Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

VirusTotal Bookmark

This EnScript submits the hash value of files tagged with the 'VirusTotal' label via a public API to Virus Total to see if it is known as malware.

Virus Total is a free service that analyzes suspicious files and URLs and acts as an information aggregator. The results are the output of different antivirus engines, websites scanners, file and URL analysis tools and user contributions.

Virus Total provides a free public API via their website: www.VirusTotal.com

Sign up to be a member of the VirusTotal ‘community’ to obtain their public API. The API can be found under the profile menu once you’ve confirmed your new account.

Once you’ve downloaded your EnScript and obtained the Virus Total API, you’ll need to create a new tag within EnCase and label it ‘VirusTotal.’ With these items in place you can now tag potentially suspicious items within your case using the ‘VirusTotal’ tag.

Having tagged these items, run the script from the EnScript toolbar menu. The initial screen will ask for your Virus Total API key and the bookmark folder you’d like the info stored in.

With the public API you are able to submit up to (4) four requests a minute. If more than four items are submitted the EnScript will go into a wait loop and then resubmit once the minute limit has expired.

It will then send the hash file to Virus Total to see if that hash value is known. If the file with that hash value was previously analyzed, then the VT score is obtained and noted in the bookmark under the console tab.

A zero score would signify that none of the AV engines identified it as malware/dangerous, while any other positive number would signify the number of AV engines that identified it as bad. The EnScript does not send or transmit any data from within the file(s) you have tagged; it only sends the hash value. Therefore, if the score comes back as zero, that does not necessarily mean the file is safe. It just means that the file with that hash value has never been previously analyzed or it was analyzed before and it is just not detected as malware/dangerous.

The intended use of this EnScript is to identify hash values that have a POSITIVE score to draw attention to those files that should be immediately looked at further rather than disregarding those that come back with a zero score.

www.Forensickb.com.
Customized EnCase EnScript development (v6 & v7) Customized Forensic Automation / Workflow Efficiency

Download Now



Version: 2
Tested with:
EnCase Forensic 7.1
Developer: Lance Mueller
Category: Incident Response

3305 DOWNLOADS

YOU MAY ALSO LIKE

Incident Response

MemoryAnalysis

Process Windows, Linux, and OS X memory images and find running processes, parents, create dates, and more.
By Casimer Szyper
7440 Downloads
App
Incident Response

Hacker Offender

This App is designed to discover files that are hidden by rootkits. It will place all detected files into a LEF for further analysis. This may include the malware and additional files deemed important by the attacker.
By James Habben
5371 Downloads
App
Incident Response

Team Cymru Malware Hash Registry Search

Review evidence files to assist in learning if any might correspond to malware.
By Jeffrey Savoy
5094 Downloads
App
Incident Response

Volatility Reporting Plugin

Volatility 2.4 Standalone executable integration with EnCase for centralized reporting of memory forensic results through the use of bookmarks.
By John Lukach
5091 Downloads
App