
EnCase App Central

Windows Device Properties Parser

Although the EnCase System Information Parser already provides a lot of useful device-related information, this script outputs additional information, e.g., the last-removal (disconnected) date. It also links each device to its device container, which has additional properties, e.g., the location of any custom container icon that has been cached to the system disk.

Device containers are a relatively new concept in Windows. They reflect the fact that a single physical device may present more than one logical device.

For example, a removable USB disk will typically present at least four logical devices: a USB-storage device, a disk, a Windows portable device (WPD), and one or more generic volumes.

Later versions of Windows link these devices through use of a GUID called the ContainerID.

Using the ContainerID to filter the spreadsheet and/or bookmarks produced by the script will allow the examiner to group together all of a physical device's properties in a way that may reveal relevant information that might otherwise be missed.

Please note that the script processes the current control set (CCS) only. It will not process the DEVPKEY_DeviceContainer_AssociationArray property on account of persistent corruption experienced when the underlying Registry hive file is parsed by EnCase without the associated log files.

For more information regarding device properties, please see the following link:

Version: 1.0
Tested with: EnCase Forensic 8.08
Developer: Simon Key
Category: Artifact

52 DOWNLOADS
