The script is designed as an aid to scanning multiple files using one or more *.yar or *.yara files each containing one or more YARA rules.

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.

The script provides the option to scan selected items in the current user view (does not work with records), all and tagged items.

An internal condition can be used to further control processing. For example, it can be used to target *.exe and *.dll files.

In order to operate, the script uses the libyara.NET API, which in turn wraps the YARA C API.

The version of libyara.NET used by this version of the script targets YARA version 4.5.1.

Each file is sent to the .NET API as a memory stream. The results are converted to JSON before being streamed back to the EnScript for interpretation and bookmarking.

Due to this mode of operation, the script will not attempt to process deleted files or those larger than 2GB in size.

Accordingly, the script is not suited to processing RAM dumps, pagefile.sys or hiberfil.sys.

The fast scanning option makes scanning a little faster by avoiding multiple matches of the same string when not necessary. Once a string has been found in a file it’s subsequently ignored, which will result in a single match for the string, even if it appears multiple times in the scanned data.

Output is by way of the console, bookmarks, and optionally, JSON files written to a nominated export folder.

It should be noted that data found as a result of string searching will be Base64 encoded in each JSON output file.

This script was developed for use as part of EnCase training. For more details, please visit the following links:

• EnCase Forensic Learning Paths
• EnCase Endpoint Security Learning Paths