I have some familiarity with Windows Forensics having passed my SANS 508 exam, However Chip is my resident Forensics expert so when he pointed me in the direction of a blog post about running python scripts in EnCase I was immediately interested. I haven’t really played with EnCase and have been looking for a reason, this seems like a good one.
In this post @JamesHabben has introduced pdf-parser to EnCase. He also suggests a couple of other python scripts that could be of use which is where this post comes in. I have never tried writing an EnScript before so thankfully James has a detailed write-up.
Chip has a great write-up on how to use analyzemft here.
tldr; It parses a $MFT file in to an easy to read csv file.
The first thing we need to do is get analyzemft installed onto our machine that has EnCase. (This has only been tested with python 2.7).
Download the latest version of analyzemft from https://github.com/dkovar/analyzeMFT/archive/master.zip and unzip the contents.
cd in to the directory and run the following command
python setup.py install
Assuming python is in your $PATH this should install with no errors.
Ok now we have the python bit installed lets see about getting it into EnCase.
The Python Script
In this instance we don’t need to make any modifications to our script we just need it somewhere we can access it. I created c:\scripts folder that will hold any python items I need so it’s simply a case of copying analyzemft.py from our zip file into this folder.
Most of this is copied from James’s script I just modified the paths and the arguments we pass in to the exe call. I wont duplicate his description other than to say, if you need to modify this for your environment the lines to change are :
12. String pythonPath = "C:\\Python27\\python.exe"; 13. String pyScriptPath = "C:\\scripts\\analyzemft.py"; 15. String py_arg_out = c.ExportFolder() + "\\" + "analyzedmft.csv"
Running the script is simple select our $MFT file from the preview pane, and run the script.
The Console should tell you it successfully ran and output the csv file to your Export folder.
Now we can view the parsed MFT file.
The EnScript can be found on my GitHub here feel free to let me know if it’s broken or can be improved.
Big thank you to Chip for pointing me at this and helping me learn EnCase.
As usual Questions, Queries, Comments below.