Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

Parse PE Executable for String Resources

Most executables contain a resource known as "VS_VERSION_INFO". This structure contains metadata about the specific executable, including the manufacturer name, original filename, version info and other useful information. This EnScript specifically targets this resource instead of just running a "strings" search across the entire executable, which often leads to lots of noise. The information in this resource is what is displayed if/when you right-click on an executable in Windows and choose the "details" tab. Looking at this information, while not authoritative or definitive, can commonly give you some initial hints about the legitimacy of a file and/or if it has been renamed from when it was originally compiled. The EnScript is designed to be able to check any executable(s) and then run the EnScript. It will then print out the information from this resource to the console tab (and make a bookmark).

http://www.forensickb.com/2014/02/encase-enscript-to-parse-out.html

Download Now

Download Now


FAQ

Version: 1
Tested with:
EnCase Forensic 7.09
Developer: Lance Mueller
Category: Artifact

581 Downloads
2 Downloads in last 6 months