
By Simon Key
465 Downloads
2 Downloads in last 6 months
App
Utility

EnParse - 30-Day Free Trial

30-day free trial of EnParse. Find what is in multiple evidence files at once without full export, prepare useful reports for clients.
By Manishaben-Chovatiya
961 Downloads
21 Downloads in last 6 months
App
Utility

EnScript Editor Utilities Plugin

This plugin adds a number of enhancements to the EnScript editor window.
By Simon Key
68 Downloads
1 Downloads in last 6 months
App
General

EnScript Finder

This helpful EnScript lets you search all your downloaded EnScripts and either launch them or open the folder where they were found.
By Guidance Software
641 Downloads
10 Downloads in last 6 months
App
Incident Response

EnScript to send file metadata directly to Splunk

EnCase EnScript to send data directly to SPLUNK for IR, Investigations and Timelines.
By Lance Mueller
670 Downloads
3 Downloads in last 6 months
App
Utility

Encryption Finder

Scans evidence files and devices for known encryption markers.
By Graham Jenkins
635 Downloads
11 Downloads in last 6 months
App
Utility

Endpoint Investigator Network Utility Plugin

This is an Endpoint Investigator Network Utility plugin that allows the examiner to import one or more network-nodes or IP-ranges from a nominated tab-delimited text-file in MS Windows format. It can al...
By Simon Key
0 Downloads
0 Downloads in last 6 months
App
Utility

Endpoint Investigator Snapshot Scanner

This script is designed to validate the prescence of EnCase Endpoint Investigator agents running on multiple endpoints.
By Simon Key
77 Downloads
3 Downloads in last 6 months
App
Utility

Endpoint Security Registry Value Extractor

This script is designed to extract Registry values from one or more result-LEFs created by EnCase Endpoint Security. It  will process all Lx01 and L01 evidence files in the folder specified by the user.
By Simon Key
8 Downloads
3 Downloads in last 6 months
App
Utility

Evidence File Converter

EnScript converts blue-checked EnCase evidence files in the evidence tab to bitstream, dd-type disk images with the option to use the Apple multi-part DMG naming convention.
By Simon Key
1026 Downloads
15 Downloads in last 6 months
App
Artifact

Exif GPS Information Reader

Search for, bookmark, and decode Exif metadata with the option to view GPS coordinates in Google Earth.
By Simon Key
2498 Downloads
22 Downloads in last 6 months
App
Artifact

Exif Viewer Plugin

The is a self-installing application plugin that enables the user to right-click on HEIC and JPEG files in order to view and bookmark the Exif metadata contained therein.
By Simon Key
3179 Downloads
36 Downloads in last 6 months
App
Utility

Export Result-Set to Project VIC

This script is designed to extract a user-specified result-set to a Project VIC data-set.
By Simon Key
103 Downloads
6 Downloads in last 6 months
App
Utility

Export and Bookmark Files Based On Extension

Use this EnScript to extract files into separate folders based on extension. The script will create a tab-delimited index file containing the file-system metadata specified by the examiner. Detects and ...
By Simon Key
4642 Downloads
8 Downloads in last 6 months
App
Utility

Export by Extension

Export files based on extension
By Lance Mueller
879 Downloads
9 Downloads in last 6 months
App
Utility

Extract Block Data Excluding Headers

This script is designed to assist the examiner to extract files from block-based storage structures where each block has a fixed length and is preceded by a header also having a fixed length.
By Simon Key
32 Downloads
3 Downloads in last 6 months
App
Utility

Extract Bookmarked Items With Bookmark Folder Path

This EnScript extracts selected bookmarked items to a nominated folder whilst preserving the bookmark-folder path. The examiner can opt to extract e-mail records as MSG.
By Simon Key
312 Downloads
3 Downloads in last 6 months
App
Utility

Extract Selected Folders in Current View

This script is designed to extract selected folders in the current view to a nominated export folder. Only folders that contain one or more child objects will be processed. Files themselves will not be ...
By Simon Key
52 Downloads
2 Downloads in last 6 months
App
Artifact

Facebook MSG Finder

This Enscript will find FaceBook artifacts in tagged files and create a detailed bookmark.
By Ryan Jay Ollerenshaw
672 Downloads
5 Downloads in last 6 months
App
Utility

File Block Hash Map Analysis

This EnScript uses block-based hash analysis in order to locate and recover one or more target files in circumstances where other methods are likely to fail.
By Simon Key
779 Downloads
5 Downloads in last 6 months
App
Utility

File Description and Extension Tally

Provides a tally of the total number and size of items with a particular extension or description.
By Simon Key
137 Downloads
12 Downloads in last 6 months
App
Utility

File Directory Listing

This EnScript creates a directory listing of all items in the case and makes a .CSV file.
By Joshua Clevenger
1202 Downloads
11 Downloads in last 6 months
App
Utility

File Exporter

This program exports files from the current Entry or Results view based upon user selected criteria.
By Karl Winrow
1231 Downloads
42 Downloads in last 6 months
App
Utility

File Properties

File Properties is a script to easily cut/paste properties on selected files to your investigation report without using bookmarks.
By Guidance Software
510 Downloads
10 Downloads in last 6 months
App
Utility

File Remediator

FileRemediator uses EnCase's built-in wiping function to target and wipe individual files and folders on a local device and then create all the necessary logs.
By Thomas Plunkett
234 Downloads
5 Downloads in last 6 months
App
Utility

FileHash2SQLite

Map File Hashes to Case Numbers and Examiners using an SQLite database
By Greg Farnham
233 Downloads
2 Downloads in last 6 months
App
Utility

Find E-Mail Attachments By Extension

Finds e-mail attachments with file-extensions specified by the examiner. Searches archive attachments (including nested archives) by default.
By Simon Key
1367 Downloads
8 Downloads in last 6 months
App
Utility

Find Entries by Hash Category Plus (EnFilter)

This is a modified version of the v7.08 Filter in EnCase to Find Entries by Hash Category
By James Gagen
5279 Downloads
4 Downloads in last 6 months
App
Artifact

Find IPV4 Addresses

Finds valid unique IPV4 addresses in ANSI/ASCII and Unicode text-formats.
By Simon Key
362 Downloads
21 Downloads in last 6 months
App
Utility

Find Unique Records by Hash (EnFilter)

This is a modified version of the Filter in EnCase to Find Unique Entries by Hash, I have modified the filter to work on records and will match on the MD5 hash.
By James Gagen
969 Downloads
11 Downloads in last 6 months
App
Artifact

Find and Parse Prefetch Files in Unallocated

This EnScript searches unallocated clusters for deleted prefetch data. If found, the EnScript will parse out the name of the executable, last run time and run count.
By Lance Mueller
1392 Downloads
5 Downloads in last 6 months
App
Utility

Flat File Export

This script is designed to copy tagged items into a single output-folder and report-on user-specified properties in the process.
By Simon Key
126 Downloads
10 Downloads in last 6 months
App
Utility

GPT Partition Parser

This EnScript locates and bookmarks GPT partition-table information from devices in the current case.
By Simon Key
287 Downloads
9 Downloads in last 6 months
App
General

Generate ED2K Hash Values

This EnScript will generate ED2K hash values for the purpose of comparing them to some known bad files based on those ED2K hash values.
By Lance Mueller
424 Downloads
10 Downloads in last 6 months
App
Utility

Generic ESE Database Table Parser

This script will attempt to parse one or more tables from Extensible Storage Engine (ESE) database files specified by the user.
By Simon Key
101 Downloads
5 Downloads in last 6 months
App
Utility

Generic SQLite Database Parser

This script allows one or more pre-defined queries to be run across SQLite database files with names matching those specified.
By Simon Key
415 Downloads
13 Downloads in last 6 months
App
Utility

Generic XML Viewer Plugin

Use an extended context-menu option to view and bookmark data contained within XML files.
By Simon Key
447 Downloads
5 Downloads in last 6 months
App
Artifact

GigaTribe Download State Information Finder

The GigaTribe Download State Information Finder searches for information stored whilst a download is progressing on a GigaTribe user's computer.
By Simon Key
6070 Downloads
2 Downloads in last 6 months
App
Artifact

GigaTribe V3 Chat Parser

Locates and parses chat records originating from GigaTribe V3 chat-log files.
By Simon Key
673 Downloads
2 Downloads in last 6 months
App
Utility

HEIC Image Viewer Plugin

This plugin is designed to view the HEIC file currently highlighted in the GUI, including Exif metadata. GPS coordinates can be displayed using Google Maps.
By Simon Key
282 Downloads
62 Downloads in last 6 months
App
Utility

HEIC, KTX and WebP Image File Converter

This script is designed to convert KTX files to PNG; also, HEIC and WebP files to JPG.
By Simon Key
345 Downloads
28 Downloads in last 6 months
App
Artifact

HFS Journal Parser

HFS Journal Parser finds and parses Catalog file record in HFS+/HFSX .journal file.
By Teru Yamazaki
1012 Downloads
8 Downloads in last 6 months
App
Incident Response

Hacker Offender

This app is designed to discover files that are hidden by rootkits. It will place all detected files into a LEF for further analysis. This may include the malware and additional files deemed important b...
By James Habben
1290 Downloads
3 Downloads in last 6 months
App
Utility

Has Attachment by Category (EnFilter)

This filter works on Records in email and will return Records with Attachments that match the selected category. The Source of the filter can be viewed to see the changes made.
By James Gagen
597 Downloads
3 Downloads in last 6 months
App
Utility

Hash Calculator Plugin

This EnScript plugin calculates a number of different hash values, either for complete files, or for a range of data. Hash values can be submitted to Virus Total automatically.
By Simon Key
580 Downloads
27 Downloads in last 6 months
App
Utility

Hash Library Viewer

This script allows the examiner to view, bookmark and extract the contents of the current case's hash library.
By Simon Key
97 Downloads
4 Downloads in last 6 months
App
Utility

Hash List Builder

Generate a matching file set for blue checked items that have had their MD5 hashes processed for import into EnCase Endpoint Security.
By John Lukach
976 Downloads
2 Downloads in last 6 months
App
Utility

Hash List Importer

This EnScript is designed to create a new EnCase hash-library from a list of hashes in tab-delimited format, or from an NSRL hash-set.
By Simon Key
2449 Downloads
13 Downloads in last 6 months
App
Artifact

Identify and Extract Date & Time Changes

EnScript to identify 4616 events (date and time change) that exceed a user specified number of minutes allowing the user to quickly discard Time Server syncs.
By Lynette Goh
349 Downloads
7 Downloads in last 6 months
App
Utility

Index and Extract Mounted Archives

This script is designed to index mounted archive files and their contents relative to the case as a whole; also, to filter and extract this data into a logical evidence file (LEF) so it can be viewed as...
By Simon Key
31 Downloads
4 Downloads in last 6 months
App
Reporting

Inventory

Hash and parse all your case files to create an inventory of your cases.
By James Habben
504 Downloads
4 Downloads in last 6 months
App
Utility

Item Ancestor Resolution

This script allows the examiner to identify the ancestors (emails, etc.) of items in a given result-set so they can be bookmarked and/or extracted.
By Simon Key
41 Downloads
2 Downloads in last 6 months
App
Utility

JPEG File Exporter

This app will export tagged jpeg image files and add the jpeg extension to the exported file.
By Ryan Jay Ollerenshaw
991 Downloads
7 Downloads in last 6 months
App
Artifact

JPEGSnoop

View EXIF metadata found in JPEG images within EnCase-- no need for a third-party application to view GPS coordinates, camera make and model, etc.
By Casimer Szyper
2319 Downloads
47 Downloads in last 6 months
App
Utility

JSON Viewer Plugin

This EnScript plugin allows the user to view and bookmark application data stored in JavaScript Object Notation JSON files.
By Simon Key
5380 Downloads
11 Downloads in last 6 months
App
Reporting

Keyword Search and Proximity Extract

Keyword search and proximity extract is designed to do Fuzzy string extraction by grouping relevant string fragments together.
By Jacques Malan
401 Downloads
4 Downloads in last 6 months
App
Utility

Keyword Search with Range Bookmarking

This EnScript allows the user to perform a raw or transcript keyword search of entries and records, and bookmark a user-specified range of bytes before and after each search-hit.
By Simon Key
1583 Downloads
4 Downloads in last 6 months
App
Utility

Known _met Search and Parse

This EnScript will search all tagged items for known.met record fragments from eMule 0.5.
By William Lynn
783 Downloads
3 Downloads in last 6 months
App
Artifact

Link File & Jump List Parser

This EnScript parses recent file-system activity from Microsoft Windows shortcut-link and jump-list files.
By Simon Key
12346 Downloads
40 Downloads in last 6 months
App
Artifact

Logon Banner and Text (from SYSTEM registry hive file)

This is an EnScript that extracts and bookmarks the local logon banner and logon text. Verifies corporate policies, such as "further used denotes no expectation of privacy".
By Thomas Hilk
151 Downloads
5 Downloads in last 6 months
App
Utility

Low Hanging Fruit

Low Hanging Fruit Please extracts file name path and MD5 to a SQLite database that also contains an Item Moniker data for each entry.
By John Lukach
1258 Downloads
2 Downloads in last 6 months
App
Utility

MACE Timeline

This script will provide a clean view of computer activity by creating a chronological report of file-system metadata.
By James Habben
1878 Downloads
6 Downloads in last 6 months
App
General

MFT Date Comparator

This script is designed to identify potentially suspect files by analyzing timestamp differences in the NTFS MFT standard information and filename attributes of each file.
By Simon Key
856 Downloads
7 Downloads in last 6 months
App
Utility

MFT Record Bookmark Plugin

This plugin has been designed as primarily as a classroom aid to assist in the examination of MFT records and their component sections (MFT-record attributes).
By Simon Key
97 Downloads
4 Downloads in last 6 months
App
Artifact

MP4, MOV, M4A and HEIC File Carver

This EnScript is designed to carve MP4, MOV, M4A and HEIC files as defined by the ISO base media file format, ISO/IEC 14496-12.
By Simon Key
210 Downloads
16 Downloads in last 6 months
App
Artifact

Mac OS X AutoLogin Password Decoder

This is a small utility that will decrypt the user-password for a user set to to automatically log-in to a Mac OS X system.
By Simon Key
7370 Downloads
12 Downloads in last 6 months
App
Artifact

Mac OS X BinaryCookie File Parser

This script parsers user-specified Mac OS X binary cookie files. Output is by way of bookmarks and a tab-delimited spreadsheet file.
By Simon Key
903 Downloads
1 Downloads in last 6 months
App
Artifact

Mac OS X Log Entry Finder

This script searches user-specified Mac OS X plaintext log-files for log-entries containing one or more keywords.
By Simon Key
1022 Downloads
3 Downloads in last 6 months
App
Artifact

Mac OS X OpenBSM Audit Log Parser

This EnScript parses Mac OS X OpenBSM audit-logs, which although deprecated, may still contain details of events relating to audit-control, user-logon and group/user creation/modification/deletion.
By Simon Key
593 Downloads
18 Downloads in last 6 months
App
Artifact

Mac OS X Outlook Mail Converter

This EnScript is designed to convert Microsoft Outlook *.olk14MsgSource and *.olk15MsgSource message-files to EML files and a logical evidence file that can be processed by EnCase.
By Simon Key
6621 Downloads
14 Downloads in last 6 months
App
Artifact

Mac OS X Previous Versions Chunk Storage Parser

Certain Mac OS X applications support the storage of previous versions of files. This EnScript will recover those files and write them to a logical evidence file so that they can be examined.
By Simon Key
8509 Downloads
4 Downloads in last 6 months
App
Artifact

Mac OS X QuickLook Thumbcache Parser

Extracts thumbnail images from Mac OS X QuickLook thumbnail cache files.
By Simon Key
6741 Downloads
26 Downloads in last 6 months
App
Artifact

Mac OS X Time Machine Parser

This EnScript allows the examiner to resolve the backup paths of blue-checked files in a Mac OS X Time Machine volume without having to make a copy of the volume available to a Macintosh computer.
By Simon Key
6507 Downloads
5 Downloads in last 6 months
App
Artifact

MacOS Var-Folders Name Converter

This script decodes the UUID and UID from the names of sub-folders under /private/var/folders in MacOS.
By Simon Key
38 Downloads
2 Downloads in last 6 months
App
Reporting

Manfreds Berichtsvorlage (NSRL 2.49)

Dieses umfassende Berichtstemplate kann als Basis für Ihre eigene Vorlage dienen. Sie ist sehr umfangreich und enthält Bookmark-Verzeichnisse für die häufigsten Topics Ihrer Unter...
By Manfred Hatzesberger
63 Downloads
1 Downloads in last 6 months
App
Reporting

Manfred's Comprehensive Case Template

This template may serve you as basis for your own specific template and includes many Bookmark folders for often encountered topics during your exams.
By Manfred Hatzesberger
420 Downloads
2 Downloads in last 6 months
App
Reporting

Manfred's Comprehensive Case Template (NSRL 2.49)

This template may serve you as basis for your own specific template and includes many Bookmark folders for often encountered topics during your exams.
By Manfred Hatzesberger
161 Downloads
1 Downloads in last 6 months
App
Utility

Matching File Analysis

This script is designed to locate one or more files from a known set. It works with records as well as entries.
By Simon Key
82 Downloads
4 Downloads in last 6 months
App
Artifact

Matching File Creator

This EnScript allows the examiner to tag items of interest and export a tab-delimited CSV file with the name, MD5 hash value, and logical size of the selected tags.
By Joseph Gaval
114 Downloads
2 Downloads in last 6 months
App
Incident Response

MemoryAnalysis

Process Windows, Linux, and OS X memory images and find running processes, parents, create dates, and more.
By Casimer Szyper
3619 Downloads
16 Downloads in last 6 months
App
Artifact

Messenger Protocol Fragments

A script to search for protocol fragments of MSN Messenger (or MSN Live Messenger) chat.
By Paul Eric Tew
1049 Downloads
1 Downloads in last 6 months
App
Utility

Microsoft Word ASD Document Viewer

This EnScript plugin allows Autosave Document (ASD) files to be extracted and opened with Microsoft Word.
By Simon Key
643 Downloads
32 Downloads in last 6 months
App
Utility

Multiple Date Range Filter - Entries Only (EnFilter)

This EnScript filter allows the examiner to show/hide entries using multiple date-ranges and one of four different logic options.
By Simon Key
188 Downloads
12 Downloads in last 6 months
App
Incident Response

NETSH Packet Capture

NETSH Packet Capture allows network traffic sniffing on Microsoft Windows 7 and newer machines using natively installed NETSH with a Servlet with Remediation from EnCase Endpoint Security.
By John Lukach
331 Downloads
1 Downloads in last 6 months
App
Artifact

NTFS Index Buffer Reader

This script is designed to parse the contents of NTFS index buffers.
By Simon Key
83 Downloads
3 Downloads in last 6 months
App
Artifact

NTFS $UsnJrnl Parser

This EnScript allows the user to parse valuable information logging NT file-system operations including time files that have been created, deleted and renamed.
By Simon Key
15567 Downloads
33 Downloads in last 6 months
App
Reporting

NirSoft ESEDatabaseView Plugin

This plugin provides an interface to the NirSoft ESEDatabaseView executable so as to provide centralized reporting of Extensible Storage Engine (ESE, aka Jet Blue) databases through the use of bookmarks...
By John Lukach
645 Downloads
2 Downloads in last 6 months
App
Artifact

Nokia Lumia 610 SMS

This script will parse out SMS from a Nokia Lumia 610 mobile phone binary dump.
By Karl Winrow
359 Downloads
1 Downloads in last 6 months
App
Utility

Office 2007 Metadata Processor

Reads internal document metadata from Microsoft Office 2007 and later documents.
By Simon Key
156 Downloads
4 Downloads in last 6 months
App
Utility

Office 97-2003 Metadata Processor

This EnScript parses metadata from Microsoft Office documents of the format used prior to Office 2007.
By Simon Key
5386 Downloads
6 Downloads in last 6 months
App
Utility

OfficeRecovery 2013 Ultimate - Trial Version

Repair and examine the contents of corrupted files in collected evidence. Word Excel digital images and dozens of other formats are supported.
By Recoveronix Software
581 Downloads
1 Downloads in last 6 months
App
General

Old School Search Hit Viewer

The Old School Search Hit Viewer will display search hits in a table; the hits are highlighted with a user-specified amount of context visible around the search hit.
By Kimberly Stone
399 Downloads
1 Downloads in last 6 months
App
Artifact

Outlook PST & OST Deleted File Recovery

This script is designed to recover deleted PST/OST files.
By Simon Key
413 Downloads
6 Downloads in last 6 months
App
Artifact

PDF File Finder

This script is designed to find deleted PDF files using the header, '%PDF-#.#' (GREP), and the footer, '%%EOF'.
By Simon Key
135 Downloads
3 Downloads in last 6 months
App
Artifact

PE Examiner

Parse single or multiple .EXE files and extract all information encoded into the PE (COFF) header. Also works on memory dumps or unallocated space.
By Casimer Szyper
1126 Downloads
4 Downloads in last 6 months
App
Artifact

Parse $I $Recycle.Bin Files

This script parses the original path, logical size, and date-deleted information from $I $Recycle.Bin files.
By Simon Key
345 Downloads
48 Downloads in last 6 months
App
Artifact

Parse MemProcFS UserAssist Files

This script parses UserAssist Registry values made available by the MemProcFS memory anaysis tool.
By Simon Key
13 Downloads
2 Downloads in last 6 months
App
Artifact

Parse PE Executable for String Resources

This EnScript specifically targets a resource known as "VS_VERSION_INFO" which contains metadata about the specific executable, including the manufacturer name, original filename, version info and ot...
By Lance Mueller
581 Downloads
2 Downloads in last 6 months
App
Artifact

Parse Wireless Access Points in Vista, Win7, & Win8

EnScript to extract & display information about wireless networks that have been connected to. Supports analysis of Windows Vista, 7 & 8.
By Lance Mueller
1131 Downloads
1 Downloads in last 6 months
App
Artifact

Parse the setupapi.dev.log of USBs

This EnScript will parse the setupapi.dev.log (Windows Vista/7) for USB connected events and display this in the console tab
By Jordan venderBuhs
2376 Downloads
9 Downloads in last 6 months
App
Artifact

Plist Parser

This EnScript allows the examiner to bookmark and parse multiple Apple property-list (plist) files.
By Simon Key
7541 Downloads
31 Downloads in last 6 months
App
Artifact

Plist Viewer Plugin

Use an extended context-menu option to bookmark, decode and extract data contained in Apple property list (.plist) files; automatically view plist files embedded in other plist files.
By Simon Key
8755 Downloads
9 Downloads in last 6 months
App
Utility

Pre-Evidence Processing Tasks

Quickly gather needed information before Evidence Processing.
By Tim Taylor
1289 Downloads
4 Downloads in last 6 months
App
Artifact

Prefetch Dump (PFDump)

This EnScript parses application usage information stored in Microsoft Windows prefetch files. This version supports Window XP through Windows 10 and includes a run-count and one or more last-run dates.
By Simon Key
9139 Downloads
20 Downloads in last 6 months
App
Artifact

Prefetch File Recovery

This script is designed to find deleted prefetch files in both compressed and uncompressed formats.
By Simon Key
184 Downloads
3 Downloads in last 6 months
App
Artifact

Print Spool - SHD & SPL Parser

This EnScript extracts and bookmarks the admin data from the printer shadow files and bookmarks EML print data from the printer spool files.
By Lynette Goh
1582 Downloads
35 Downloads in last 6 months
App
Utility

Quick Base64 Decoder

The script is designed to quickly decode Base64-encoded data.
By Simon Key
76 Downloads
4 Downloads in last 6 months
App
Utility

Quick Bookmark Folders

Quickly make bookmark folders for each device in your case. Automate making bookmark folders and subfolders for each device in your case. Along with bookmarking each device and each volume in the cas...
By Brett Liddicoet
275 Downloads
1 Downloads in last 6 months
App
Utility

Quick Registry Browser

Allows the examiner to quickly view data in the highlighted Registry file.
By Simon Key
212 Downloads
10 Downloads in last 6 months
App
Utility

Quick View OST and PST Files and Extract to MSG

This script will attempt to mount the highlighted PST/OST file and display its contents so that messages can be previewed and/or extracted to *.MSG files.
By Simon Key
210 Downloads
5 Downloads in last 6 months
App
Artifact

RDP Cached Bitmap Extractor

This EnScript parses bitmap data cached by the Microsoft Windows Terminal Services (Remote Desktop Protocol - RDP) client.
By Simon Key
2281 Downloads
39 Downloads in last 6 months
App
Utility

Record LEF to Entry LEF Converter

This script converts logical evidence files (LEFs) containing records to ones containing entries. It may prove useful when working with applications that can't open record-LEFs.
By Simon Key
0 Downloads
0 Downloads in last 6 months
App
Utility

Record to Excel

Use Record2Excel to export records to Microsoft Excel. This script works with any records list which can be tagged. It will export all record properties (fields values) to Excel. Requires Microsoft E...
By Guidance Software
484 Downloads
1 Downloads in last 6 months
App
Utility

RegRipper Launcher

This EnScript runs RegRipper directly from EnCase. Automatically bookmark results or load them in a Microsoft Word / Open Office document. Requires RegRipper.
By Guidance Software
2619 Downloads
92 Downloads in last 6 months
App
Artifact

Registry Files Exporter

Export Windows Registry files from Windows OS
By Isaac Lee
1490 Downloads
7 Downloads in last 6 months
App
Utility

Registry Viewer Plugin

This script allows the examiner to to use a right-click context-menu-option or keyboard shortcut to view Registry hive files (SYSTEM, SOFTWARE, SECURITY, SAM, NTUSER,DAT, etc.).
By Simon Key
828 Downloads
35 Downloads in last 6 months
App
Utility

Remote Agent Deployment

This EnScript allows the user to remotely deploy agents across their enterprise.
By Guidance Software
952 Downloads
7 Downloads in last 6 months
App
Utility

Retention Analyzer

Calculates the volume based on logical size in bytes per month based on MAC times for an eight year time frame that are not tagged as 'Known'.
By John Lukach
554 Downloads
3 Downloads in last 6 months
App
Utility

Run Condition As Filter

This download consists two filters designed to make it easier to locate, edit, and launch conditions from multiple locations. They also make it easier to create modified copies of the conditions that...
By Simon Key
174 Downloads
7 Downloads in last 6 months
App
Artifact

SEEB USB - Mounted Devices Report

Script will create detailed Excel, CSV, console & bookmark reports on Mounted, USB, portable devices found in the registry and setupapi logs.
By Brian Jones
3758 Downloads
14 Downloads in last 6 months
App
Utility

SQLite Blob Extractor

This script is designed to extract BLOB-data from SQLite database files.
By Simon Key
1135 Downloads
38 Downloads in last 6 months
App
Artifact

SQLite Free-Page Parser

This EnScript is designed to read and decode unused pages from SQLite database files, pages that may contain deleted data.
By Simon Key
239 Downloads
6 Downloads in last 6 months
App
Utility

SQLiteQuery

Allows SQL querying of all SQLite databases from within EnCase.
By Doug Collins
1849 Downloads
10 Downloads in last 6 months
App
Artifact

SRUM Database Parser

This EnScript parses the System Resource Usage Monitor (SRUM) ESE database, SRUDB.dat, which is located in the %SYSTEMROOT%\System32\sru folder
By Simon Key
427 Downloads
30 Downloads in last 6 months
App
Artifact

Safari Evidence Processor Module

This is a self-installing Evidence Processor module that parses macOS Safari web-browser data.
By Simon Key
5580 Downloads
3 Downloads in last 6 months
App
Utility

Safari Form Values Decryptor For Windows (SFVDWIN)

Use this tool to extract the autofill form values from the encrypted Form Values plist that Safari uses. It requires the user's keychain and associated password to decrypt the data.
By Simon Key
5812 Downloads
2 Downloads in last 6 months
App
Artifact

SafariTabs.db Parser

This script parses the records from the bookmarks table in SafariTabs.db SQLite database files.
By Simon Key
188 Downloads
7 Downloads in last 6 months
App
Artifact

Search For Valid Bitcoin Addresses

This EnScript searches entries and records for valid BitCoin addresses.
By Simon Key
662 Downloads
8 Downloads in last 6 months
App
Utility

Search Hits Preview

This EnScript creates a search hit preview file that can be imported into Excel.
By Ryan Jay Ollerenshaw
359 Downloads
2 Downloads in last 6 months
App
Utility

Search and Bookmark Specific Data Types

This EnScript allows the examiner to search for one or more keywords and bookmark the resultant search-hits using specific data-types (picture, ROT13, low ASCII, hex, etc).
By Simon Key
6873 Downloads
3 Downloads in last 6 months
App
Utility

Serialized Property Storage (SPS) Reader

This script decodes one or more values stored in Serialized Property Storage (SPS) format.
By Simon Key
26 Downloads
1 Downloads in last 6 months
App
Artifact

ShellBags Parser

Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key
875 Downloads
16 Downloads in last 6 months
App
Artifact

ShimCache Parser

This EnScript mounts all SYSTEM registries found in the current evidence, parses the Application Compatility Cache registry key and output the result onto the console, bookmarks and tab-delimited CSV...
By Isaac Lee
1282 Downloads
6 Downloads in last 6 months
App
Utility

Show or Hide Items with a Selected Tag

This Filter will enable the user to show or hide items based on the tag status.
By James Gagen
345 Downloads
1 Downloads in last 6 months
App
Utility

SimpleSearch

This EnScript searches for keywords in every open case and bookmarks the files.
By Iosif Dan Laszlo
725 Downloads
2 Downloads in last 6 months
App
Artifact

Skype Chatsync IP Addresses

This EnScript will parse out the IP addresses from Skype chatsync files and write them to the console as well as bookmark the artifacts.
By Lance Mueller
867 Downloads
3 Downloads in last 6 months
App
Artifact

Skype S4L Database Parser

This script parses cached messages and profile-information from the 'messagesv12' and 'profilecachev8' tables of Skype 's4l-*' SQLite-database files.
By Simon Key
162 Downloads
12 Downloads in last 6 months
App
Utility

Startup Manager

Startup Manager lets you select EnScripts and EnPacks to start automatically when EnCase starts.
By Carmona Pereyra
700 Downloads
4 Downloads in last 6 months
App
Artifact

SysTools Outlook Exporter v2.2 (Demo Version)

SysTools Outlook Exporter is an EnCase plugin which allows you to export email evidence found with EnCase forensic to an Outlook (.pst) file WITHOUT Outlook.
By SysTools Software
306 Downloads
1 Downloads in last 6 months
App
Utility

System Snap Shot

System Snap Shot collects information regarding software used, system settings, user names, last login information, and connections made that would allow data to be moved off the machine.
By Jordan venderBuhs
215 Downloads
2 Downloads in last 6 months
App
Incident Response

Team Cymru Malware Hash Registry Search

Review evidence files to assist in learning if any might correspond to malware.
By Jeffrey Savoy
947 Downloads
7 Downloads in last 6 months
App
Incident Response

ThreatAnalyzer Automation Toolkit

ThreatAnalyzer provides best in class dynamic file analysis which enables the investigator to quickly determine any behaviors a given file sample may exhibit.
By Cisco Systems
299 Downloads
4 Downloads in last 6 months
App
Utility

ThreatGRID Malware Analysis and Intelligence for EnCase

Threat Grid Malware Analysis and Intelligence for EnCase® provides direct integration with Threat Grid, the first unified malware analysis and threat intelligence solution. Threat Grid provides i...
By Cisco Systems
798 Downloads
10 Downloads in last 6 months
App
Artifact

Thumbcache Parser

This script parses the thumbcache_*.db files used to store thumbnail images generated as a result of viewing pictures in Windows Explorer under Windows Vista, 7, 8/8.1 and 10.
By Simon Key
902 Downloads
13 Downloads in last 6 months
App
Artifact

Timezone Info Prior to Processing

This EnScript allows the Examiner to determine the timezone settings of each device prior to running the EnCase Evidence Processor.
By Jamey Tubbs
1884 Downloads
15 Downloads in last 6 months
App
Utility

UNC Path Preview and Acquire

Use this script to preview the files and folders on a remote share using a UNC path. Specific user credentials can be supplied where necessary.
By Simon Key
6680 Downloads
4 Downloads in last 6 months
App
Artifact

URL and Windows File-Path Finder

This script is designed to locate URLs and Windows file-paths containing one or more keywords.
By Simon Key
6 Downloads
3 Downloads in last 6 months
App
Reporting

Umfassende Berichtsvorlage

Dieses umfassende Berichtstemplate kann als Basis für Ihre eigene Vorlage dienen. Sie ist sehr umfangreich und enthält Bookmark-Verzeichnisse für die häufigsten Topics Ihrer Unter...
By Manfred Hatzesberger
99 Downloads
1 Downloads in last 6 months
App
Utility

Unmount Compound File

This will add a right click option to unmount a compound file. This can be used to try a different password or just get rid of the additional items.
By James Habben
815 Downloads
3 Downloads in last 6 months
App
Artifact

User Assist Registry Value Decoder

Decodes data used by the Microsoft Windows operating system to populate each user's start menu with frequently used applications.
By Simon Key
636 Downloads
14 Downloads in last 6 months
App
Utility

UsnJrnl Record Keyword Search and Export to CSV

This script will prompt for a keyword from the user then search selected tagged items for that keyword.
By William Lynn
976 Downloads
1 Downloads in last 6 months
App
Utility

Utilities (aka Last Folder) Plugin

This is a utility plugin making it easier to open folders used for output, delete EnScript configuration files, create index queries, and select emails containing notable attachments (or vice versa).
By Simon Key
6546 Downloads
1 Downloads in last 6 months
App
Artifact

VSS Examiner

Quickly and easily identify and preserve data of interest in Microsoft Windows volume shadow copies.
By Simon-Key
14569 Downloads
10 Downloads in last 6 months
App
Utility

Video Split

This EnScript uses ffmpeg.exe to create thumbnail images from selected movies. The images are automatically made into a LEF file which can then be added to a case.
By Simon Key
404 Downloads
2 Downloads in last 6 months
App
Utility

View SQLite With WAL Plugin

Allows SQLite database files to be opened in conjunction with any write-ahead log (WAL) file.
By Simon Key
409 Downloads
25 Downloads in last 6 months
App
Utility

VirusShare Hash Library Creator

This script creates an EnCase hash-library from the VirusShare hash-lists available to download from https://virusshare.com.
By Simon Key
153 Downloads
8 Downloads in last 6 months
App
Incident Response

VirusShare.com Contextual Data

VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts samples of malicious code.
By John Lukach
541 Downloads
2 Downloads in last 6 months
App
Incident Response

VirusShare.com Hash Library

VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts samples of malicious code.
By John Lukach
1097 Downloads
19 Downloads in last 6 months
App
Incident Response

VirusShare.com Hash Sets

VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts samples of malicious code.
By John Lukach
946 Downloads
8 Downloads in last 6 months
App
Incident Response

VirusTotal Bookmark

This EnScript provides a quick automated way to tag files and then automatically submit their hash values to Virus Total for analyzing.
By Lance Mueller
561 Downloads
5 Downloads in last 6 months
App
Utility

Volatility Plugin

This EnScript is designed to facilitate easier use of Volatility in EnCase. It can be configured for any number of Volatility plugins and supports multithreading.
By Simon Key
272 Downloads
2 Downloads in last 6 months
App
Incident Response

Volatility Reporting Plugin

Volatility 2.4 Standalone executable integration with EnCase for centralized reporting of memory forensic results through the use of bookmarks.
By John Lukach
2052 Downloads
4 Downloads in last 6 months
App
Artifact

WebCacheV01.dat Internet History Decoder

This EnScript parses Internet history data from WebCacheV01.dat files. This includes the Internet history data generated by the Microsoft Internet Explorer and Edge web-browser programs.
By Simon Key
9396 Downloads
71 Downloads in last 6 months
App
Artifact

Webpage Rebuilder

This script will export and rebuild tagged records into a local file to view with a browser.
By James Habben
1959 Downloads
3 Downloads in last 6 months
App
General

What's New In App Central

This EnScript will find any new or updated EnScripts at EnCase App Central.
By Guidance Software
556 Downloads
1 Downloads in last 6 months
App
Artifact

Windows 8 and 8.1 Mail Finder

Finds deleted e-mail messages originating from the Windows 8 and 8.1 Mail applications.
By Simon Key
475 Downloads
1 Downloads in last 6 months
App
Artifact

Windows Device Properties Parser

This script parses extended device-property information from Microsoft Windows SYSTEM Registry hive files.
By Simon Key
304 Downloads
17 Downloads in last 6 months
App
Utility

Windows Drive Letter Assignments

This EnScript is designed to identify Windows drive-letter assignments for volumes in the current case that have been identified as originating from fixed disks.
By Simon Key
9305 Downloads
19 Downloads in last 6 months
App
Artifact

Windows Event Log Export

This EnScript searches for pre-vista event log files (*.evt) and checks if they are flagged dirty.
By James Habben
1918 Downloads
4 Downloads in last 6 months
App
Utility

Windows Executable Packer Detection

Analyze Windows executables to detect known executable file-packers.
By James Habben
3212 Downloads
49 Downloads in last 6 months
App
Artifact

Windows Installed Application Parser

Parses installed-application information and displays it in a manner similar to Microsoft Windows.
By Simon Key
349 Downloads
9 Downloads in last 6 months
App
Artifact

Windows Live Mail to MBOX Converter

This script converts a Windows Live Mail e-mail store to a sequence of MBOX files in a logical evidence file that can be added to a case and processed in the usual way.
By Simon Key
5760 Downloads
2 Downloads in last 6 months
App
Artifact

Windows Local-User Login-Count Decoder

This script decodes the login-count for *local* user accounts stored in SAM Registry hive files in the current case.
By Simon Key
124 Downloads
6 Downloads in last 6 months
App
Artifact

Windows NTUSER.DAT Drive Letter Mappings

This is a simple script that extracts the drive-letter mappings from HKCU\Network.
By Simon Key
170 Downloads
9 Downloads in last 6 months
App
Artifact

Windows Network Profile Reader

This script parses network-profile information from the SOFTWARE Registry hive.
By Simon Key
152 Downloads
3 Downloads in last 6 months
App
Utility

Windows Quick View Plugin

This is an EnScript plugin that allows the examiner to quickly open evidence-items and embedded data using the default Windows viewer.
By Simon Key
711 Downloads
7 Downloads in last 6 months
App
Artifact

Windows Search Application Data Parser

This script parses data maintained by the Windows search function relating to recently-used applications and documents.
By Simon Key
203 Downloads
3 Downloads in last 6 months
App
Incident Response

Yara Scanner

The script is designed as an aid to scanning multiple files using one or more *.yar or *.yara files each containing one or more YARA rules.
By Simon Key
273 Downloads
35 Downloads in last 6 months
App
Utility

ZIP Index Entry Finder

This EnScript will search for, and bookmark, ZIP-file index-entries. It was designed for the recovery of data from deleted ZIP files (including MS Word *.DOCX files) that can't otherwise be recovered, e...
By Simon Key
547 Downloads
11 Downloads in last 6 months
App
Artifact

Zone-ID Parser

This script is designed to parse ‘Zone.Identifier’ alternate data streams, which are sometimes referred to as ‘Marks of the Web’ and can help to identify files downloaded from the Internet.
By Simon Key
114 Downloads
5 Downloads in last 6 months
App
Artifact

eMule User Hash and Clients.met Parser

This script parses eMule preferences.dat, client.met, and client.met.bak files.
By Simon Key
12 Downloads
4 Downloads in last 6 months
App
Artifact

eMule and eDonkey Known.met File Parser

This script will parse all eDonkey & eMule 'known.met' or 'known.met.bak' files or those that have been selected in the current view.
By Simon Key
209 Downloads
18 Downloads in last 6 months
App
Artifact

iChat Message Parser

This EnScript parses *.ichat messages of the type created by the Mac OS X Messages application.
By Simon Key
977 Downloads
26 Downloads in last 6 months
App
Artifact

macOS Bookmark Data Decoder

This script decodes macOS bookmark datastreams of the type found in macOS alias files and property-list files.
By Simon Key
44 Downloads
2 Downloads in last 6 months
App