Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer


This is an update to a previously submitted (and approved) EnScript that parses all Windows, OSX and Linux memory images. This update fixes an issue that ocurred when a user attempted to use the script against an evidence file (.E01). There are no other changes to the script.

This EnPack will process ANY Windows memory image from XP thru Windows 8x64, including Server. The EnPack will also process any Linux and OSX memory image. Results are output to console; with a text version available for user selected export. The user can expect to obtain, at a minimum, all running processes, parents, create dates, and process names. Additonal processing functions can be selected by simply putting a 1 in the appropriate box on the start up menu. Memory resident MFT entries, Registry entries, IP addresses, Open Ports, Twitter artifacts and more can be selected. To use: double click EnPack, at opening menu select memory image to process (type) from list at top. If you do not know what the exact image type is start with the 32 bit version first. If you don't know anything about the memory image you can select "Unknown" and the EnPack will attempt to identify the image file based on Dispatch Header Values. You can disable processing for running processess by selecting "Disable" - You will still be able to run the other processing selections against the image file. You can also parse ANY MFT with this script - by simply blue checking the MFT file, disabling the specific memory search and enabling the MFT parsing. This EnPack will only process "Blue Checked" files; for memory image files it is HIGHLY recommended that you process one file at a time as the output is to the console and will be cleared by the next entry before you will have time to view the first.

Download Now

Version: 7.2.2
Tested with:
EnCase Forensic 7.06
Developer: Casimer Szyper
Category: Incident Response



Incident Response

Hacker Offender

This App is designed to discover files that are hidden by rootkits. It will place all detected files into a LEF for further analysis. This may include the malware and additional files deemed important by the attacker.
By James Habben
Incident Response

Team Cymru Malware Hash Registry Search

Review evidence files to assist in learning if any might correspond to malware.
By Jeffrey Savoy
Incident Response

Volatility Reporting Plugin

Volatility 2.4 Standalone executable integration with EnCase for centralized reporting of memory forensic results through the use of bookmarks.
By John Lukach
Incident Response Hash Library is a repository of malware samples to provide security researchers, incident responders, forensic analysts samples of malicious code.
By John Lukach