This app is designed to discover files that are hidden by rootkits. It will place all detected files into a LEF for further analysis. This may include the malware and additional files deemed important by the attacker. It utilizes the EnCase Servlet to communicate with the OS of a live host through the EnScript API. It compares the filtered list with a full list discovered directly from the $MFT by EnCase. This is called Out-Of-Band processing. Name was derived from a very well-known rootkit called Hacker Defender, but will detect hidden files from any file system based rootkit.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training