EnCase App Central
Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.Become a Developer
Parse PE Executable for String Resources
Most executables contain a resource known as "VS_VERSION_INFO". This structure contains metadata about the specific executable, including the manufacturer name, original filename, version info and other useful information. This EnScript specifically targets this resource instead of just running a "strings" search across the entire executable, which often leads to lots of noise. The information in this resource is what is displayed if/when you right-click on an executable in Windows and choose the "details" tab. Looking at this information, while not authoritative or definitive, can commonly give you some initial hints about the legitimacy of a file and/or if it has been renamed from when it was originally compiled. The EnScript is designed to be able to check any executable(s) and then run the EnScript. It will then print out the information from this resource to the console tab (and make a bookmark).
EnCase Forensic 7.09