Extend the power of EnCase® with EnCase apps and tap into the expertise of our community of expert EnScript® developers. EnCase apps save you time and money in your investigations and will help you make your case—faster!


Dumpkeychain is a Windows command-line utility for decrypting credentials from Mac OS X
system and user keychains given the associated system-key-file or keychain-password
respectively. Mac OS X user keychains often contain many Internet account passwords login credentials and secure notes.The system keychain contains Wi-Fi passwords and other shared credentials.

App of the Month

iOS Lockdown Extraction

iOS devices have the ability to be password protected. If the examiner doesn't know the password,
the device will not be able to be acquired...Unless: If the examiner has the computer that an iOS
device has been synced to in the past, then there is a folder known as the "lockdown" folder which
holds trust keys. Move the lockdown folder from the subjects computer into the examination
computer, and the iOS will now trust the examination computer and there will be no need for a pw.

Evidence Center 2013

Belkasoft Evidence Center Pro
automates the discovery of many types of
digital evidence from suspects’ hard drives, volatile memory dumps, page and hibernation files.

Partner of the Month

DS_Store Parser

Parse Apple .DS_Store files and find such information as the original path of items in the Mac OS X Trash folder.

VSS Examiner

Quickly and easily identify and preserve data of interest in Microsoft Windows volume shadow copies.

Copy Web Browser Files

A script to search for and copy/export web browser history and cache files to a folder for analysis using 3rd party tools.

Entry Bookmarker

This script will bookmark in groups all blue checked entries by evidence file, year, month, day, weekday, and session.

Low Hanging Fruit

Export unique hashes for all entries that are unknown to NIST.

Messenger Protocol Fragments

Search for MSN and MSN Live Messenger protocol fragments. In many cases, this app can retrieve important protocol data even when chat logging is disabled.

Windows Executable Packer Detection

Analyze Windows executables and detect modification by a packer or cryptor.