The script is designed as an aid to scanning multiple files using one or more
*.yara files each containing one or more YARA rules.
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
The script provides the option to scan selected items in the current user view (does not work with records), all and tagged items.
An internal condition can be used to further control processing. For example, it can be used to target
Each file is sent to the .NET API as a memory stream. The results are converted to JSON before being streamed back to the EnScript for interpretation and bookmarking.
Due to this mode of operation, the script will not attempt to process deleted files or those larger than 2GB in size.
Accordingly, the script is not suited to processing RAM dumps, pagefile.sys or hiberfil.sys.
The fast scanning option makes scanning a little faster by avoiding multiple matches of the same string when not necessary. Once a string has been found in a file it’s subsequently ignored, which will result in a single match for the string, even if it appears multiple times in the scanned data.
Output is by way of the console, bookmarks, and optionally, JSON files written to a nominated export folder.
It should be noted that data found as a result of string searching will be Base64 encoded in each JSON output file.
This script was developed for use in EnCase training. For more details, please click the following link:Download Now