EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Mac OS X Time Machine Parser

The purpose of this script is to assist the examiner to visualize the paths of relevant target files within a Mac OS X Time Machine volume.

Before running the script the examiner must first blue-check the files in the volume that are of interest. It is advisable to tag those files first so as to avoid losing the selection by inadvertently switching views.

When the script runs it will write the selected files into a nominated logical evidence file (LEF) using the same paths as would be observed were the Time Machine volume to be viewed under Mac OS X. The examiner has the option of filtering the output, so, for instance, it's possible to select all of the pictures within the Time Machine volume but only write those pictures to the LEF if they contain the string '\Users\' somewhere in their path.

Only one Time Machine volume can be processed at a time. If the examiner selects files from more than one volume the script will raise an error. Every file of interest must be selected even if it is a hard-linked duplicate: the script won't find duplicates automatically - it would take too long.

It's important to bear in mind that re-creating the structure of a Time Machine backup can be time consuming and take a substantial amount of disk-space. Not only that, but because many files will exist in more than one backup, the resultant LEF will usually contain far more files than were actually selected by the examiner. This notwithstanding, the use of hash-values within the internal LEF structure will ensure that only one copy of a duplicate file is actually stored.

Version: 1.1
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

8387 DOWNLOADS
