
Custom Enscript

(@forbes57478892)
New Member
Joined: 15 years ago
Posts: 1
Topic starter  

Hey Everyone!

I am new to forensics and EnScripts; in fact I am studying it at university and I'm currently on a work placement at a small computer forensics firm.

I was looking into EnScripts and found little documentation on it, although I did go through the Lance Mueller EnScript tutorial, which was extremely useful and I enjoyed working through it.

A situation came up that could make use of EnScript. I've been trying to get my head around it and figure out an EnScript for this situation. I guess you need to know the issue now.

I ran a GREP search of unallocated clusters to find JPG images from a specific camera; the expression went something like this: \xff\xd8\ff\e1.*\x49\x58\x55\x53. So now I have a few thousand results (which is a lot better than I had previously), but I need to bookmark the images. I do this by highlighting the image header, right-clicking and selecting Bookmark Data, then choosing the Picture view type. That works fine, but I don't fancy doing this for all 4000 results. That's where the EnScript comes in, but also where my problem starts. I have done bits of programming before, mainly C#, but never EnScripts. So anyway, I guess my question is: am I on the right track with my EnScript, or does anyone know how to do this? What I've done so far goes something like this:

class MainClass
{
  void Main(CaseClass c)
  {
    SearchHitClass hit = c.SearchHitRoot();
    EntryFileClass file;
    BookmarkFolderClass folder;
    folder = new BookmarkFolderClass(c.BookmarkRoot(), "Image Bookmark");
    SystemClass::ClearConsole();
    forall (SearchHitClass h in hit)
    {
      Console.WriteLine(h.FullPath());
      EntryClass e = h.GetEntry();   // the entry this hit sits in (was hit.GetEntry())

      file = new EntryFileClass();
      if (!file.Open(e))
        continue;
      file.SetCodePage(0);
      String text;
      do {
        // read up to the next CR/LF and test that "line" for the marker
        file.ReadString(text, -1, "\x0d\x0a");
        if (text.Contains("yoya"))
        {
          Console.WriteLine("Text contains " + text);
          // bookmark the bytes just read, to be shown as a picture
          folder.AddBookmark(e, file.GetPos() - text.GetLength(), text.GetLength(), "Image",
                             BookmarkClass::SHOWPICTURE, BookmarkClass::PICTURE);
          break;
        }
      } while (file.Peek() != FileClass::EOF);
    }
  }
}

I've only had the Lance Mueller tutorial to go on, and it would be much appreciated if anyone could give me a hint.

Thank you,
Kind Regards, Forbina


   
Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

You can do the following with EnCase, once you have your search hits from unallocated clusters:

Select all search hits (highlight one, press Ctrl+Space bar)
Pan right to the 'Is Picture' column
Right-click any item and select 'Picture - Invert Selected Items'
Lo and behold: decoded as picture, gallery view, bookmark selected items from there.

HTH.


   
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

Your EnScript itself looks to be on the right lines; I don't have the documentation at home so can't give the correct syntax.

What you might want to consider is looking in the search hit node for the term you ran instead of for everything. It's also worth noting that the yoya header is not "yoya"; it's ASCII symbols that look a bit like it.

What your code does (I think, because it's not commented at all) is add a bookmark for the yoya header. file.Peek() doesn't increment the file pointer, btw.

You're on the right track, but it needs a little work. Correct the yoya header to start with and try debugging it.


   
(@j2222)
Eminent Member
Joined: 20 years ago
Posts: 36
 

The way I tend to write them is (in pseudo code):

forall (SearchHitClass h in c.SearchHitRoot()) {
  if (h.IsSelected()) {
    // Do stuff;
  }
}

And then just blue-tick the ones you want to process.


   
(@jonstewart)
Eminent Member
Joined: 16 years ago
Posts: 47
 

Hi Forbina,

The problem you will have with this script is that you're treating binary data as text, i.e., you're using ReadString() to read in some data from the file, and then Contains() to look for a string in that data. This is fine when working with text files, but it won't work with binary data like JPEGs. ReadString() is far too finicky.

What I suggest you do is create a SearchClass object as a class member and, in the constructor or at the beginning of Main() (but not inside the for-loop; it'd be too slow), call AddKeyword(), passing it the hex-encoded string you want to look for, i.e. "\\xff\\xd8\\xff\\xe1" (notice these are double backslashes, because it's a string literal), and then call SearchClass::Create(). Then in the for-loop, after you open the file, call Find(). Find() returns the number of hits found, and then you can iterate over them by calling GetHits() on the SearchClass object (lots of examples of this floating around).

This makes EnCase do more of the work for you and gives you exact results, without having to worry about errors stemming from treating binary data as text. Also, if you bookmark the results with the bookmark PICTURE enum, you don't need to recover the full JPEG, just the header. EnCase will figure out the rest in gallery view.

HTH,

Jon


   
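An added example, not code from any post in this thread, that puts Jon's SearchClass approach and j2222's selected-hits filter into one script. It is written against the EnCase 6-era EnScript API: AddKeyword(), SearchClass::Create(), Find() and GetHits() are the calls Jon names, while the remaining details (the SearchClass::GREP option, HitClass::Offset() and Length(), SearchHitClass::IsSelected(), and the NameListClass bookkeeping used so that one unallocated-clusters entry with thousands of hits is searched only once) are assumptions to check against the EnScript help for your EnCase version.

```enscript
// Added example (not from any post in this thread): bookmark JPEG/EXIF headers
// as pictures using SearchClass instead of ReadString()/Contains().
// Assumes the EnCase 6-era EnScript API; signatures of SearchClass::Find,
// SearchClass::GetHits, HitClass::Offset/Length and SearchHitClass::IsSelected
// are assumptions.
class MainClass {
  SearchClass   Search;   // built once in the constructor, never inside the loop
  NameListClass Done;     // full paths of entries already searched

  MainClass() :
    Search(),
    Done()
  {
    // GREP keyword for the JPEG SOI + APP1 (EXIF) marker: FF D8 FF E1.
    // Double backslashes because the expression is held in a string literal.
    // Append the camera-specific bytes from your own GREP term here if wanted.
    Search.AddKeyword("\\xff\\xd8\\xff\\xe1", SearchClass::GREP, "JPEG EXIF header");
    Search.Create();
  }

  void Main(CaseClass c) {
    SystemClass::ClearConsole();
    BookmarkFolderClass folder(c.BookmarkRoot(), "Image Bookmarks");
    uint bookmarks;   // EnScript zero-initialises numeric locals

    forall (SearchHitClass h in c.SearchHitRoot()) {
      if (!h.IsSelected())
        continue;                         // only the blue-ticked hits

      EntryClass e = h.GetEntry();
      if (!e)
        continue;

      // Thousands of hits in unallocated space all belong to the same entry;
      // calling Find() per hit would rescan that entry every time, so search
      // each distinct entry exactly once.
      if (Done.Find(e.FullPath()))
        continue;
      new NameListClass(Done, e.FullPath());

      EntryFileClass file();
      if (!file.Open(e)) {
        Console.WriteLine("Could not open " + e.FullPath());
        continue;
      }

      long found = Search.Find(file);     // binary search over the whole entry
      Console.WriteLine(e.FullPath() + ": " + found + " JPEG header(s)");

      forall (SearchClass::HitClass hit in Search.GetHits()) {
        // Bookmark just the header bytes; with the PICTURE view type EnCase
        // decodes the image from that offset in Gallery view.
        folder.AddBookmark(e, hit.Offset(), hit.Length(), "JPEG header",
                           BookmarkClass::SHOWPICTURE, BookmarkClass::PICTURE);
        ++bookmarks;
      }
    }
    Console.WriteLine("Bookmarked " + bookmarks + " picture(s)");
  }
}
```

Blue-tick the hits you want in the Search Hits view before running it. Because Find() is given the whole entry rather than one hit's line of text, every header in that entry is bookmarked in one pass, and the hits are exact byte offsets rather than whatever ReadString() happened to stop at.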
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

Then in the for-loop, after you open the file, call Find().

Is inside a loop the best place to do this? Doesn't SearchClass::Find() start the search off again every time you call it?


   
(@jonstewart)
Eminent Member
Joined: 16 years ago
Posts: 47
 

Then in the for-loop, after you open the file, call Find().

Is inside a loop the best place to do this? Doesn't SearchClass::Find() start the search off again every time you call it?

Yes, but that's equivalent to what's happening now with calling Contains() on the string. It seems like the intent is to validate the search hit somehow.

Frankly, I don't really understand why the hit is getting validated like this, but using ReadString() and Contains() will not work reliably: they'll get confused by null characters.

Jon


   