EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

Categories

Utility

$Filename Attribute Dates of tagged file(s)

This EnScript will display the (8) eight NTFS time-stamps associated with each tagged file/folder in EnCase.
By Lance Mueller
1304 Downloads
45 Downloads in last 6 months
App
Artifact

APFS Date-Added Decoder

This script decodes the date-added timestamps present in the internal $Catalog file created by EnCase for APFS volumes.
By Simon Key
183 Downloads
31 Downloads in last 6 months
App
Utility

Active Directory Account Importer For Secure Storage

This script allows the examiner to import user and group accounts from Active Directory into EnCase.
By Simon Key
6059 Downloads
16 Downloads in last 6 months
App
Utility

Android Screen Unlock

This script is designed to remove basic PIN, password or pattern lock from a connected device. This method was tested and works on Android versions from Gingerbread (2.3) to Jelly Bean (4.1). The Consol...
By James Habben
6535 Downloads
2051 Downloads in last 6 months
App
Artifact

Apple System Log (ASL) File Parser

This EnScript parses user-specified Apple System Log (ASL) files in the current case. Output is by way of bookmarks and a tab-delimited spreadsheet file.
By Simon Key
6370 Downloads
14 Downloads in last 6 months
App
Artifact

Ares and Lime Pro Dat File Decryptor

This script will decrypt the data from the .dat files used by the Ares and Lime Pro P2P file trading programs.
By Simon Key
179 Downloads
27 Downloads in last 6 months
App
Artifact

Ares and Lime Pro Registry Report

This script decodes relevant values for Ares and Lime Pro NTUSER.DAT Registry keys.
By Simon Key
56 Downloads
6 Downloads in last 6 months
App
Utility

Assisted PST/OST Mounting in EnCase

The script assists in mounting Microsoft Outlook PST and OST files for use in EnCase.
By Jacques Malan
1115 Downloads
41 Downloads in last 6 months
App
Utility

Attribute and Field Helper Plugin

This plugin allows the examiner to view and bookmark the information shown under the Attributes and Fields tabs en-masse rather than on a per-file/folder basis.
By Simon Key
66 Downloads
3 Downloads in last 6 months
App
Artifact

AutoCAD DWG Summary Info Reader

This EnScript allows the examiner to read document summary information from AutoCAD DWG files. The script supports file-versions from 2004 to 2013.
By Simon Key
329 Downloads
22 Downloads in last 6 months
App
Artifact

BAM Registry Parser

This script Background Activity Moderator (BAM) Registry entries generated by later versions of Windows 10.
By Simon Key
209 Downloads
8 Downloads in last 6 months
App
Artifact

Binary Plist Finder

This script searches specified items for binary property-list (plist) files. It was designed primarily to recover plist files from unallocated clusters but can also be used to recover plists embedded in...
By Simon Key
6600 Downloads
5 Downloads in last 6 months
App
Artifact

BitTorrent Bencode File Finder

This EnScript can be used to find and decode bencoded files of the type used by several BitTorrent clients.
By Simon Key
362 Downloads
6 Downloads in last 6 months
App
Artifact

BitTorrent Bencode Viewer Plugin

This is an EnCase plugin that allows the examiner to view the bencoded files of the type used by many BitTorrent clients.
By Simon Key
249 Downloads
3 Downloads in last 6 months
App
Utility

Bookmark Filter Plugin

This self-installing plugin allows the user to select bookmarks matching a given condition. It is particularly useful when trying to identify bookmarks containing specific text in the comment.
By Simon Key
271 Downloads
7 Downloads in last 6 months
App
Artifact

Bookmark and Decode exFAT Directory Entries

This script bookmarks the exFAT directory-entries for the highlighted file/folder or selected files/folders in the current view; it is primarily designed to allow the examiner to view exFAT timestamps t...
By Simon Key
70 Downloads
5 Downloads in last 6 months
App
Utility

C-TAK (Cyber-Threat Analytics Knowledgebase) Trial Version

C-TAK provides examiners with accurate identification of cyber threats that may directly impact investigations. The C-TAK trial includes Keylogger, Rootkit and Trojan datasets built in.
By WetStone-Technologies-Inc-
211 Downloads
4 Downloads in last 6 months
App
Utility

CD Image Loader Plugin

This EnScript loads one or more CD/DVD-ROM ISO images into the current case. Supports multi-part images of the type created by FTK Imager.
By Simon Key
369 Downloads
8 Downloads in last 6 months
App
Artifact

CUPS Printer Control-File Parser

This script parses CUPS (Common UNIX Printing System) printer-control files of the type found on macOS.
By Simon Key
82 Downloads
5 Downloads in last 6 months
App
Utility

Case Analyzer and Sweep Enterprise Data Extraction

Use this script to batch-extract selected Case Analyzer and Sweep Enterprise reports to comma-delimited spreadsheets.
By Simon Key
154 Downloads
10 Downloads in last 6 months
App
Utility

Categorize & Bookmark by File Extensions

EnCase v7 EnScript to define criteria in a condition dialog and then bookmark those files into bookmark subfolders based on extensions
By Lance Mueller
576 Downloads
3 Downloads in last 6 months
App
Artifact

Chrome History Transition Parser

This script is designed to parse the transition field from records in the visits table of the Chrome/Chromium History SQLite database file.
By Simon Key
90 Downloads
18 Downloads in last 6 months
App
Utility

CompoundFileMounter (EnFilter)

This is a File Mounter. Like the V6 file mounter, but for V7 and to mount the files not included in the Evidence processor.
By James Gagen
1129 Downloads
10 Downloads in last 6 months
App
Utility

Comprehensive Case Template

This template may serve you as basis for your own specific template and includes many Bookmark folders for often encountered topics during your exams.
By Manfred Hatzesberger
478 Downloads
7 Downloads in last 6 months
App
Utility

Conditions Launcher

This EnScript will simultaneously run all the conditions from within a specific folder.
By Bartosz Kaczmarek
269 Downloads
3 Downloads in last 6 months
App
Utility

Contextual Data Builder

Importing customer contextual data enables you to integrate your enterprise or third-party database of whitelisted, blacklisted, and watchlisted hashes as you extract, transform, and load data to the an...
By John Lukach
293 Downloads
2 Downloads in last 6 months
App
Utility

Copy Files With Path

This script is designed to copy files (those that are entries) into a nominated folder and/or logical evidence file whilst still preserving each one's path. It will work in triage mode.
By Simon Key
23 Downloads
11 Downloads in last 6 months
App
Utility

Copy Web Browser Files

A simple script used to identify all browser history cookie and cache files in a case and copy them out for further processing using 3rd party tools.
By Paul Eric Tew
2463 Downloads
34 Downloads in last 6 months
App
Artifact

Cortana Search Decoder

Decodes the search terms stored in IndexedDB.edb files used by the Microsoft Windows Cortana search function.
By Simon Key
175 Downloads
6 Downloads in last 6 months
App
Utility

Create Hash Library From Multiple Hash Lists

This script is designed to create/update a hash library using the hash-values contained in one or more tab-delimited hash-list files with CR/LF line-endings.
By Simon Key
106 Downloads
5 Downloads in last 6 months
App
Utility

Create LEF From Folders Using Logical and UNC Path

Creates an EnCase logical evidence file from the contents of one or more folders specified by the user.
By Simon Key
8879 Downloads
7 Downloads in last 6 months
App
Utility

Create Result Set Excluding Unwanted Items

Allows the examiner to create a result-set that excludes unwanted items by way of them having a 'known' hash value or other undesirable properties (name, size, file extension, etc).
By Simon Key
568 Downloads
4 Downloads in last 6 months
App
Utility

Create Result-Set From Responsive Items

This script is designed to create a result-set from both entries and records (artifacts) in a single pass.
By Simon Key
6 Downloads
6 Downloads in last 6 months
App
Utility

Create Result-Sets For Hash-Categories

This script creates result-sets for each of the hash-categories associated with active hash-sets contained in the current case's active hash library/libraries.
By Simon Key
486 Downloads
1 Downloads in last 6 months
App
Utility

Create Result-Sets For Specific Document-Types

This EnScript allows the examiner to create result-sets containing items matching user-specified file-types.
By Simon Key
5529 Downloads
3 Downloads in last 6 months
App
Utility

Credit Card Number Search With Luhn Verification

This script finds credit card numbers which are valid according to the Luhn test.
By Simon Key
389 Downloads
12 Downloads in last 6 months
App
Utility

DFLabs DIM Integration-NG

Created by DFLabs this EnScript enables you to add EnCase evidence and bookmark data to IncMan-NG suite.
By DFLabs SRL
114 Downloads
1 Downloads in last 6 months
App
Utility

DFLabs IncMan Integration-NG

This EnScript allows the user to upload remote node snapshot information from Sweep Enterprise into IncMan-NG the Incident Response Management from DFLabs.
By DFLabs SRL
103 Downloads
1 Downloads in last 6 months
App
Artifact

DS_Store Parser

This script parsers user-specified .DS_Store files created by Mac OS X. One of the most common reasons for wanting to examine these files is to determine the original name and path of files/folders in t...
By Simon Key
7721 Downloads
48 Downloads in last 6 months
App
Utility

Data Extraction Utility

This script is designed to extract one or more blocks of data from the file highlighted in the EnCase GUI.
By Simon Key
6 Downloads
6 Downloads in last 6 months
App
Utility

Deleted SQLite Database File Recovery

This script is designed to recover deleted database files last modified by SQLite version 3.7 or later.
By Simon Key
529 Downloads
20 Downloads in last 6 months
App
Utility

Detect Similar Text Content

The script uses ssdeep to help identify plagiarized content and/or forged documents.
By Simon Key
63 Downloads
4 Downloads in last 6 months
App
Reporting

Drive Space Audit

This EnScript will audit the space of all devices in the case. A table will be built in the bookmarks tab as a summary to show usage of devices in the case.
By James Habben
1288 Downloads
11 Downloads in last 6 months
App
Utility

Dumpkeychain

Dumpkeychain is a Windows utility for decrypting credentials from Mac OS X system and user keychains given the associated system-key-file or keychain-password respectively.
By Simon Key
2440 Downloads
62 Downloads in last 6 months
App
Reporting

E-mail Address Finder

This EnScript will locate, bookmark, and count all unique e-mail addresses in a case.
By Ryan Jay Ollerenshaw
1673 Downloads
18 Downloads in last 6 months
App
Utility

EMLX to EML Mail Converter

Convert Apple Mail EMLX files to EML/MBOX format, which can be then read by other e-mail clients and processed by EnCase.
By Simon Key
1440 Downloads
8 Downloads in last 6 months
App
Utility

EVF2 Evidence-File Segment Extraction Utility

This is a proof-of-concept EnScript designed to extract data from one or more EVF2 evidence-file segments in the event of a hardware or software failure.
By Simon Key
51 Downloads
5 Downloads in last 6 months
App
Artifact

EVTX Log Entry Finder

This EnScript bookmarks deleted event-log records from Microsoft Windows EVTX files.
By Simon Key
1042 Downloads
18 Downloads in last 6 months
App
Incident Response

EnCase Integrated Threat Toolkit (EITT)

EnCase Integrated Threat Toolkit (EITT) is a GUI interface and aggregate for a number of EnCase® Enterprise functions and over 15 open source tools designed to assist in DFIR investigations.
By Guidance Software
2156 Downloads
119 Downloads in last 6 months
App
Utility

EnDiff

This script allows an EnScript developer to quickly identify newly introduced classes, methods, and properties in EnCase.
By Simon Key
465 Downloads
0 Downloads in last 6 months
App
Utility

EnParse - 30-Day Free Trial

30-day free trial of EnParse. Find what is in multiple evidence files at once without full export, prepare useful reports for clients.
By Manishaben-Chovatiya
997 Downloads
39 Downloads in last 6 months
App
Utility

EnScript Editor Utilities Plugin

This plugin adds a number of enhancements to the EnScript editor window.
By Simon Key
69 Downloads
1 Downloads in last 6 months
App
General

EnScript Finder

This helpful EnScript lets you search all your downloaded EnScripts and either launch them or open the folder where they were found.
By Guidance Software
662 Downloads
23 Downloads in last 6 months
App
Incident Response

EnScript to send file metadata directly to Splunk

EnCase EnScript to send data directly to SPLUNK for IR, Investigations and Timelines.
By Lance Mueller
672 Downloads
4 Downloads in last 6 months
App
Utility

Encryption Finder

Scans evidence files and devices for known encryption markers.
By Graham Jenkins
649 Downloads
15 Downloads in last 6 months
App
Utility

Endpoint Investigator Network Utility Plugin

This is an Endpoint Investigator Network Utility plugin that allows the examiner to import one or more network-nodes or IP-ranges from a nominated tab-delimited text-file in MS Windows format. It can al...
By Simon Key
1 Downloads
1 Downloads in last 6 months
App
Utility

Endpoint Investigator Snapshot Scanner

This script is designed to validate the prescence of EnCase Endpoint Investigator agents running on multiple endpoints.
By Simon Key
78 Downloads
1 Downloads in last 6 months
App
Utility

Endpoint Security Registry Value Extractor

This script is designed to extract Registry values from one or more result-LEFs created by EnCase Endpoint Security. It  will process all Lx01 and L01 evidence files in the folder specified by the user.
By Simon Key
8 Downloads
0 Downloads in last 6 months
App
Utility

Evidence File Converter

EnScript converts blue-checked EnCase evidence files in the evidence tab to bitstream, dd-type disk images with the option to use the Apple multi-part DMG naming convention.
By Simon Key
1035 Downloads
11 Downloads in last 6 months
App
Artifact

Exif GPS Information Reader

Search for, bookmark, and decode Exif metadata with the option to view GPS coordinates in Google Earth.
By Simon Key
2511 Downloads
18 Downloads in last 6 months
App
Artifact

Exif Viewer Plugin

The is a self-installing application plugin that enables the user to right-click on HEIC and JPEG files in order to view and bookmark the Exif metadata contained therein.
By Simon Key
3194 Downloads
18 Downloads in last 6 months
App
Utility

Export Result-Set to Project VIC

This script is designed to extract a user-specified result-set to a Project VIC data-set.
By Simon Key
109 Downloads
6 Downloads in last 6 months
App
Utility

Export and Bookmark Files Based On Extension

Use this EnScript to extract files into separate folders based on extension. The script will create a tab-delimited index file containing the file-system metadata specified by the examiner. Detects and ...
By Simon Key
4645 Downloads
3 Downloads in last 6 months
App
Utility

Export by Extension

Export files based on extension
By Lance Mueller
887 Downloads
8 Downloads in last 6 months
App
Utility

Extract Block Data Excluding Headers

This script is designed to assist the examiner to extract files from block-based storage structures where each block has a fixed length and is preceded by a header also having a fixed length.
By Simon Key
32 Downloads
0 Downloads in last 6 months
App
Utility

Extract Bookmarked Items With Bookmark Folder Path

This EnScript extracts selected bookmarked items to a nominated folder whilst preserving the bookmark-folder path. The examiner can opt to extract e-mail records as MSG.
By Simon Key
316 Downloads
4 Downloads in last 6 months
App
Utility

Extract Selected Folders in Current View

This script is designed to extract selected folders in the current view to a nominated export folder. Only folders that contain one or more child objects will be processed. Files themselves will not be ...
By Simon Key
52 Downloads
0 Downloads in last 6 months
App
Artifact

Facebook MSG Finder

This Enscript will find FaceBook artifacts in tagged files and create a detailed bookmark.
By Ryan Jay Ollerenshaw
675 Downloads
4 Downloads in last 6 months
App
Utility

File Block Hash Map Analysis

This EnScript uses block-based hash analysis in order to locate and recover one or more target files in circumstances where other methods are likely to fail.
By Simon Key
781 Downloads
2 Downloads in last 6 months
App
Utility

File Description and Extension Tally

Provides a tally of the total number and size of items with a particular extension or description.
By Simon Key
139 Downloads
3 Downloads in last 6 months
App
Utility

File Directory Listing

This EnScript creates a directory listing of all items in the case and makes a .CSV file.
By Joshua Clevenger
1217 Downloads
16 Downloads in last 6 months
App
Utility

File Exporter

This program exports files from the current Entry or Results view based upon user selected criteria.
By Karl Winrow
1351 Downloads
136 Downloads in last 6 months
App
Utility

File Properties

File Properties is a script to easily cut/paste properties on selected files to your investigation report without using bookmarks.
By Guidance Software
514 Downloads
4 Downloads in last 6 months
App
Utility

File Remediator

FileRemediator uses EnCase's built-in wiping function to target and wipe individual files and folders on a local device and then create all the necessary logs.
By Thomas Plunkett
237 Downloads
3 Downloads in last 6 months
App
Utility

FileHash2SQLite

Map File Hashes to Case Numbers and Examiners using an SQLite database
By Greg Farnham
233 Downloads
0 Downloads in last 6 months
App
Utility

Find E-Mail Attachments By Extension

Finds e-mail attachments with file-extensions specified by the examiner. Searches archive attachments (including nested archives) by default.
By Simon Key
1369 Downloads
2 Downloads in last 6 months
App
Utility

Find Entries by Hash Category Plus (EnFilter)

This is a modified version of the v7.08 Filter in EnCase to Find Entries by Hash Category
By James Gagen
5280 Downloads
1 Downloads in last 6 months
App
Artifact

Find IPV4 Addresses

Finds valid unique IPV4 addresses in ANSI/ASCII and Unicode text-formats.
By Simon Key
371 Downloads
9 Downloads in last 6 months
App
Utility

Find Unique Records by Hash (EnFilter)

This is a modified version of the Filter in EnCase to Find Unique Entries by Hash, I have modified the filter to work on records and will match on the MD5 hash.
By James Gagen
973 Downloads
4 Downloads in last 6 months
App
Artifact

Find and Parse Prefetch Files in Unallocated

This EnScript searches unallocated clusters for deleted prefetch data. If found, the EnScript will parse out the name of the executable, last run time and run count.
By Lance Mueller
1397 Downloads
5 Downloads in last 6 months
App
Utility

Flat File Export

This script is designed to copy tagged items into a single output-folder and report-on user-specified properties in the process.
By Simon Key
127 Downloads
1 Downloads in last 6 months
App
Utility

GPT Partition Parser

This EnScript locates and bookmarks GPT partition-table information from devices in the current case.
By Simon Key
297 Downloads
13 Downloads in last 6 months
App
General

Generate ED2K Hash Values

This EnScript will generate ED2K hash values for the purpose of comparing them to some known bad files based on those ED2K hash values.
By Lance Mueller
435 Downloads
12 Downloads in last 6 months
App
Utility

Generic ESE Database Table Parser

This script will attempt to parse one or more tables from Extensible Storage Engine (ESE) database files specified by the user.
By Simon Key
107 Downloads
6 Downloads in last 6 months
App
Utility

Generic SQLite Database Parser

This script allows one or more pre-defined queries to be run across SQLite database files with names matching those specified.
By Simon Key
432 Downloads
18 Downloads in last 6 months
App
Utility

Generic XML Viewer Plugin

Use an extended context-menu option to view and bookmark data contained within XML files.
By Simon Key
489 Downloads
43 Downloads in last 6 months
App
Artifact

GigaTribe Download State Information Finder

The GigaTribe Download State Information Finder searches for information stored whilst a download is progressing on a GigaTribe user's computer.
By Simon Key
6070 Downloads
0 Downloads in last 6 months
App
Artifact

GigaTribe V3 Chat Parser

Locates and parses chat records originating from GigaTribe V3 chat-log files.
By Simon Key
675 Downloads
2 Downloads in last 6 months
App
Utility

HEIC Image Viewer Plugin

This plugin is designed to view the HEIC file currently highlighted in the GUI, including Exif metadata. GPS coordinates can be displayed using Google Maps.
By Simon Key
399 Downloads
134 Downloads in last 6 months
App
Utility

HEIC, KTX and WebP Image File Converter

This script is designed to convert KTX files to PNG; also, HEIC and WebP files to JPG.
By Simon Key
369 Downloads
26 Downloads in last 6 months
App
Artifact

HFS Journal Parser

HFS Journal Parser finds and parses Catalog file record in HFS+/HFSX .journal file.
By Teru Yamazaki
1017 Downloads
5 Downloads in last 6 months
App
Incident Response

Hacker Offender

This app is designed to discover files that are hidden by rootkits. It will place all detected files into a LEF for further analysis. This may include the malware and additional files deemed important b...
By James Habben
1302 Downloads
12 Downloads in last 6 months
App
Utility

Has Attachment by Category (EnFilter)

This filter works on Records in email and will return Records with Attachments that match the selected category. The Source of the filter can be viewed to see the changes made.
By James Gagen
597 Downloads
0 Downloads in last 6 months
App
Utility

Hash Calculator Plugin

This EnScript plugin calculates a number of different hash values, either for complete files, or for a range of data. Hash values can be submitted to Virus Total automatically.
By Simon Key
590 Downloads
12 Downloads in last 6 months
App
Utility

Hash Library Viewer

This script allows the examiner to view, bookmark and extract the contents of the current case's hash library.
By Simon Key
98 Downloads
1 Downloads in last 6 months
App
Utility

Hash List Builder

Generate a matching file set for blue checked items that have had their MD5 hashes processed for import into EnCase Endpoint Security.
By John Lukach
977 Downloads
1 Downloads in last 6 months
App
Utility

Hash List Importer

This EnScript is designed to create a new EnCase hash-library from a list of hashes in tab-delimited format, or from an NSRL hash-set.
By Simon Key
2478 Downloads
30 Downloads in last 6 months
App
Artifact

Identify and Extract Date & Time Changes

EnScript to identify 4616 events (date and time change) that exceed a user specified number of minutes allowing the user to quickly discard Time Server syncs.
By Lynette Goh
350 Downloads
5 Downloads in last 6 months
App
Utility

Index and Extract Mounted Archives

This script is designed to index mounted archive files and their contents relative to the case as a whole; also, to filter and extract this data into a logical evidence file (LEF) so it can be viewed as...
By Simon Key
32 Downloads
1 Downloads in last 6 months
App
Reporting

Inventory

Hash and parse all your case files to create an inventory of your cases.
By James Habben
506 Downloads
2 Downloads in last 6 months
App
Utility

Item Ancestor Resolution

This script allows the examiner to identify the ancestors (emails, etc.) of items in a given result-set so they can be bookmarked and/or extracted.
By Simon Key
44 Downloads
3 Downloads in last 6 months
App
Utility

JPEG File Exporter

This app will export tagged jpeg image files and add the jpeg extension to the exported file.
By Ryan Jay Ollerenshaw
994 Downloads
5 Downloads in last 6 months
App
Artifact

JPEGSnoop

View EXIF metadata found in JPEG images within EnCase-- no need for a third-party application to view GPS coordinates, camera make and model, etc.
By Casimer Szyper
2430 Downloads
124 Downloads in last 6 months
App
Utility

JSON Viewer Plugin

This EnScript plugin allows the user to view and bookmark application data stored in JavaScript Object Notation JSON files.
By Simon Key
5388 Downloads
11 Downloads in last 6 months
App
Reporting

Keyword Search and Proximity Extract

Keyword search and proximity extract is designed to do Fuzzy string extraction by grouping relevant string fragments together.
By Jacques Malan
402 Downloads
1 Downloads in last 6 months
App
Utility

Keyword Search with Range Bookmarking

This EnScript allows the user to perform a raw or transcript keyword search of entries and records, and bookmark a user-specified range of bytes before and after each search-hit.
By Simon Key
1587 Downloads
4 Downloads in last 6 months
App
Utility

Known _met Search and Parse

This EnScript will search all tagged items for known.met record fragments from eMule 0.5.
By William Lynn
786 Downloads
3 Downloads in last 6 months
App
Artifact

Link File & Jump List Parser

This EnScript parses recent file-system activity from Microsoft Windows shortcut-link and jump-list files.
By Simon Key
12388 Downloads
45 Downloads in last 6 months
App
Artifact

Logon Banner and Text (from SYSTEM registry hive file)

This is an EnScript that extracts and bookmarks the local logon banner and logon text. Verifies corporate policies, such as "further used denotes no expectation of privacy".
By Thomas Hilk
153 Downloads
2 Downloads in last 6 months
App
Utility

Low Hanging Fruit

Low Hanging Fruit Please extracts file name path and MD5 to a SQLite database that also contains an Item Moniker data for each entry.
By John Lukach
1261 Downloads
3 Downloads in last 6 months
App
Utility

MACE Timeline

This script will provide a clean view of computer activity by creating a chronological report of file-system metadata.
By James Habben
1888 Downloads
11 Downloads in last 6 months
App
General

MFT Date Comparator

This script is designed to identify potentially suspect files by analyzing timestamp differences in the NTFS MFT standard information and filename attributes of each file.
By Simon Key
861 Downloads
6 Downloads in last 6 months
App
Utility

MFT Record Bookmark Plugin

This plugin has been designed as primarily as a classroom aid to assist in the examination of MFT records and their component sections (MFT-record attributes).
By Simon Key
97 Downloads
1 Downloads in last 6 months
App
Artifact

MP4, MOV, M4A and HEIC File Carver

This EnScript is designed to carve MP4, MOV, M4A and HEIC files as defined by the ISO base media file format, ISO/IEC 14496-12.
By Simon Key
220 Downloads
15 Downloads in last 6 months
App
Artifact

Mac OS X AutoLogin Password Decoder

This is a small utility that will decrypt the user-password for a user set to to automatically log-in to a Mac OS X system.
By Simon Key
7386 Downloads
21 Downloads in last 6 months
App
Artifact

Mac OS X BinaryCookie File Parser

This script parsers user-specified Mac OS X binary cookie files. Output is by way of bookmarks and a tab-delimited spreadsheet file.
By Simon Key
907 Downloads
4 Downloads in last 6 months
App
Artifact

Mac OS X Log Entry Finder

This script searches user-specified Mac OS X plaintext log-files for log-entries containing one or more keywords.
By Simon Key
1024 Downloads
2 Downloads in last 6 months
App
Artifact

Mac OS X OpenBSM Audit Log Parser

This EnScript parses Mac OS X OpenBSM audit-logs, which although deprecated, may still contain details of events relating to audit-control, user-logon and group/user creation/modification/deletion.
By Simon Key
603 Downloads
10 Downloads in last 6 months
App
Artifact

Mac OS X Outlook Mail Converter

This EnScript is designed to convert Microsoft Outlook *.olk14MsgSource and *.olk15MsgSource message-files to EML files and a logical evidence file that can be processed by EnCase.
By Simon Key
6629 Downloads
13 Downloads in last 6 months
App
Artifact

Mac OS X Previous Versions Chunk Storage Parser

Certain Mac OS X applications support the storage of previous versions of files. This EnScript will recover those files and write them to a logical evidence file so that they can be examined.
By Simon Key
8511 Downloads
2 Downloads in last 6 months
App
Artifact

Mac OS X QuickLook Thumbcache Parser

Extracts thumbnail images from Mac OS X QuickLook thumbnail cache files.
By Simon Key
6759 Downloads
26 Downloads in last 6 months
App
Artifact

Mac OS X Time Machine Parser

This EnScript allows the examiner to resolve the backup paths of blue-checked files in a Mac OS X Time Machine volume without having to make a copy of the volume available to a Macintosh computer.
By Simon Key
6515 Downloads
10 Downloads in last 6 months
App
Artifact

MacOS Var-Folders Name Converter

This script decodes the UUID and UID from the names of sub-folders under /private/var/folders in MacOS.
By Simon Key
41 Downloads
3 Downloads in last 6 months
App
Reporting

Manfreds Berichtsvorlage (NSRL 2.49)

Dieses umfassende Berichtstemplate kann als Basis für Ihre eigene Vorlage dienen. Sie ist sehr umfangreich und enthält Bookmark-Verzeichnisse für die häufigsten Topics Ihrer Unter...
By Manfred Hatzesberger
63 Downloads
0 Downloads in last 6 months
App
Reporting

Manfred's Comprehensive Case Template

This template may serve you as basis for your own specific template and includes many Bookmark folders for often encountered topics during your exams.
By Manfred Hatzesberger
423 Downloads
3 Downloads in last 6 months
App
Reporting

Manfred's Comprehensive Case Template (NSRL 2.49)

This template may serve you as basis for your own specific template and includes many Bookmark folders for often encountered topics during your exams.
By Manfred Hatzesberger
161 Downloads
0 Downloads in last 6 months
App
Utility

Matching File Analysis

This script is designed to locate one or more files from a known set. It works with records as well as entries.
By Simon Key
86 Downloads
6 Downloads in last 6 months
App
Artifact

Matching File Creator

This EnScript allows the examiner to tag items of interest and export a tab-delimited CSV file with the name, MD5 hash value, and logical size of the selected tags.
By Joseph Gaval
117 Downloads
3 Downloads in last 6 months
App
Incident Response

MemoryAnalysis

Process Windows, Linux, and OS X memory images and find running processes, parents, create dates, and more.
By Casimer Szyper
3634 Downloads
18 Downloads in last 6 months
App
Artifact

Messenger Protocol Fragments

A script to search for protocol fragments of MSN Messenger (or MSN Live Messenger) chat.
By Paul Eric Tew
1049 Downloads
0 Downloads in last 6 months
App
Utility

Microsoft Word ASD Document Viewer

This EnScript plugin allows Autosave Document (ASD) files to be extracted and opened with Microsoft Word.
By Simon Key
687 Downloads
56 Downloads in last 6 months
App
Utility

Multiple Date Range Filter - Entries Only (EnFilter)

This EnScript filter allows the examiner to show/hide entries using multiple date-ranges and one of four different logic options.
By Simon Key
191 Downloads
7 Downloads in last 6 months
App
Incident Response

NETSH Packet Capture

NETSH Packet Capture allows network traffic sniffing on Microsoft Windows 7 and newer machines using natively installed NETSH with a Servlet with Remediation from EnCase Endpoint Security.
By John Lukach
331 Downloads
0 Downloads in last 6 months
App
Artifact

NTFS Index Buffer Reader

This script is designed to parse the contents of NTFS index buffers.
By Simon Key
84 Downloads
1 Downloads in last 6 months
App
Artifact

NTFS $UsnJrnl Parser

This EnScript allows the user to parse valuable information logging NT file-system operations including time files that have been created, deleted and renamed.
By Simon Key
15615 Downloads
50 Downloads in last 6 months
App
Reporting

NirSoft ESEDatabaseView Plugin

This plugin provides an interface to the NirSoft ESEDatabaseView executable so as to provide centralized reporting of Extensible Storage Engine (ESE, aka Jet Blue) databases through the use of bookmarks...
By John Lukach
646 Downloads
1 Downloads in last 6 months
App
Artifact

Nokia Lumia 610 SMS

This script will parse out SMS from a Nokia Lumia 610 mobile phone binary dump.
By Karl Winrow
360 Downloads
1 Downloads in last 6 months
App
Utility

Office 2007 Metadata Processor

Reads internal document metadata from Microsoft Office 2007 and later documents.
By Simon Key
161 Downloads
8 Downloads in last 6 months
App
Utility

Office 97-2003 Metadata Processor

This EnScript parses metadata from Microsoft Office documents of the format used prior to Office 2007.
By Simon Key
5389 Downloads
3 Downloads in last 6 months
App
Utility

OfficeRecovery 2013 Ultimate - Trial Version

Repair and examine the contents of corrupted files in collected evidence. Word Excel digital images and dozens of other formats are supported.
By Recoveronix Software
589 Downloads
8 Downloads in last 6 months
App
General

Old School Search Hit Viewer

The Old School Search Hit Viewer will display search hits in a table; the hits are highlighted with a user-specified amount of context visible around the search hit.
By Kimberly Stone
401 Downloads
2 Downloads in last 6 months
App
Artifact

Outlook PST & OST Deleted File Recovery

This script is designed to recover deleted PST/OST files.
By Simon Key
422 Downloads
9 Downloads in last 6 months
App
Artifact

PDF File Finder

This script is designed to find deleted PDF files using the header, '%PDF-#.#' (GREP), and the footer, '%%EOF'.
By Simon Key
138 Downloads
3 Downloads in last 6 months
App
Artifact

PE Examiner

Parse single or multiple .EXE files and extract all information encoded into the PE (COFF) header. Also works on memory dumps or unallocated space.
By Casimer Szyper
1131 Downloads
7 Downloads in last 6 months
App
Artifact

Parse $I $Recycle.Bin Files

This script parses the original path, logical size, and date-deleted information from $I $Recycle.Bin files.
By Simon Key
387 Downloads
47 Downloads in last 6 months
App
Artifact

Parse MemProcFS UserAssist Files

This script parses UserAssist Registry values made available by the MemProcFS memory anaysis tool.
By Simon Key
14 Downloads
1 Downloads in last 6 months
App
Artifact

Parse PE Executable for String Resources

This EnScript specifically targets a resource known as "VS_VERSION_INFO" which contains metadata about the specific executable, including the manufacturer name, original filename, version info and ot...
By Lance Mueller
582 Downloads
1 Downloads in last 6 months
App
Artifact

Parse Wireless Access Points in Vista, Win7, & Win8

EnScript to extract & display information about wireless networks that have been connected to. Supports analysis of Windows Vista, 7 & 8.
By Lance Mueller
1133 Downloads
2 Downloads in last 6 months
App
Artifact

Parse the setupapi.dev.log of USBs

This EnScript will parse the setupapi.dev.log (Windows Vista/7) for USB connected events and display this in the console tab
By Jordan venderBuhs
2389 Downloads
13 Downloads in last 6 months
App
Artifact

Plist Parser

This EnScript allows the examiner to bookmark and parse multiple Apple property-list (plist) files.
By Simon Key
7576 Downloads
46 Downloads in last 6 months
App
Artifact

Plist Viewer Plugin

Use an extended context-menu option to bookmark, decode and extract data contained in Apple property list (.plist) files; automatically view plist files embedded in other plist files.
By Simon Key
8778 Downloads
27 Downloads in last 6 months
App
Utility

Pre-Evidence Processing Tasks

Quickly gather needed information before Evidence Processing.
By Tim Taylor
1292 Downloads
3 Downloads in last 6 months
App
Artifact

Prefetch Dump (PFDump)

This EnScript parses application usage information stored in Microsoft Windows prefetch files. This version supports Window XP through Windows 10 and includes a run-count and one or more last-run dates.
By Simon Key
9154 Downloads
17 Downloads in last 6 months
App
Artifact

Prefetch File Recovery

This script is designed to find deleted prefetch files in both compressed and uncompressed formats.
By Simon Key
196 Downloads
12 Downloads in last 6 months
App
Artifact

Print Spool - SHD & SPL Parser

This EnScript extracts and bookmarks the admin data from the printer shadow files and bookmarks EML print data from the printer spool files.
By Lynette Goh
1622 Downloads
45 Downloads in last 6 months
App
Utility

Quick Base64 Decoder

The script is designed to quickly decode Base64-encoded data.
By Simon Key
77 Downloads
1 Downloads in last 6 months
App
Utility

Quick Bookmark Folders

Quickly make bookmark folders for each device in your case. Automate making bookmark folders and subfolders for each device in your case. Along with bookmarking each device and each volume in the cas...
By Brett Liddicoet
275 Downloads
0 Downloads in last 6 months
App
Utility

Quick Registry Browser

Allows the examiner to quickly view data in the highlighted Registry file.
By Simon Key
224 Downloads
15 Downloads in last 6 months
App
Utility

Quick View OST and PST Files and Extract to MSG

This script will attempt to mount the highlighted PST/OST file and display its contents so that messages can be previewed and/or extracted to *.MSG files.
By Simon Key
221 Downloads
11 Downloads in last 6 months
App
Artifact

RDP Cached Bitmap Extractor

This EnScript parses bitmap data cached by the Microsoft Windows Terminal Services (Remote Desktop Protocol - RDP) client.
By Simon Key
2361 Downloads
94 Downloads in last 6 months
App
Utility

Record LEF to Entry LEF Converter

This script converts logical evidence files (LEFs) containing records to ones containing entries. It may prove useful when working with applications that can't open record-LEFs.
By Simon Key
1 Downloads
1 Downloads in last 6 months
App
Utility

Record to Excel

Use Record2Excel to export records to Microsoft Excel. This script works with any records list which can be tagged. It will export all record properties (fields values) to Excel. Requires Microsoft E...
By Guidance Software
486 Downloads
2 Downloads in last 6 months
App
Utility

RegRipper Launcher

This EnScript runs RegRipper directly from EnCase. Automatically bookmark results or load them in a Microsoft Word / Open Office document. Requires RegRipper.
By Guidance Software
2792 Downloads
215 Downloads in last 6 months
App
Artifact

Registry Files Exporter

Export Windows Registry files from Windows OS
By Isaac Lee
1496 Downloads
7 Downloads in last 6 months
App
Utility

Registry Viewer Plugin

This script allows the examiner to to use a right-click context-menu-option or keyboard shortcut to view Registry hive files (SYSTEM, SOFTWARE, SECURITY, SAM, NTUSER,DAT, etc.).
By Simon Key
853 Downloads
31 Downloads in last 6 months
App
Utility

Remote Agent Deployment

This EnScript allows the user to remotely deploy agents across their enterprise.
By Guidance Software
962 Downloads
13 Downloads in last 6 months
App
Utility

Retention Analyzer

Calculates the volume based on logical size in bytes per month based on MAC times for an eight year time frame that are not tagged as 'Known'.
By John Lukach
555 Downloads
1 Downloads in last 6 months
App
Utility

Run Condition As Filter

This download consists two filters designed to make it easier to locate, edit, and launch conditions from multiple locations. They also make it easier to create modified copies of the conditions that...
By Simon Key
175 Downloads
4 Downloads in last 6 months
App
Artifact

SEEB USB - Mounted Devices Report

Script will create detailed Excel, CSV, console & bookmark reports on Mounted, USB, portable devices found in the registry and setupapi logs.
By Brian Jones
3772 Downloads
16 Downloads in last 6 months
App
Utility

SQLite Blob Extractor

This script is designed to extract BLOB-data from SQLite database files.
By Simon Key
1158 Downloads
28 Downloads in last 6 months
App
Artifact

SQLite Free-Page Parser

This EnScript is designed to read and decode unused pages from SQLite database files, pages that may contain deleted data.
By Simon Key
248 Downloads
10 Downloads in last 6 months
App
Utility

SQLiteQuery

Allows SQL querying of all SQLite databases from within EnCase.
By Doug Collins
1869 Downloads
21 Downloads in last 6 months
App
Artifact

SRUM Database Parser

This EnScript parses the System Resource Usage Monitor (SRUM) ESE database, SRUDB.dat, which is located in the %SYSTEMROOT%\System32\sru folder
By Simon Key
447 Downloads
25 Downloads in last 6 months
App
Artifact

Safari Evidence Processor Module

This is a self-installing Evidence Processor module that parses macOS Safari web-browser data.
By Simon Key
5581 Downloads
1 Downloads in last 6 months
App
Utility

Safari Form Values Decryptor For Windows (SFVDWIN)

Use this tool to extract the autofill form values from the encrypted Form Values plist that Safari uses. It requires the user's keychain and associated password to decrypt the data.
By Simon Key
5814 Downloads
2 Downloads in last 6 months
App
Artifact

SafariTabs.db Parser

This script parses the records from the bookmarks table in SafariTabs.db SQLite database files.
By Simon Key
205 Downloads
17 Downloads in last 6 months
App
Artifact

Search For Valid Bitcoin Addresses

This EnScript searches entries and records for valid BitCoin addresses.
By Simon Key
688 Downloads
27 Downloads in last 6 months
App
Utility

Search Hits Preview

This EnScript creates a search hit preview file that can be imported into Excel.
By Ryan Jay Ollerenshaw
359 Downloads
0 Downloads in last 6 months
App
Utility

Search and Bookmark Specific Data Types

This EnScript allows the examiner to search for one or more keywords and bookmark the resultant search-hits using specific data-types (picture, ROT13, low ASCII, hex, etc).
By Simon Key
6874 Downloads
1 Downloads in last 6 months
App
Utility

Serialized Property Storage (SPS) Reader

This script decodes one or more values stored in Serialized Property Storage (SPS) format.
By Simon Key
27 Downloads
1 Downloads in last 6 months
App
Artifact

ShellBags Parser

Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key
911 Downloads
37 Downloads in last 6 months
App
Artifact

ShimCache Parser

This EnScript mounts all SYSTEM registries found in the current evidence, parses the Application Compatility Cache registry key and output the result onto the console, bookmarks and tab-delimited CSV...
By Isaac Lee
1293 Downloads
13 Downloads in last 6 months
App
Utility

Show or Hide Items with a Selected Tag

This Filter will enable the user to show or hide items based on the tag status.
By James Gagen
346 Downloads
1 Downloads in last 6 months
App
Utility

SimpleSearch

This EnScript searches for keywords in every open case and bookmarks the files.
By Iosif Dan Laszlo
729 Downloads
4 Downloads in last 6 months
App
Artifact

Skype Chatsync IP Addresses

This EnScript will parse out the IP addresses from Skype chatsync files and write them to the console as well as bookmark the artifacts.
By Lance Mueller
869 Downloads
2 Downloads in last 6 months
App
Artifact

Skype S4L Database Parser

This script parses cached messages and profile-information from the 'messagesv12' and 'profilecachev8' tables of Skype 's4l-*' SQLite-database files.
By Simon Key
179 Downloads
18 Downloads in last 6 months
App
Utility

Startup Manager

Startup Manager lets you select EnScripts and EnPacks to start automatically when EnCase starts.
By Carmona Pereyra
706 Downloads
8 Downloads in last 6 months
App
Artifact

SysTools Outlook Exporter v2.2 (Demo Version)

SysTools Outlook Exporter is an EnCase plugin which allows you to export email evidence found with EnCase forensic to an Outlook (.pst) file WITHOUT Outlook.
By SysTools Software
311 Downloads
5 Downloads in last 6 months
App
Utility

System Snap Shot

System Snap Shot collects information regarding software used, system settings, user names, last login information, and connections made that would allow data to be moved off the machine.
By Jordan venderBuhs
221 Downloads
6 Downloads in last 6 months
App
Incident Response

Team Cymru Malware Hash Registry Search

Review evidence files to assist in learning if any might correspond to malware.
By Jeffrey Savoy
949 Downloads
4 Downloads in last 6 months
App
Incident Response

ThreatAnalyzer Automation Toolkit

ThreatAnalyzer provides best in class dynamic file analysis which enables the investigator to quickly determine any behaviors a given file sample may exhibit.
By Cisco Systems
302 Downloads
4 Downloads in last 6 months
App
Utility

ThreatGRID Malware Analysis and Intelligence for EnCase

Threat Grid Malware Analysis and Intelligence for EnCase® provides direct integration with Threat Grid, the first unified malware analysis and threat intelligence solution. Threat Grid provides i...
By Cisco Systems
807 Downloads
12 Downloads in last 6 months
App
Artifact

Thumbcache Parser

This script parses the thumbcache_*.db files used to store thumbnail images generated as a result of viewing pictures in Windows Explorer under Windows Vista, 7, 8/8.1 and 10.
By Simon Key
932 Downloads
30 Downloads in last 6 months
App
Artifact

Timezone Info Prior to Processing

This EnScript allows the Examiner to determine the timezone settings of each device prior to running the EnCase Evidence Processor.
By Jamey Tubbs
1889 Downloads
13 Downloads in last 6 months
App
Utility

UNC Path Preview and Acquire

Use this script to preview the files and folders on a remote share using a UNC path. Specific user credentials can be supplied where necessary.
By Simon Key
6680 Downloads
1 Downloads in last 6 months
App
Artifact

URL and Windows File-Path Finder

This script is designed to locate URLs and Windows file-paths containing one or more keywords.
By Simon Key
11 Downloads
5 Downloads in last 6 months
App
Reporting

Umfassende Berichtsvorlage

Dieses umfassende Berichtstemplate kann als Basis für Ihre eigene Vorlage dienen. Sie ist sehr umfangreich und enthält Bookmark-Verzeichnisse für die häufigsten Topics Ihrer Unter...
By Manfred Hatzesberger
99 Downloads
0 Downloads in last 6 months
App
Utility

Unmount Compound File

This will add a right click option to unmount a compound file. This can be used to try a different password or just get rid of the additional items.
By James Habben
816 Downloads
1 Downloads in last 6 months
App
Artifact

User Assist Registry Value Decoder

Decodes data used by the Microsoft Windows operating system to populate each user's start menu with frequently used applications.
By Simon Key
667 Downloads
33 Downloads in last 6 months
App
Utility

UsnJrnl Record Keyword Search and Export to CSV

This script will prompt for a keyword from the user then search selected tagged items for that keyword.
By William Lynn
979 Downloads
3 Downloads in last 6 months
App
Utility

Utilities (aka Last Folder) Plugin

This is a utility plugin making it easier to open folders used for output, delete EnScript configuration files, create index queries, and select emails containing notable attachments (or vice versa).
By Simon Key
6548 Downloads
2 Downloads in last 6 months
App
Artifact

VSS Examiner

Quickly and easily identify and preserve data of interest in Microsoft Windows volume shadow copies.
By Simon-Key
14586 Downloads
23 Downloads in last 6 months
App
Utility

Video Split

This EnScript uses ffmpeg.exe to create thumbnail images from selected movies. The images are automatically made into a LEF file which can then be added to a case.
By Simon Key
407 Downloads
3 Downloads in last 6 months
App
Utility

View SQLite With WAL Plugin

Allows SQLite database files to be opened in conjunction with any write-ahead log (WAL) file.
By Simon Key
423 Downloads
14 Downloads in last 6 months
App
Utility

VirusShare Hash Library Creator

This script creates an EnCase hash-library from the VirusShare hash-lists available to download from https://virusshare.com.
By Simon Key
159 Downloads
9 Downloads in last 6 months
App
Incident Response

VirusShare.com Contextual Data

VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts samples of malicious code.
By John Lukach
543 Downloads
2 Downloads in last 6 months
App
Incident Response

VirusShare.com Hash Library

VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts samples of malicious code.
By John Lukach
1116 Downloads
24 Downloads in last 6 months
App
Incident Response

VirusShare.com Hash Sets

VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts samples of malicious code.
By John Lukach
953 Downloads
11 Downloads in last 6 months
App
Incident Response

VirusTotal Bookmark

This EnScript provides a quick automated way to tag files and then automatically submit their hash values to Virus Total for analyzing.
By Lance Mueller
567 Downloads
7 Downloads in last 6 months
App
Utility

Volatility Plugin

This EnScript is designed to facilitate easier use of Volatility in EnCase. It can be configured for any number of Volatility plugins and supports multithreading.
By Simon Key
279 Downloads
7 Downloads in last 6 months
App
Incident Response

Volatility Reporting Plugin

Volatility 2.4 Standalone executable integration with EnCase for centralized reporting of memory forensic results through the use of bookmarks.
By John Lukach
2056 Downloads
5 Downloads in last 6 months
App
Artifact

WebCacheV01.dat Internet History Decoder

This EnScript parses Internet history data from WebCacheV01.dat files. This includes the Internet history data generated by the Microsoft Internet Explorer and Edge web-browser programs.
By Simon Key
9448 Downloads
62 Downloads in last 6 months
App
Artifact

Webpage Rebuilder

This script will export and rebuild tagged records into a local file to view with a browser.
By James Habben
1961 Downloads
4 Downloads in last 6 months
App
General

What's New In App Central

This EnScript will find any new or updated EnScripts at EnCase App Central.
By Guidance Software
562 Downloads
6 Downloads in last 6 months
App
Artifact

Windows 8 and 8.1 Mail Finder

Finds deleted e-mail messages originating from the Windows 8 and 8.1 Mail applications.
By Simon Key
476 Downloads
1 Downloads in last 6 months
App
Artifact

Windows Device Properties Parser

This script parses extended device-property information from Microsoft Windows SYSTEM Registry hive files.
By Simon Key
310 Downloads
9 Downloads in last 6 months
App
Utility

Windows Drive Letter Assignments

This EnScript is designed to identify Windows drive-letter assignments for volumes in the current case that have been identified as originating from fixed disks.
By Simon Key
9315 Downloads
10 Downloads in last 6 months
App
Artifact

Windows Event Log Export

This EnScript searches for pre-vista event log files (*.evt) and checks if they are flagged dirty.
By James Habben
1927 Downloads
9 Downloads in last 6 months
App
Utility

Windows Executable Packer Detection

Analyze Windows executables to detect known executable file-packers.
By James Habben
3299 Downloads
107 Downloads in last 6 months
App
Artifact

Windows Installed Application Parser

Parses installed-application information and displays it in a manner similar to Microsoft Windows.
By Simon Key
356 Downloads
11 Downloads in last 6 months
App
Artifact

Windows Live Mail to MBOX Converter

This script converts a Windows Live Mail e-mail store to a sequence of MBOX files in a logical evidence file that can be added to a case and processed in the usual way.
By Simon Key
5760 Downloads
0 Downloads in last 6 months
App
Artifact

Windows Local-User Login-Count Decoder

This script decodes the login-count for *local* user accounts stored in SAM Registry hive files in the current case.
By Simon Key
132 Downloads
8 Downloads in last 6 months
App
Artifact

Windows NTUSER.DAT Drive Letter Mappings

This is a simple script that extracts the drive-letter mappings from HKCU\Network.
By Simon Key
174 Downloads
4 Downloads in last 6 months
App
Artifact

Windows Network Profile Reader

This script parses network-profile information from the SOFTWARE Registry hive.
By Simon Key
156 Downloads
4 Downloads in last 6 months
App
Utility

Windows Quick View Plugin

This is an EnScript plugin that allows the examiner to quickly open evidence-items and embedded data using the default Windows viewer.
By Simon Key
718 Downloads
9 Downloads in last 6 months
App
Artifact

Windows Search Application Data Parser

This script parses data maintained by the Windows search function relating to recently-used applications and documents.
By Simon Key
208 Downloads
5 Downloads in last 6 months
App
Incident Response

Yara Scanner

The script is designed as an aid to scanning multiple files using one or more *.yar or *.yara files each containing one or more YARA rules.
By Simon Key
306 Downloads
54 Downloads in last 6 months
App
Utility

ZIP Index Entry Finder

This EnScript will search for, and bookmark, ZIP-file index-entries. It was designed for the recovery of data from deleted ZIP files (including MS Word *.DOCX files) that can't otherwise be recovered, e...
By Simon Key
557 Downloads
13 Downloads in last 6 months
App
Artifact

Zone-ID Parser

This script is designed to parse ‘Zone.Identifier’ alternate data streams, which are sometimes referred to as ‘Marks of the Web’ and can help to identify files downloaded from the Internet.
By Simon Key
117 Downloads
3 Downloads in last 6 months
App
Artifact

eMule User Hash and Clients.met Parser

This script parses eMule preferences.dat, client.met, and client.met.bak files.
By Simon Key
16 Downloads
4 Downloads in last 6 months
App
Artifact

eMule and eDonkey Known.met File Parser

This script will parse all eDonkey & eMule 'known.met' or 'known.met.bak' files or those that have been selected in the current view.
By Simon Key
226 Downloads
21 Downloads in last 6 months
App
Artifact

iChat Message Parser

This EnScript parses *.ichat messages of the type created by the Mac OS X Messages application.
By Simon Key
1010 Downloads
41 Downloads in last 6 months
App
Artifact

macOS Bookmark Data Decoder

This script decodes macOS bookmark datastreams of the type found in macOS alias files and property-list files.
By Simon Key
45 Downloads
1 Downloads in last 6 months
App