DFIR450 - EnCase EnScript Programming
Duration: 4 Days
This hands-on course introduces the student to the EnScript language, which is designed to allow users to fully tap into the data processing power of OpenText™ EnCase™ Forensic (EnCase), automate tasks, and create fully functional applications that can be shared with other EnCase users. The class is designed for students who have fundamental programming skills and wish to enhance their investigative techniques through the use of EnScript programming.
Instructors and students will write EnScript applications together. Practical exercises will be used to reinforce the tuition given during the course. Students will learn and practice the skills needed to write intermediate-level EnScript programs that automate searching, interpretation, extraction, bookmarking, and external reporting of data encountered during the examination of computer systems.
Delivery method: Group-Live. NASBA defined level: advanced.
CPE Credits - 32
This live course is intended for investigators with intermediate computer skills. A good understanding of the concepts of computer forensics and the EnCase operating environment is required. Individuals considering this course are encouraged to download and complete the EnScript Fundamentals curriculum prior to attending the EnScript Programming course. The class curriculum builds upon the foundation of the DF120-Foundations in Digital Forensics and DF210-Building an Investigation courses (formerly EnCase Computer Forensics I and II), continuing with a focus on automating computer examinations through writing EnScript programs.
Some familiarity with any programming language. Please review the reference materials and the link to the EnScript Fundamentals listed in the course description.
This course covers programming concepts, including:
- Working with case and local file system data
- Using EnScript applications to bookmark data
- Searching case data, mounting compound files, and reading XML content
- Writing data to logical evidence files
- Creating and using EnScript programs to read, bookmark, and interpret Microsoft® Windows Registry data
- Working with SQLite database files
- Creating and bookmarking custom lists and result sets
- How to create custom dialogs boxes in order to accept, validate, and process input provided by the end user
Notwithstanding that the EnScript language is not as fully featured as those languages, it is still expansive and continues to undergo rapid development; it is therefore not possible to cover every aspect of the language in four days. That said, the course aims to give students a good grounding in those areas of the EnScript language that are most likely to be of benefit during day-to-day forensic examinations.
Programming experience is not a prerequisite for attending the course so as not to discriminate against examiners who would like to learn how to harness the power of EnScript programming but have little or no programming experience. Unfortunately, experience has shown that this can lead to quite a gap between those attendees who are experienced programmers and those who have little or no programming experience.
To try and bridge this gap, those sections of the student manual that document fundamental EnScript programming concepts (variables, operators, flow control, functions, and basic class usage/construction) are available for anyone to download in a PDF document free-of-charge. This document, which is entitled “EnScript Fundamentals,” can be downloaded from the following URL:
Inexperienced programmers are expected to review the content of the EnScript Fundamentals document in their own time so as to ascertain if the course is right for them. If they decide to attend the course, they should ensure that they have a good working knowledge of the programming concepts contained therein. Two practical exercises are included (together with suggested answers) to assist with this.
Please note the following: