Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.
$Filename Attribute Dates of tagged file(s)
This EnScript will display the (8) eight NTFS time-stamps associated with each tagged file/folder in EnCase.
By Lance MuellerAPFS Date-Added Decoder
This script decodes the date-added timestamps present in the internal $Catalog file created by EnCase for APFS volumes.
By Simon KeyActive Directory Account Importer For Secure Storage
This script allows the examiner to import user and group accounts from Active Directory into EnCase. By Simon KeyAndroid Screen Unlock
This script is designed to remove basic PIN, password or pattern lock from a connected device. This method was tested and works on Android versions from Gingerbread (2.3) to Jelly Bean (4.1). The Consol.
By James HabbenApple System Log (ASL) File Parser
This EnScript parses user-specified Apple System Log (ASL) files in the current case. Output is by way of bookmarks and a tab-delimited spreadsheet file.
By Simon KeyAres and Lime Pro Dat File Decryptor
This script will decrypt the data from the .dat files used by the Ares and Lime Pro P2P file trading programs.
By Simon KeyAres and Lime Pro Registry Report
This script decodes relevant values for Ares and Lime Pro NTUSER.DAT Registry keys. By Simon KeyAssisted PST/OST Mounting in EnCase
The script assists in mounting Microsoft Outlook PST and OST files for use in EnCase. By Jacques MalanAttribute and Field Helper Plugin
This plugin allows the examiner to view and bookmark the information shown under the Attributes and Fields tabs en-masse rather than on a per-file/folder basis.
By Simon KeyAutoCAD DWG Summary Info Reader
This EnScript allows the examiner to read document summary information from AutoCAD DWG files. The script supports file-versions from 2004 to 2013.
By Simon KeyBAM Registry Parser
This script Background Activity Moderator (BAM) Registry entries generated by later versions of Windows 10.
By Simon KeyBinary Plist Finder
This script searches specified items for binary property-list (plist) files. It was designed primarily to recover plist files from unallocated clusters but can also be used to recover plists embedded in.
By Simon KeyBitTorrent Bencode File Finder
This EnScript can be used to find and decode bencoded files of the type used by several BitTorrent clients.
By Simon KeyBitTorrent Bencode Viewer Plugin
This is an EnCase plugin that allows the examiner to view the bencoded files of the type used by many BitTorrent clients.
By Simon KeyBookmark Filter Plugin
This self-installing plugin allows the user to select bookmarks matching a given condition. It is particularly useful when trying to identify bookmarks containing specific text in the comment.
By Simon KeyBookmark and Decode exFAT Directory Entries
This script bookmarks the exFAT directory-entries for the highlighted file/folder or selected files/folders in the current view; it is primarily designed to allow the examiner to view exFAT timestamps t.
By Simon KeyC-TAK (Cyber-Threat Analytics Knowledgebase) Trial Version
C-TAK provides examiners with accurate identification of cyber threats that may directly impact investigations. The C-TAK trial includes Keylogger, Rootkit and Trojan datasets built in.
By WetStone-Technologies-Inc-CD Image Loader Plugin
This EnScript loads one or more CD/DVD-ROM ISO images into the current case. Supports multi-part images of the type created by FTK Imager.
By Simon KeyCUPS Printer Control-File Parser
This script parses CUPS (Common UNIX Printing System) printer-control files of the type found on macOS.
By Simon KeyCase Analyzer and Sweep Enterprise Data Extraction
Use this script to batch-extract selected Case Analyzer and Sweep Enterprise reports to comma-delimited spreadsheets.
By Simon KeyCategorize & Bookmark by File Extensions
EnCase v7 EnScript to define criteria in a condition dialog and then bookmark those files into bookmark subfolders based on extensions
By Lance MuellerChrome History Transition Parser
This script is designed to parse the transition field from records in the visits table of the Chrome/Chromium History SQLite database file.
By Simon KeyThis is a File Mounter. Like the V6 file mounter, but for V7 and to mount the files not included in the Evidence processor.
By James GagenComprehensive Case Template
This template may serve you as basis for your own specific template and includes many Bookmark folders for often encountered topics during your exams.
By Manfred HatzesbergerContextual Data Builder
Importing customer contextual data enables you to integrate your enterprise or third-party database of whitelisted, blacklisted, and watchlisted hashes as you extract, transform, and load data to the an.
By John LukachCopy Files With Path
This script is designed to copy files (those that are entries) into a nominated folder and/or logical evidence file whilst still preserving each one's path. It will work in triage mode.
By Simon KeyCopy Web Browser Files
A simple script used to identify all browser history cookie and cache files in a case and copy them out for further processing using 3rd party tools.
By Paul Eric TewCortana Search Decoder
Decodes the search terms stored in IndexedDB.edb files used by the Microsoft Windows Cortana search function.
By Simon KeyCreate Hash Library From Multiple Hash Lists
This script is designed to create/update a hash library using the hash-values contained in one or more tab-delimited hash-list files with CR/LF line-endings.
By Simon KeyCreate LEF From Folders Using Logical and UNC Path
Creates an EnCase logical evidence file from the contents of one or more folders specified by the user.
By Simon KeyCreate Result Set Excluding Unwanted Items
Allows the examiner to create a result-set that excludes unwanted items by way of them having a 'known' hash value or other undesirable properties (name, size, file extension, etc).
By Simon KeyCreate Result-Set From Responsive Items
This script is designed to create a result-set from both entries and records (artifacts) in a single pass.
By Simon KeyCreate Result-Sets For Hash-Categories
This script creates result-sets for each of the hash-categories associated with active hash-sets contained in the current case's active hash library/libraries.
By Simon KeyCreate Result-Sets For Specific Document-Types
This EnScript allows the examiner to create result-sets containing items matching user-specified file-types.
By Simon KeyCredit Card Number Search With Luhn Verification
This script finds credit card numbers which are valid according to the Luhn test. By Simon KeyDFLabs DIM Integration-NG
Created by DFLabs this EnScript enables you to add EnCase evidence and bookmark data to IncMan-NG suite.
By DFLabs SRLDFLabs IncMan Integration-NG
This EnScript allows the user to upload remote node snapshot information from Sweep Enterprise into IncMan-NG the Incident Response Management from DFLabs.
By DFLabs SRLThis script parsers user-specified .DS_Store files created by Mac OS X. One of the most common reasons for wanting to examine these files is to determine the original name and path of files/folders in t.
By Simon KeyData Extraction Utility
This script is designed to extract one or more blocks of data from the file highlighted in the EnCase GUI.
By Simon KeyDeleted SQLite Database File Recovery
This script is designed to recover deleted database files last modified by SQLite version 3.7 or later.
By Simon KeyDetect Similar Text Content
The script uses ssdeep to help identify plagiarized content and/or forged documents. By Simon KeyDrive Space Audit
This EnScript will audit the space of all devices in the case. A table will be built in the bookmarks tab as a summary to show usage of devices in the case.
By James HabbenDumpkeychain is a Windows utility for decrypting credentials from Mac OS X system and user keychains given the associated system-key-file or keychain-password respectively.
By Simon KeyE-mail Address Finder
This EnScript will locate, bookmark, and count all unique e-mail addresses in a case. By Ryan Jay OllerenshawEMLX to EML Mail Converter
Convert Apple Mail EMLX files to EML/MBOX format, which can be then read by other e-mail clients and processed by EnCase.
By Simon KeyEVF2 Evidence-File Segment Extraction Utility
This is a proof-of-concept EnScript designed to extract data from one or more EVF2 evidence-file segments in the event of a hardware or software failure.
By Simon KeyEVTX Log Entry Finder
This EnScript bookmarks deleted event-log records from Microsoft Windows EVTX files. By Simon KeyEnCase Integrated Threat Toolkit (EITT)
EnCase Integrated Threat Toolkit (EITT) is a GUI interface and aggregate for a number of EnCase® Enterprise functions and over 15 open source tools designed to assist in DFIR investigations.
By Guidance SoftwareThis script allows an EnScript developer to quickly identify newly introduced classes, methods, and properties in EnCase.
By Simon KeyEnParse - 30-Day Free Trial
30-day free trial of EnParse. Find what is in multiple evidence files at once without full export, prepare useful reports for clients.
By Manishaben-ChovatiyaEnScript Editor Utilities Plugin
This plugin adds a number of enhancements to the EnScript editor window. By Simon KeyThis helpful EnScript lets you search all your downloaded EnScripts and either launch them or open the folder where they were found.
By Guidance SoftwareEnScript to send file metadata directly to Splunk
EnCase EnScript to send data directly to SPLUNK for IR, Investigations and Timelines. By Lance MuellerEndpoint Investigator Network Utility Plugin
This is an Endpoint Investigator Network Utility plugin that allows the examiner to import one or more network-nodes or IP-ranges from a nominated tab-delimited text-file in MS Windows format. It can al.
By Simon KeyEndpoint Investigator Snapshot Scanner
This script is designed to validate the prescence of EnCase Endpoint Investigator agents running on multiple endpoints.
By Simon KeyEndpoint Security Registry Value Extractor
This script is designed to extract Registry values from one or more result-LEFs created by EnCase Endpoint Security. It will process all Lx01 and L01 evidence files in the folder specified by the user.
By Simon KeyEvidence File Converter
EnScript converts blue-checked EnCase evidence files in the evidence tab to bitstream, dd-type disk images with the option to use the Apple multi-part DMG naming convention.
By Simon KeyExif GPS Information Reader
Search for, bookmark, and decode Exif metadata with the option to view GPS coordinates in Google Earth.
By Simon KeyExif Viewer Plugin
The is a self-installing application plugin that enables the user to right-click on HEIC and JPEG files in order to view and bookmark the Exif metadata contained therein.
By Simon KeyExport Result-Set to Project VIC
This script is designed to extract a user-specified result-set to a Project VIC data-set. By Simon KeyExport and Bookmark Files Based On Extension
Use this EnScript to extract files into separate folders based on extension. The script will create a tab-delimited index file containing the file-system metadata specified by the examiner. Detects and .
By Simon KeyExport by Extension
Export files based on extension By Lance MuellerExtract Block Data Excluding Headers
This script is designed to assist the examiner to extract files from block-based storage structures where each block has a fixed length and is preceded by a header also having a fixed length.
By Simon KeyExtract Bookmarked Items With Bookmark Folder Path
This EnScript extracts selected bookmarked items to a nominated folder whilst preserving the bookmark-folder path. The examiner can opt to extract e-mail records as MSG.
By Simon KeyExtract Selected Folders in Current View
This script is designed to extract selected folders in the current view to a nominated export folder. Only folders that contain one or more child objects will be processed. Files themselves will not be .
By Simon KeyFacebook MSG Finder
This Enscript will find FaceBook artifacts in tagged files and create a detailed bookmark. By Ryan Jay OllerenshawFile Block Hash Map Analysis
This EnScript uses block-based hash analysis in order to locate and recover one or more target files in circumstances where other methods are likely to fail.
By Simon KeyFile Description and Extension Tally
Provides a tally of the total number and size of items with a particular extension or description. By Simon KeyFile Directory Listing
This EnScript creates a directory listing of all items in the case and makes a .CSV file. By Joshua ClevengerFile Properties is a script to easily cut/paste properties on selected files to your investigation report without using bookmarks.
By Guidance SoftwareFileRemediator uses EnCase's built-in wiping function to target and wipe individual files and folders on a local device and then create all the necessary logs.
By Thomas PlunkettFind E-Mail Attachments By Extension
Finds e-mail attachments with file-extensions specified by the examiner. Searches archive attachments (including nested archives) by default.
By Simon KeyFind Entries by Hash Category Plus (EnFilter)
This is a modified version of the v7.08 Filter in EnCase to Find Entries by Hash Category By James GagenFind IPV4 Addresses
Finds valid unique IPV4 addresses in ANSI/ASCII and Unicode text-formats. By Simon KeyFind Unique Records by Hash (EnFilter)
This is a modified version of the Filter in EnCase to Find Unique Entries by Hash, I have modified the filter to work on records and will match on the MD5 hash.
By James GagenFind and Parse Prefetch Files in Unallocated
This EnScript searches unallocated clusters for deleted prefetch data. If found, the EnScript will parse out the name of the executable, last run time and run count.
By Lance MuellerFlat File Export
This script is designed to copy tagged items into a single output-folder and report-on user-specified properties in the process.
By Simon KeyGPT Partition Parser
This EnScript locates and bookmarks GPT partition-table information from devices in the current case.
By Simon KeyGenerate ED2K Hash Values
This EnScript will generate ED2K hash values for the purpose of comparing them to some known bad files based on those ED2K hash values.
By Lance MuellerGeneric ESE Database Table Parser
This script will attempt to parse one or more tables from Extensible Storage Engine (ESE) database files specified by the user.
By Simon KeyGeneric SQLite Database Parser
This script allows one or more pre-defined queries to be run across SQLite database files with names matching those specified.
By Simon KeyGeneric XML Viewer Plugin
Use an extended context-menu option to view and bookmark data contained within XML files. By Simon KeyGigaTribe Download State Information Finder
The GigaTribe Download State Information Finder searches for information stored whilst a download is progressing on a GigaTribe user's computer.
By Simon KeyGigaTribe V3 Chat Parser
Locates and parses chat records originating from GigaTribe V3 chat-log files. By Simon KeyHEIC Image Viewer Plugin
This plugin is designed to view the HEIC file currently highlighted in the GUI, including Exif metadata. GPS coordinates can be displayed using Google Maps.
By Simon KeyHEIC, KTX and WebP Image File Converter
This script is designed to convert KTX files to PNG; also, HEIC and WebP files to JPG. By Simon KeyHFS Journal Parser
HFS Journal Parser finds and parses Catalog file record in HFS+/HFSX .journal file. By Teru YamazakiThis app is designed to discover files that are hidden by rootkits. It will place all detected files into a LEF for further analysis. This may include the malware and additional files deemed important b.
By James HabbenHas Attachment by Category (EnFilter)
This filter works on Records in email and will return Records with Attachments that match the selected category. The Source of the filter can be viewed to see the changes made.
By James GagenHash Calculator Plugin
This EnScript plugin calculates a number of different hash values, either for complete files, or for a range of data. Hash values can be submitted to Virus Total automatically.
By Simon KeyHash Library Viewer
This script allows the examiner to view, bookmark and extract the contents of the current case's hash library.
By Simon KeyHash List Builder
Generate a matching file set for blue checked items that have had their MD5 hashes processed for import into EnCase Endpoint Security.
By John LukachHash List Importer
This EnScript is designed to create a new EnCase hash-library from a list of hashes in tab-delimited format, or from an NSRL hash-set.
By Simon KeyIdentify and Extract Date & Time Changes
EnScript to identify 4616 events (date and time change) that exceed a user specified number of minutes allowing the user to quickly discard Time Server syncs.
By Lynette GohIndex and Extract Mounted Archives
This script is designed to index mounted archive files and their contents relative to the case as a whole; also, to filter and extract this data into a logical evidence file (LEF) so it can be viewed as.
By Simon KeyItem Ancestor Resolution
This script allows the examiner to identify the ancestors (emails, etc.) of items in a given result-set so they can be bookmarked and/or extracted.
By Simon KeyJPEG File Exporter
This app will export tagged jpeg image files and add the jpeg extension to the exported file. By Ryan Jay OllerenshawView EXIF metadata found in JPEG images within EnCase-- no need for a third-party application to view GPS coordinates, camera make and model, etc.
By Casimer SzyperJSON Viewer Plugin
This EnScript plugin allows the user to view and bookmark application data stored in JavaScript Object Notation JSON files.
By Simon KeyKeyword Search and Proximity Extract
Keyword search and proximity extract is designed to do Fuzzy string extraction by grouping relevant string fragments together.
By Jacques MalanKeyword Search with Range Bookmarking
This EnScript allows the user to perform a raw or transcript keyword search of entries and records, and bookmark a user-specified range of bytes before and after each search-hit.
By Simon KeyKnown _met Search and Parse
This EnScript will search all tagged items for known.met record fragments from eMule 0.5. By William LynnLink File & Jump List Parser
This EnScript parses recent file-system activity from Microsoft Windows shortcut-link and jump-list files.
By Simon KeyLogon Banner and Text (from SYSTEM registry hive file)
This is an EnScript that extracts and bookmarks the local logon banner and logon text. Verifies corporate policies, such as "further used denotes no expectation of privacy".
By Thomas HilkLow Hanging Fruit
Low Hanging Fruit Please extracts file name path and MD5 to a SQLite database that also contains an Item Moniker data for each entry.
By John LukachThis script will provide a clean view of computer activity by creating a chronological report of file-system metadata.
By James HabbenMFT Date Comparator
This script is designed to identify potentially suspect files by analyzing timestamp differences in the NTFS MFT standard information and filename attributes of each file.
By Simon KeyMFT Record Bookmark Plugin
This plugin has been designed as primarily as a classroom aid to assist in the examination of MFT records and their component sections (MFT-record attributes).
By Simon KeyMP4, MOV, M4A and HEIC File Carver
This EnScript is designed to carve MP4, MOV, M4A and HEIC files as defined by the ISO base media file format, ISO/IEC 14496-12.
By Simon KeyMac OS X AutoLogin Password Decoder
This is a small utility that will decrypt the user-password for a user set to to automatically log-in to a Mac OS X system.
By Simon KeyMac OS X BinaryCookie File Parser
This script parsers user-specified Mac OS X binary cookie files. Output is by way of bookmarks and a tab-delimited spreadsheet file.
By Simon KeyMac OS X Log Entry Finder
This script searches user-specified Mac OS X plaintext log-files for log-entries containing one or more keywords.
By Simon KeyMac OS X OpenBSM Audit Log Parser
This EnScript parses Mac OS X OpenBSM audit-logs, which although deprecated, may still contain details of events relating to audit-control, user-logon and group/user creation/modification/deletion.
By Simon KeyMac OS X Outlook Mail Converter
This EnScript is designed to convert Microsoft Outlook *.olk14MsgSource and *.olk15MsgSource message-files to EML files and a logical evidence file that can be processed by EnCase.
By Simon KeyMac OS X Previous Versions Chunk Storage Parser
Certain Mac OS X applications support the storage of previous versions of files. This EnScript will recover those files and write them to a logical evidence file so that they can be examined.
By Simon KeyMac OS X QuickLook Thumbcache Parser
Extracts thumbnail images from Mac OS X QuickLook thumbnail cache files. By Simon KeyMac OS X Time Machine Parser
This EnScript allows the examiner to resolve the backup paths of blue-checked files in a Mac OS X Time Machine volume without having to make a copy of the volume available to a Macintosh computer.
By Simon KeyMacOS Var-Folders Name Converter
This script decodes the UUID and UID from the names of sub-folders under /private/var/folders in MacOS.
By Simon KeyManfreds Berichtsvorlage (NSRL 2.49)
Dieses umfassende Berichtstemplate kann als Basis für Ihre eigene Vorlage dienen. Sie ist sehr umfangreich und enthält Bookmark-Verzeichnisse für die häufigsten Topics Ihrer Unter.
By Manfred HatzesbergerManfred's Comprehensive Case Template
This template may serve you as basis for your own specific template and includes many Bookmark folders for often encountered topics during your exams.
By Manfred HatzesbergerManfred's Comprehensive Case Template (NSRL 2.49)
This template may serve you as basis for your own specific template and includes many Bookmark folders for often encountered topics during your exams.
By Manfred HatzesbergerMatching File Analysis
This script is designed to locate one or more files from a known set. It works with records as well as entries.
By Simon KeyMatching File Creator
This EnScript allows the examiner to tag items of interest and export a tab-delimited CSV file with the name, MD5 hash value, and logical size of the selected tags.
By Joseph GavalProcess Windows, Linux, and OS X memory images and find running processes, parents, create dates, and more.
By Casimer SzyperMessenger Protocol Fragments
A script to search for protocol fragments of MSN Messenger (or MSN Live Messenger) chat. By Paul Eric TewMicrosoft Word ASD Document Viewer
This EnScript plugin allows Autosave Document (ASD) files to be extracted and opened with Microsoft Word.
By Simon KeyMultiple Date Range Filter - Entries Only (EnFilter)
This EnScript filter allows the examiner to show/hide entries using multiple date-ranges and one of four different logic options.
By Simon KeyNETSH Packet Capture
NETSH Packet Capture allows network traffic sniffing on Microsoft Windows 7 and newer machines using natively installed NETSH with a Servlet with Remediation from EnCase Endpoint Security.
By John LukachNTFS Index Buffer Reader
This script is designed to parse the contents of NTFS index buffers. By Simon KeyNTFS $UsnJrnl Parser
This EnScript allows the user to parse valuable information logging NT file-system operations including time files that have been created, deleted and renamed.
By Simon KeyNirSoft ESEDatabaseView Plugin
This plugin provides an interface to the NirSoft ESEDatabaseView executable so as to provide centralized reporting of Extensible Storage Engine (ESE, aka Jet Blue) databases through the use of bookmarks.
By John LukachNokia Lumia 610 SMS
This script will parse out SMS from a Nokia Lumia 610 mobile phone binary dump. By Karl WinrowOffice 2007 Metadata Processor
Reads internal document metadata from Microsoft Office 2007 and later documents. By Simon KeyOffice 97-2003 Metadata Processor
This EnScript parses metadata from Microsoft Office documents of the format used prior to Office 2007.
By Simon KeyOfficeRecovery 2013 Ultimate - Trial Version
Repair and examine the contents of corrupted files in collected evidence. Word Excel digital images and dozens of other formats are supported.
By Recoveronix SoftwareOld School Search Hit Viewer
The Old School Search Hit Viewer will display search hits in a table; the hits are highlighted with a user-specified amount of context visible around the search hit.
By Kimberly StoneOutlook PST & OST Deleted File Recovery
This script is designed to recover deleted PST/OST files. By Simon KeyPDF File Finder
This script is designed to find deleted PDF files using the header, '%PDF-#.#' (GREP), and the footer, '%%EOF'.
By Simon KeyParse single or multiple .EXE files and extract all information encoded into the PE (COFF) header. Also works on memory dumps or unallocated space.
By Casimer SzyperParse $I $Recycle.Bin Files
This script parses the original path, logical size, and date-deleted information from $I $Recycle.Bin files.
By Simon KeyParse MemProcFS UserAssist Files
This script parses UserAssist Registry values made available by the MemProcFS memory anaysis tool. By Simon KeyParse PE Executable for String Resources
This EnScript specifically targets a resource known as "VS_VERSION_INFO" which contains metadata about the specific executable, including the manufacturer name, original filename, version info and ot.
By Lance MuellerParse Wireless Access Points in Vista, Win7, & Win8
EnScript to extract & display information about wireless networks that have been connected to. Supports analysis of Windows Vista, 7 & 8.
By Lance MuellerParse the setupapi.dev.log of USBs
This EnScript will parse the setupapi.dev.log (Windows Vista/7) for USB connected events and display this in the console tab
By Jordan venderBuhsPlist Viewer Plugin
Use an extended context-menu option to bookmark, decode and extract data contained in Apple property list (.plist) files; automatically view plist files embedded in other plist files.
By Simon KeyPre-Evidence Processing Tasks
Quickly gather needed information before Evidence Processing. By Tim TaylorPrefetch Dump (PFDump)
This EnScript parses application usage information stored in Microsoft Windows prefetch files. This version supports Window XP through Windows 10 and includes a run-count and one or more last-run dates.
By Simon KeyPrefetch File Recovery
This script is designed to find deleted prefetch files in both compressed and uncompressed formats. By Simon KeyPrint Spool - SHD & SPL Parser
This EnScript extracts and bookmarks the admin data from the printer shadow files and bookmarks EML print data from the printer spool files.
By Lynette GohQuick Base64 Decoder
The script is designed to quickly decode Base64-encoded data. By Simon KeyQuick Bookmark Folders
Quickly make bookmark folders for each device in your case. Automate making bookmark folders and subfolders for each device in your case. Along with bookmarking each device and each volume in the cas.
By Brett LiddicoetQuick Registry Browser
Allows the examiner to quickly view data in the highlighted Registry file. By Simon KeyQuick View OST and PST Files and Extract to MSG
This script will attempt to mount the highlighted PST/OST file and display its contents so that messages can be previewed and/or extracted to *.MSG files.
By Simon KeyRDP Cached Bitmap Extractor
This EnScript parses bitmap data cached by the Microsoft Windows Terminal Services (Remote Desktop Protocol - RDP) client.
By Simon KeyRecord LEF to Entry LEF Converter
This script converts logical evidence files (LEFs) containing records to ones containing entries. It may prove useful when working with applications that can't open record-LEFs.
By Simon KeyRecord to Excel
Use Record2Excel to export records to Microsoft Excel. This script works with any records list which can be tagged. It will export all record properties (fields values) to Excel. Requires Microsoft E.
By Guidance SoftwareThis EnScript runs RegRipper directly from EnCase. Automatically bookmark results or load them in a Microsoft Word / Open Office document. Requires RegRipper.
By Guidance SoftwareRegistry Files Exporter
Export Windows Registry files from Windows OS By Isaac LeeRegistry Viewer Plugin
This script allows the examiner to to use a right-click context-menu-option or keyboard shortcut to view Registry hive files (SYSTEM, SOFTWARE, SECURITY, SAM, NTUSER,DAT, etc.).
By Simon KeyRemote Agent Deployment
This EnScript allows the user to remotely deploy agents across their enterprise. By Guidance SoftwareCalculates the volume based on logical size in bytes per month based on MAC times for an eight year time frame that are not tagged as 'Known'.
By John LukachRun Condition As Filter
This download consists two filters designed to make it easier to locate, edit, and launch conditions from multiple locations. They also make it easier to create modified copies of the conditions that.
By Simon KeySEEB USB - Mounted Devices Report
Script will create detailed Excel, CSV, console & bookmark reports on Mounted, USB, portable devices found in the registry and setupapi logs.
By Brian JonesSQLite Blob Extractor
This script is designed to extract BLOB-data from SQLite database files. By Simon KeySQLite Free-Page Parser
This EnScript is designed to read and decode unused pages from SQLite database files, pages that may contain deleted data.
By Simon KeySRUM Database Parser
This EnScript parses the System Resource Usage Monitor (SRUM) ESE database, SRUDB.dat, which is located in the %SYSTEMROOT%\System32\sru folder
By Simon KeySafari Evidence Processor Module
This is a self-installing Evidence Processor module that parses macOS Safari web-browser data. By Simon KeySafari Form Values Decryptor For Windows (SFVDWIN)
Use this tool to extract the autofill form values from the encrypted Form Values plist that Safari uses. It requires the user's keychain and associated password to decrypt the data.
By Simon KeySearch For Valid Bitcoin Addresses
This EnScript searches entries and records for valid BitCoin addresses. By Simon KeySearch Hits Preview
This EnScript creates a search hit preview file that can be imported into Excel. By Ryan Jay OllerenshawSearch and Bookmark Specific Data Types
This EnScript allows the examiner to search for one or more keywords and bookmark the resultant search-hits using specific data-types (picture, ROT13, low ASCII, hex, etc).
By Simon KeySerialized Property Storage (SPS) Reader
This script decodes one or more values stored in Serialized Property Storage (SPS) format. By Simon KeyThis EnScript mounts all SYSTEM registries found in the current evidence, parses the Application Compatility Cache registry key and output the result onto the console, bookmarks and tab-delimited CSV.
By Isaac LeeShow or Hide Items with a Selected Tag
This Filter will enable the user to show or hide items based on the tag status. By James GagenSkype Chatsync IP Addresses
This EnScript will parse out the IP addresses from Skype chatsync files and write them to the console as well as bookmark the artifacts.
By Lance MuellerSkype S4L Database Parser
This script parses cached messages and profile-information from the 'messagesv12' and 'profilecachev8' tables of Skype 's4l-*' SQLite-database files.
By Simon KeySysTools Outlook Exporter v2.2 (Demo Version)
SysTools Outlook Exporter is an EnCase plugin which allows you to export email evidence found with EnCase forensic to an Outlook (.pst) file WITHOUT Outlook.
By SysTools SoftwareSystem Snap Shot
System Snap Shot collects information regarding software used, system settings, user names, last login information, and connections made that would allow data to be moved off the machine.
By Jordan venderBuhsTeam Cymru Malware Hash Registry Search
Review evidence files to assist in learning if any might correspond to malware. By Jeffrey SavoyThreatAnalyzer Automation Toolkit
ThreatAnalyzer provides best in class dynamic file analysis which enables the investigator to quickly determine any behaviors a given file sample may exhibit.
By Cisco SystemsThreatGRID Malware Analysis and Intelligence for EnCase
Threat Grid Malware Analysis and Intelligence for EnCase® provides direct integration with Threat Grid, the first unified malware analysis and threat intelligence solution. Threat Grid provides i.
By Cisco SystemsThis script parses the thumbcache_*.db files used to store thumbnail images generated as a result of viewing pictures in Windows Explorer under Windows Vista, 7, 8/8.1 and 10.
By Simon KeyTimezone Info Prior to Processing
This EnScript allows the Examiner to determine the timezone settings of each device prior to running the EnCase Evidence Processor.
By Jamey TubbsUNC Path Preview and Acquire
Use this script to preview the files and folders on a remote share using a UNC path. Specific user credentials can be supplied where necessary.
By Simon KeyURL and Windows File-Path Finder