by Dr. Radut

FCNS_PE

FCNS_PE is a EnScript for carving and parsing PE format.

FCNS PE 01

Open the case or create new case, add evidence then launch this EnScript. The following options are available.

  • Target
    • Selected: blue-checked file/object
    • Other - $LogFile, pagefile.sys, Unallocated Clusters: enable/disable by each check box
  • Filtering Option
    • Min Size/Max Size: carving size by KB
    • Only search the start of each sector: it may takes time if you choose this option
    • Carve out overwritten data: this EnScript only checks duplicate PE signature within the scope of carving
  • Export
    • LEF File: specify the file path carving PE
    • TSV File: specify the file path parsing PE

Download

FCNS_PE_1.0.1.EnPack (SHA1: e77b59f9d7c94f084732ae7d1ea58e2cc32f23ed)

License

You may use the SOFTWARE freely for personal or commercial and NO WARRANTIES.

Requirements

EnCase 7.x

Background

File Carver module is for file carving on EnCase v7. It is based on File Type table which describes specific header/footer signature with each format. If the footer is not defined, File Carver relies on the specified value at Default Length field. However, File Carver works more intelligence with some format which is registered at Optimized type.

FileCarver 01

Unfortunately it doesn't contain PE format(exe, dll, sys) as Optimized. So File Carver relies on 'MZ' signature and Default length for PE format.

FileType MZ

PE format detail is published by Microsoft so we can get the accurate file size by interpretation of the PE structure. Mr. Haruyama has already implemented this idea as EnCase v6 EnScript PFDCforPE. I rewrote this approach for EnCase v7 and added some improvements.

Feature

PFDCforPE has unique feature that checks difference between entropy, tries to detect packer or something. FCNS_PE doesn't have these feature, implemented checking duplicates and parsing Version Information Structures instead.

The following is the result after FCNS_PE finished carving at Unallocated Clusters for sample evidence.

FCNS PE 02

You can see the summary and log on Console view. Generated LEF contains the result of carving PE by extension (EXE, DLL, SYS).

FNCS PE 03

Generated TSV File contains source/meta information.

FCNS PE 04

Reference

Some Old Stuffs - CCI (PFDCforPE parse/filter/detect/carve PE files)
http://takahiroharuyama.github.io/blog/2014/01/05/some-old-stuffs/

Microsoft PE and COFF Specification
http://msdn.microsoft.com/en-US/windows/hardware/gg463119

Version Information Structures
http://msdn.microsoft.com/en-us/library/windows/desktop/ff468916(v=vs.85).aspx

History

2015/04/19

I added "VSS" in Target - Other. However, a noise may be contained in this results because the EnScript doesn't parse structure of VSS. It is recommended If you found PE file in VSS Store. The EnScript have also adjusted timezone with evidence.