{"id":10176,"date":"2025-10-17T22:12:33","date_gmt":"2025-10-17T22:12:33","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10176"},"modified":"2025-10-17T23:19:06","modified_gmt":"2025-10-17T23:19:06","slug":"forensics-of-the-past","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/10\/17\/forensics-of-the-past\/","title":{"rendered":"Forensics of the past"},"content":{"rendered":"\n
Few days ago my buddy and I had a chat about so-called old-school forensics. The one where you often used Encase, and – if you were inclined enough – EnScript scripting.<\/p>\n\n\n\n
This convo led me to my old Enscript code that I wrote over 15 years ago.<\/p>\n\n\n\n
At that time I worked for a consulting firm that was specializing in analysis of carding-related breaches, and we often saw the very same Threat Actors attacking victims in a hospitality and catering sector all over the place. Thanks to my reverse engineering skills, I ended up doing a lot of malware analysis tasks for the whole team back then + since I was very interested in automation, I ended up developing a very basic and rudimentary triage<\/code> Enscript script that one could just run immediately after they mounted an image in Encase.<\/p>\n\n\n\n
Reviewing that code this week… the code I wrote so many years ago… made my jaw drop.<\/p>\n\n\n\n
The stuff my script was looking at, and doing, back then… can be seen as a very early threat hunting exercise focused on a data from a single endpoint. An exercise where the artifacts were extracted in an automated fashion, bookmarked for review, and organized into a hierarchy that was supporting that quick&dirty review process:<\/p>\n\n\n\n<\/a><\/figure>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/10\/enscript_og1.png\")
<\/a><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/10\/enscript_og2-1024x950.png\")
<\/a><\/figure>\n\n\n\n