Extract Block Data Excluding Headers
This script is designed to help the examiner extract files from block-based storage structures where each block has a fixed length and is preceded by a header that also has a fixed length.
The examiner should identify the data that he/she wishes to extract, calculate the offset from the start of the data to the first block-header, highlight the entire length of data (including any headers) and then run the script.
The script will identify the offset and length of the highlighted data and then present a dialog, which will allow the examiner to specify a bookmark-folder name, output path, block-length, header-length and the offset from the start of the data to the first header.
The script will extract and bookmark the specified data, skipping over any headers in the process.
Note that the data highlighted by the examiner should never start on a block-header. In addition, the offset to the first block-header must never be greater than the length of a block, because the highlighted data starts inside a block and the next header can be at most one block-length away.
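The header-skipping logic described above, as an added Python example (not the EnScript itself). It assumes the block-length counts only the data that follows each header; the function names and the sample bytes are constructed for illustration.

```python
def strip_block_headers(data: bytes, block_len: int, header_len: int,
                        first_header_offset: int) -> bytes:
    """Return the selected bytes with every fixed-length header removed.

    data                -- the highlighted span, headers included
    first_header_offset -- bytes from the start of data to the first header
    """
    if block_len <= 0 or header_len <= 0:
        raise ValueError("block and header lengths must be positive")
    # An offset of 0 means the selection starts on a header; an offset
    # larger than a block cannot occur in this layout.
    if not 0 < first_header_offset <= block_len:
        raise ValueError("first header offset must be in 1..block_len")

    out = bytearray(data[:first_header_offset])   # tail of the first block
    pos = first_header_offset
    while pos < len(data):
        pos += header_len                         # skip over the header
        out += data[pos:pos + block_len]          # keep the block that follows
        pos += block_len
    return bytes(out)


def build_sample(payload: bytes, block_len: int, header: bytes) -> bytes:
    """Constructed input: split payload into blocks, each preceded by header."""
    return b"".join(header + payload[i:i + block_len]
                    for i in range(0, len(payload), block_len))


if __name__ == "__main__":
    payload = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"        # constructed file content
    stream = build_sample(payload, 8, b"\xff" * 4)  # 4-byte header, 8-byte block
    selection = stream[7:]       # starts at "D", 5 bytes before the next header
    print(strip_block_headers(selection, 8, 4, 5))
```

A selection that ends partway through a header or block is handled by the slice bounds: whatever data precedes the cut is kept and nothing past it is read.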
This script was developed for use in EnCase training.