Serialized Property Storage (SPS) Reader
This script decodes one or more values stored in Serialized Property Storage (SPS) format.
To use, highlight the first '1SPS' signature in the SPS stream and run the script.
The 'ignore property store size' option exists because, according to the Microsoft definition, a serialized property store container should be preceded by the total size of the property storage objects that it contains. In some cases, however, the stored size may be zero even though the actual size is not. This option instructs the script to ignore a zero size and proceed regardless.
The script uses the definitions in Microsoft's propkey.h header file to identify the significance of SPS values that have a numeric identifier. Even so, a substantial number of property identifiers are as yet unknown.
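The size handling described above can be sketched in Python. This is an added example, not the script's own EnScript code. The field layout is an assumption taken from Microsoft's [MS-PROPSTORE] and [MS-OLEPS] documents, and the function names, the sample GUID and the sample data are constructed for illustration.

```python
import struct
import uuid

SPS_VERSION = 0x53505331  # stored little-endian, so the bytes on disk read "1SPS"
STRING_NAMED = uuid.UUID("d5cdd505-2e9c-101b-9397-08002b2cf9ae")

def parse_values(buf, pos, end):
    """Return (id, vt_type, value_bytes) for each integer-named value."""
    values = []
    while pos + 4 <= end:
        (value_size,) = struct.unpack_from("<I", buf, pos)
        if value_size == 0:                      # zero size terminates the list
            break
        if value_size < 13 or pos + value_size > end:
            raise ValueError(f"bad value size {value_size} at offset {pos}")
        # Layout assumed: size(4) id(4) reserved(1) type(2) padding(2) data
        prop_id, _reserved, vt = struct.unpack_from("<IBH", buf, pos + 4)
        values.append((prop_id, vt, bytes(buf[pos + 13:pos + value_size])))
        pos += value_size
    return values

def parse_store(buf, offset=0, ignore_zero_store_size=False):
    """Walk the store whose 4-byte size field starts at `offset`."""
    (store_size,) = struct.unpack_from("<I", buf, offset)
    if store_size == 0 and not ignore_zero_store_size:
        return []                                # trust the size: nothing to read
    # A zero size gives no end marker, so bound the walk by the buffer instead.
    end = min(offset + 4 + store_size, len(buf)) if store_size else len(buf)
    pos, storages = offset + 4, []
    while pos + 8 <= end:
        storage_size, version = struct.unpack_from("<II", buf, pos)
        if storage_size == 0 or version != SPS_VERSION:
            break                                # terminator, or no longer SPS data
        if storage_size < 24 or pos + storage_size > end:
            raise ValueError(f"bad storage size {storage_size} at offset {pos}")
        fmtid = uuid.UUID(bytes_le=bytes(buf[pos + 8:pos + 24]))
        # String-named storages use a different value layout; not decoded here.
        values = [] if fmtid == STRING_NAMED else parse_values(buf, pos + 24, pos + storage_size)
        storages.append((fmtid, values))
        pos += storage_size
    return storages

def build_sample(store_size_zero=False):
    """Constructed test data: one storage holding property id 2 = VT_UI4 7."""
    fmtid = uuid.UUID("00000000-0000-0000-0000-000000000001")   # constructed GUID
    value = struct.pack("<IIBHHI", 17, 2, 0, 0x13, 0, 7) + struct.pack("<I", 0)
    storage = struct.pack("<II", 24 + len(value), SPS_VERSION) + fmtid.bytes_le + value
    body = storage + struct.pack("<I", 0)        # zero-size terminating storage
    return struct.pack("<I", 0 if store_size_zero else len(body)) + body

if __name__ == "__main__":
    print(parse_store(build_sample(True), ignore_zero_store_size=True))
```

When the zero size is ignored, the walk is bounded only by the signature check and the buffer end, so the size checks inside each storage are what stop a damaged stream from being over-read.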
For additional information, please see the following Twitter post:
This script was developed for use in EnCase training. For more details, please click the following link: