EnScripts – USNJrnl.enscript

As I have mentioned previously one of the things I want to learn to make me a better Forensic Analyst is Python. Mainly because Kev can’t complete a sentence at work without mentioning it and also because I am inherently lazy and have been led to believe python can do lots for me.

I recently read an excellent blog post about using python scripts within EnScripts, written by James Habben which gave a great tutorial on using the power of the Python scripting language within EnCase.  Now I have a real love for EnScripts because as I said before I am inherently lazy (sometimes I wish I was) and I like it when I can automate processes.  So I worked with Kev on the creation of an EnScript for AnalyzeMFT.py which you can read about on his blog.  I must point out here I am a complete beginner with both Python and Enscripts so have relied heavily on the teachings of Kev and also the very useful blog posts by James but as I gain more experience I hope to add to that knowledgebase in the future.

Python Install

First thing I needed to do was install Python and for it to work with EnCase it would need to be the windows version, although be aware there is a powerful command line version for linux also.  I am using the 2.78 version of Python found here. Then it was a case of performing a windows install.

At this point I also want to add python to my environment variables ($Path) which will allow me to run it from the windows command line with more ease.  To do so right click My Computer and go to Advanced System Settings, then click on Environment variables and you will be presented with:

python $Path

Edit the path variable and at the beginning of the text box add C:\python27;

So now we have python installed I am good to proceed.

After we completed the work on AnalyzeMFT I went looking for another python script that might benefit from being adapted for use in EnCase and having used the below script before and it’s csv output in analysis I thought usnJrnl was ideal for me to cut my teeth on.

UsnJrnl

I  downloaded the UsnJrnl parser from the authors page.  When the python script initially downloads it’s named UsnJrnl-24NOV09.py but for the enscript I renamed it to usnjrnl.py. I then created C:\scripts to store my python scripts and placed usnjrnal.py within it. I don’t need to make any modifications to the python script just store it in my scripts folder.

UsnJrl EnScript

Now it was the EnScript where I was going to make a few alterations and additions to make things work for me but the EnScript provided by James in his above blog is an excellent foundation for working against a single artefact with a csv output expected.

The changes I made to the basic EnScript were as follows:

The processing of the UsnJrnl file can take some time so we decided to add a line of code that would output to the console stating that the file was being copied out to a temp folder (This is where EnCase runs against the artefact). So we added:

11.  Console.WriteLine("Copying file to tmp location please wait");

The next part of the code is one that needs to be amended so that EnCase can find both the python program and the enscript it needs to run in python so we amend line 14 as so:

13.  String pythonPath = "C:\\Python27\\python.exe";
14.  String pyScriptPath = "C:\\scripts\\usnjrnl.py";

So as you can see I have added the location of the usnjrnl script and the location of the python executable remains the same.

The next additions/amendments to the EnScript were:

15.  String py_arg_in = outputFile.Name();
16.  String py_arg_out = c.ExportFolder() + "\\" + "usnjrnl";
17.  Console.WriteLine("Processing $UsnJrnl.$J");

Line 15 was an amendment to code already present and the reason for the amendment was to inform EnCase where the UsnJrnl had been exported to within the temp folder.

Line 16 was an addition to the script because We needed to tell EnCase where to export our final csv to and what to call it

Line 17 was an addition because as before when extracting the UsnJrnl it had the appearance that nothing was happening, therefore the addition of this console output lets the user know it is processing.

The next part of the EnScript deals with EnCase telling python what it needs to do:

18.  ExecuteClass exe();
19.  exe.SetFolder(pythonPath.GetFilePath());
20.  exe.SetApplication(pythonPath);
21.  exe.SetCommandLine(String::Format("\"{0}\" -c -f \"{1}\" -o \"{2}\"", pyScriptPath, py_arg_in, py_arg_out));

Basically we are telling EnCase to start Python and line 21 is the command line we wish to run against the file that was exported to the temporary folder and we want our csv out put to be sent to our cases export folder and named usnjrnl.

The flags used on the command line are:

  • -c Creates a csv output
  • -f Input file name
  • -o Output file name

The next amendment is another console instruction:

23.  Console.WriteLine(String::Format("CSV File Written out to {0}.csv", py_arg_out));

This lets the user know that the file has been written to the export folder.

Finally we have one last line to instruct the user via the console that processing has completed:

27.  Console.WriteLine("Processing Complete!\n{0}", SystemClass::LastError());

Once complete it was saved as a .enscript and I placed it into my default EnCase folder for use within EnCase.

Running the EnScript

Running the EnScript involves selecting the $UsnJrnl:J file with EnCase and then on the dropdown EnScript menu selecting Run and choosing our new EnScript.

usnjrnl enscript

In the Console you can see the results of the extra console lines that we added:

usnjrnl Console

Now when we go to the export folder for the case we will find our newly created usnjrnl.csv file for analysis:

usnjrnl output

As a result of this new journey into the world of EnScripting I have reached another geek milestone and am now the proud owner of a Github repository!  The usnjrnl EnScript can be found on my Github.

When I get the time I plan to use James latest blog post which takes us a step further and allows us to add a nice GUI to the EnScript.

I would like to take the opportunity to massively thank Kev for his assistance in helping me understand and implement the coding and also to James for putting the challenge out there for members of the community to explore the power of Python and EnScripts.  I look forward to the learning journey ahead as it has already bore much fruit for me and I hope others will get use out of the EnScript and this blog.

Leave a reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>