This EnScript submits the hash value of files tagged with the 'VirusTotal' label via a public API to Virus Total to see if it is known as malware.
Virus Total is a free service that analyzes suspicious files and URLs and acts as an information aggregator. The results are the output of different antivirus engines, websites scanners, file and URL analysis tools and user contributions.
Virus Total provides a free public API via their website: www.VirusTotal.com
Sign up to be a member of the VirusTotal ‘community’ to obtain their public API. The API can be found under the profile menu once you’ve confirmed your new account.
Once you’ve downloaded your EnScript and obtained the Virus Total API, you’ll need to create a new tag within EnCase and label it ‘VirusTotal.’ With these items in place you can now tag potentially suspicious items within your case using the ‘VirusTotal’ tag.
Having tagged these items, run the script from the EnScript toolbar menu. The initial screen will ask for your Virus Total API key and the bookmark folder you’d like the info stored in.
With the public API you are able to submit up to (4) four requests a minute. If more than four items are submitted the EnScript will go into a wait loop and then resubmit once the minute limit has expired.
It will then send the hash file to Virus Total to see if that hash value is known. If the file with that hash value was previously analyzed, then the VT score is obtained and noted in the bookmark under the console tab.
A zero score would signify that none of the AV engines identified it as malware/dangerous, while any other positive number would signify the number of AV engines that identified it as bad. The EnScript does not send or transmit any data from within the file(s) you have tagged; it only sends the hash value. Therefore, if the score comes back as zero, that does not necessarily mean the file is safe. It just means that the file with that hash value has never been previously analyzed or it was analyzed before and it is just not detected as malware/dangerous.
The intended use of this EnScript is to identify hash values that have a POSITIVE score to draw attention to those files that should be immediately looked at further rather than disregarding those that come back with a zero score.
Customized EnCase EnScript development (v6 & v7) Customized Forensic Automation / Workflow Efficiency