Sunday, February 07, 2010

Briefly: Memory Analysis EnScripts

I came across a post for the Memory Forensic Toolkit EnScript in the GSI Forum a few days ago. I finally got a chance to play around with it a little today and this will be a very brief overview.

Prerequisite: EnCase 6.14 or higher.

Simply download the toolkit from the link above and unzip it into your EnCaseX.X.X\EnScripts folder. You should then see something like the following in your EnScript pane, with a Windows 7 folder and a Windows XP folder:



I have only tested the XP scripts at this time. EnScripts available:

- PsList: List all processes
- KMList: Show all loaded kernel modules
- ConnList: View all TCP connections
- VadSearch: Search a process's VAD (virtual address descriptor) regions for a string
- DllList: List the DLLs loaded by a process
- OpenFiles: List the files a process has open
- ProcDump: Extract a process image to .exe format
- PsScan: Enumerates process information (EPROCESS)
- ConnScan: Enumerates TCP connection information (TCPT_OBJECT)
- KMScan: Enumerates kernel modules (LDR_MODULE)
- Vtypes/Win32/x86: library used by the scripts above

You can run these EnScripts on raw memory dumps; just make sure to check the blue box for the memory dump you would like to run the EnScript against, then double-click the script you'd like to run.
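To make concrete what a tag-scanning script such as PsScan does with a raw dump, here is an added Python illustration of my own; it is not code from the toolkit or from its author. It assumes a simplified XP SP2/SP3 x86 layout (the EPROCESS field offsets, the 8-byte pool header and the 0x18-byte object header are assumptions), and the memory image it scans is constructed inline.

```python
import struct

# Pool tag Windows XP uses for process allocations ("Proc" with the high bit set
# on the last byte); PsScan-style tools carve EPROCESS blocks by looking for it
# rather than walking the active-process list, so unlinked processes still show.
POOL_TAG = b"Pro\xe3"

# Assumed, simplified XP SP2/SP3 x86 layout: 8-byte _POOL_HEADER (tag at +4),
# then a 0x18-byte _OBJECT_HEADER, then the _EPROCESS body.
POOL_HEADER_SIZE = 0x08
OBJECT_HEADER_SIZE = 0x18
EPROCESS_SIZE = 0x260
OFF_PID = 0x084         # _EPROCESS.UniqueProcessId
OFF_PPID = 0x14C        # _EPROCESS.InheritedFromUniqueProcessId
OFF_IMAGE_NAME = 0x174  # _EPROCESS.ImageFileName, 16 bytes

def build_eprocess_block(pid, ppid, name):
    """Construct one pool allocation holding an EPROCESS (sample data only)."""
    body = bytearray(EPROCESS_SIZE)
    struct.pack_into("<I", body, OFF_PID, pid)
    struct.pack_into("<I", body, OFF_PPID, ppid)
    body[OFF_IMAGE_NAME:OFF_IMAGE_NAME + 16] = name.encode().ljust(16, b"\0")
    # The first pool-header dword (sizes/type) is not interpreted by the scanner.
    return b"\x00\x00\x50\x00" + POOL_TAG + bytes(OBJECT_HEADER_SIZE) + bytes(body)

def psscan(dump):
    """Carve EPROCESS records out of a raw dump by pool tag, PsScan-style."""
    found = []
    pos = dump.find(POOL_TAG)
    while pos != -1:
        base = pos - 4 + POOL_HEADER_SIZE + OBJECT_HEADER_SIZE  # EPROCESS start
        # Skip hits whose structure would run past either end of the image.
        if pos >= 4 and base + EPROCESS_SIZE <= len(dump):
            pid = struct.unpack_from("<I", dump, base + OFF_PID)[0]
            ppid = struct.unpack_from("<I", dump, base + OFF_PPID)[0]
            raw = dump[base + OFF_IMAGE_NAME:base + OFF_IMAGE_NAME + 16]
            name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
            found.append({"offset": base, "pid": pid, "ppid": ppid, "name": name})
        pos = dump.find(POOL_TAG, pos + 1)
    return found

# Constructed sample image: two process allocations amid zero filler, plus a
# truncated tag at the very end that a careless scanner would misparse.
SAMPLE_DUMP = (bytes(0x1000) + build_eprocess_block(4, 0, "System")
               + bytes(0x800) + build_eprocess_block(1234, 4, "lsass.exe")
               + bytes(0x200) + b"\x00\x00\x50\x00" + POOL_TAG)

if __name__ == "__main__":
    for p in psscan(SAMPLE_DUMP):
        print(f"0x{p['offset']:08x} {p['name']:<16} pid={p['pid']} ppid={p['ppid']}")
```

The same carving idea, with a different tag and structure offsets, is what ConnScan (TCPT_OBJECT) and KMScan (LDR_MODULE) do.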

Here's an example run of PsList:



And ConnScan:



The output is very similar to Volatility's and goes to the console by default. You can easily modify a script to write to a text file, an Excel spreadsheet, or any other output type you can think of, however.

For some EnScripts, like DllList, you are prompted for a PID to run it against. You can modify the script to run against all PIDs, however, if desired.



There is also a Microsoft Crash Analyzer which I have yet to try.

1 comment:

haruyama said...

Hi, thanks for checking my tool.
The link posted in the GSI Forum is not the latest version, so please visit my blog and download it from there.
The latest version is 1.41.

EnCase EnScript "Memory Forensic Toolkit" Version 1.41
http://cci.cocolog-nifty.com/blog/2010/02/encase-enscript.html

And if you are looking for a tool for parsing crash dumps, I'm also publishing "CrashDump Analyzer" for x64 Windows Servers on my blog.