EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Exif GPS Information Reader

This script searches specified entries with a view to finding Exif picture files containing Global Positioning System data. Other Exif metadata will be bookmarked even if GPS data cannot be found. The examiner can choose to search all items, those that are selected, tagged or those that are entries representing unallocated clusters. Note that the option to parse items that are selected in the current view does not work with records.

Be careful when parsing deleted or deleted-overwritten files, and areas of unused disk space. These may contain corrupt data, which can cause the script to crash and/or cause EnCase to hang due to excessive memory usage. If this happens you will need to re-run the script without processing the problematic areas. The console output can help you to identify these, either in EnCase or, if the program crashes, using the console log files in %USERPROFILE%\Documents\EnCase\Logs.

The examiner can choose to have the script specifically identify pictures whose Exif GPS coordinates are located within a specified distance (in kilometers) from a designated point. Any occurrence of an Exif picture will be bookmarked and checked to see if the data that follows contains GPS information. The script will bookmark an Exif picture into one of three bookmark folders depending on (a) whether it contains any GPS coordinates and (b) whether those coordinates fall within the geographical range specified by the examiner. If no range is specified then every Exif picture with GPS coordinates will be placed in the 'In Range' bookmark folder. Any GPS information found for pictures that are 'in-range' will be written to a single Keyhole Markup Language (KML) file that can be opened using Google Earth. The examiner is required to specify the path to the file when the script runs; he/she can also opt to export the associated picture so that a thumbnail of it can be seen from within Google Earth.

Note that the latter option is not possible with pictures from unallocated clusters nor pictures embedded within other files. If Google Earth is installed on the Examiner's machine then he/she can have EnCase use COM to open the file once the file has been written. It's important to remember that the GPS information embedded within an Exif image will only be as good as the accuracy of the GPS fix at the time the picture was taken.

An additional data bookmark will be created in order to store the Exif metadata that's been parsed for each picture. This data can be filtered so that only Exif tags of interest are shown. Custom tag-names can be entered manually; they can also be imported from a tab-delimited text file. For additional information regarding the inclusion of bookmark data into the EnCase V7 case report see the following YouTube video

Version: 6.0.1
Tested with:
EnCase Forensic 7.12
Developer: Simon Key
Category: Artifact




WebCacheV01.dat Internet History Decoder

This EnScript parses Internet history data from WebCacheV01.dat files. This includes the Internet history data generated by the Microsoft Internet Explorer and Edge web-browser programs.
By Simon Key

ShellBags Parser

Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key

User Assist Registry Value Decoder

Decodes data used by the Microsoft Windows operating system to populate each user's start menu with frequently used applications.
By Simon Key

Windows Search Application Data Parser

This script parses data maintained by the Windows search function relating to recently-used applications and documents.
By Simon Key