DFIR450 - EnCase EnScript Programming

Have questions about training?   Contact us

Duration: 4 Days

This hands-on course introduces the student to the EnScript language, which is designed to allow users to fully tap into the data processing power of OpenText™ EnCase™ Forensic (EnCase), automate tasks, and create fully functional applications that can be shared with other EnCase users. The class is designed for students who have fundamental programming skills and wish to enhance their investigative techniques through the use of EnScript programming.

Instructors and students will write EnScript applications together. Practical exercises will be used to reinforce the tuition given during the course. Students will learn and practice the skills needed to write intermediate-level EnScript programs that automate searching, interpretation, extraction, bookmarking, and external reporting of data encountered during the examination of computer systems.

Delivery method: Group-Live. NASBA defined level: advanced.

CPE Credits - 32


This live course is intended for investigators with intermediate computer skills. A good understanding of the concepts of computer forensics and the EnCase operating environment is required. Individuals considering this course are encouraged to download and complete the EnScript Fundamentals curriculum prior to attending the EnScript Programming course. The class curriculum builds upon the foundation of the DF120-Foundations in Digital Forensics and DF210-Building an Investigation courses (formerly EnCase Computer Forensics I and II), continuing with a focus on automating computer examinations through writing EnScript programs.


Some familiarity with any programming language. Please review the reference materials and the link to the EnScript Fundamentals listed in the course description.


This course covers programming concepts, including:

  • Working with case and local file system data
  • Using EnScript applications to bookmark data
  • Searching case data, mounting compound files, and reading XML content
  • Writing data to logical evidence files
  • Creating and using EnScript programs to read, bookmark, and interpret Microsoft® Windows Registry data
  • Working with SQLite database files
  • Creating and bookmarking custom lists and result sets
  • How to create custom dialogs boxes in order to accept, validate, and process input provided by the end user


The EnScript language has its roots in C++ but also mimics some of the functionality offered by C#, Java, and JavaScript.

Notwithstanding that the EnScript language is not as fully featured as those languages, it is still expansive and continues to undergo rapid development; it is therefore not possible to cover every aspect of the language in four days. That said, the course aims to give students a good grounding in those areas of the EnScript language that are most likely to be of benefit during day-to-day forensic examinations.

Programming experience is not a prerequisite for attending the course so as not to discriminate against examiners who would like to learn how to harness the power of EnScript programming but have little or no programming experience. Unfortunately, experience has shown that this can lead to quite a gap between those attendees who are experienced programmers and those who have little or no programming experience.

To try and bridge this gap, those sections of the student manual that document fundamental EnScript programming concepts (variables, operators, flow control, functions, and basic class usage/construction) are available for anyone to download in a PDF document free-of-charge. This document, which is entitled “EnScript Fundamentals,” can be downloaded from the following URL:


Inexperienced programmers are expected to review the content of the EnScript Fundamentals document in their own time so as to ascertain if the course is right for them. If they decide to attend the course, they should ensure that they have a good working knowledge of the programming concepts contained therein. Two practical exercises are included (together with suggested answers) to assist with this.

Please note the following:

  • The subject matter contained in the EnScript Fundamentals document will not be covered in class in order to save time and allow for better coverage of those topics that are specific to EnCase software and EnScript programming.
  • It is not possible to provide tuition in advance of the course. If prospective students have any questions regarding the material contained in the document, they are advised to post them to the Security/EnScript forum on MySupport.
  • Experienced programmers should also read the EnScript Fundamentals document to familiarize themselves with some of the differences exhibited by EnScript in comparison with other programming languages, class construction in particular.

     Course Syllabus


Format Currency Price
Per Student at OpenText Site 2,440.77
Per Student at OpenText Site GBP 2,211.51
Per Student at OpenText Site USD 2,995.00

Taxes: All prices exclude VAT or other taxes where applicable (all currencies).

Extra expenses: Customer site course prices do not include instructor travel expenses, which are billed separately.

Reservations: Please provide a minimum of 3 weeks advance notice when arranging courses at customer sites.

Course and workshop calendar

Below is a listing of all the currently available dates and locations for this course or workshop from OpenText.

Date Course type Course name Language Location Price Currency Add
Nov 30, 2021 On-site DFIR450 - EnScript Prog English Virtual Classroom - Europe GSI UK Time 2,211.51 GBP Add to cart
Feb 08, 2022 On-site DFIR450 - EnScript Prog English GSI-Reading, UK 2,211.51 GBP Add to cart
Feb 08, 2022 On-site DFIR450 - EnScript Prog English Virtual Classroom - Europe GSI UK Time 2,211.51 GBP Add to cart
May 10, 2022 On-site DFIR450 - EnScript Prog English GSI-Gaithersburg, MD 2,995.00 USD Add to cart
May 10, 2022 On-site DFIR450 - EnScript Prog English Virtual Classroom - North America GSI Eastern Time 2,995.00 USD Add to cart