Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

NETSH Packet Capture

NETSH Packet Capture allows network traffic sniffing on Microsoft Windows 7 and newer machines using natively installed NETSH with an EnCase Servlet that has Remediation enabled. Launch the EnScript as no case is necessary and log into your SAFE which will determine if the Remediation flag is enabled and if you have permission to use this feature. Once that is done, you can click the Sniff button to run your NETSH commands on the remote system using the IP that was provide. All results are displayed in the Console View of EnCase after the completion of the command execution. At this point click Cancel to leave NETSH running otherwise set the Export Folder for where the Logical Evidence File should be saved. Also you will want to make sure you stop the packet capture prior to clicking OK as this initiates the file collection based on the default logical file names NetTrace.etl and Microsoft Message Analyzer can be used to review the data or to extract the PCAP contents for review using Wire Shark, Network Miner, Xplico, or etc. Microsoft Message Analyzer Download: This app was developed by instructors in support of the Guidance Software Professional Development and Training Course offerings. For more information about its use and investigative context, attend one of the following courses: Enterprise Examinations, Host Intrusion Methodology and Investigation, or Cybersecurity and Analytics.

Download Now

Version: 1
Tested with:
EnCase Forensic 7.06
Developer: John Lukach
Category: Incident Response



Incident Response


Process Windows, Linux, and OS X memory images and find running processes, parents, create dates, and more.
By Casimer Szyper
Incident Response

Hacker Offender

This App is designed to discover files that are hidden by rootkits. It will place all detected files into a LEF for further analysis. This may include the malware and additional files deemed important by the attacker.
By James Habben
Incident Response

Volatility Reporting Plugin

Volatility 2.4 Standalone executable integration with EnCase for centralized reporting of memory forensic results through the use of bookmarks.
By John Lukach
Incident Response

Team Cymru Malware Hash Registry Search

Review evidence files to assist in learning if any might correspond to malware.
By Jeffrey Savoy