As the title says, I'm looking for a way to convert the full text indexing in EnCase into a format usable in PRTK. I've tried importing the native format into PRTK and it does not work. I love the feature of PRTK that allows you to use FTK's full text indexing as a dictionary to break passwords, but I don't like FTK! I know an obvious solution is to do the full text index in FTK and then use that in PRTK…but I was wondering if anyone has tried using EnCase's format…or might want to help me figure it out. Thanks in advance.
I am pretty sure that someone has published an EnScript/EnPack that converts the index results to a text file on the EnCase Guidance Support Portal.
Yes, under Examples there is an EnScript called "Create Index Dictionary".
I've tried using the EnScript and I can't get it to run. What is the order of operations? Should I do full text indexing first and then run the EnScript?
One thing you should consider if you find a way to come up with a full-text index: the FTK index is not the only source of data. In FTK, the registry is automatically incorporated and eventually becomes a part of the dictionary. I say automatically; that's not quite accurate, since you do get a choice of what registry keys to include. I haven't tried it, but I'm confident it would function without the registry files, but you would be missing, among other things, the protected storage, which as you know contains some potentially good stuff. An answer to that might be to add the contents of protected storage manually before sending it to PRTK. That would probably work with Internet Explorer 6, where protected storage is displayed in the clear. However, in Internet Explorer 8 the protected storage has been moved and is now encrypted (I'm told). I haven't tried to decrypt it yet, but I believe that entails cracking the user's password.