Tuesday, September 4, 2007

EnScript Tutorial - Part I

This will be the first tutorial in a series in an attempt to try and teach some basic EnScript concepts. First, some disclaimers: I am not a programmer by profession. I have learned the EnScript language out of necessity to automate processing of evidence and have since written many EnScripts, some of which are now part of the public release version of EnCase and some of which are given to students during EnCase training, but I certainly don't consider myself an expert in writing EnScripts.

The purpose of this tutorial is to try and provide some basic concepts and instruction to an EnCase user who also does not have any programming experience so they can write some basic EnScripts and/or modify existing ones for a specific need.

I have been teaching various EnCase training classes for almost the past 5 years and it amazes me at the answers I get from students when I ask about EnScripts, Filters and Conditions. Most know they are in the lower right pane of EnCase and many know some of the “canned” EnScripts that everyone seems to use (Initialize Case), but very few can describe filter, conditions or queries. So lets first discuss these four topics so you understand their differences and understand which may be the better solution to your automation need.

EnScripts

The EnScript tab gives you access to the built-in EnScript editor and allows you to see the code for the EnScript, as long as it isn’t compiled (EnPack format). An EnScript is the most powerful automation feature but it is also the most raw. “Raw” meaning that the EnCase software does very little for you automatically and your EnScript is responsible for doing everything you want to do, unlike a condition that we will discuss later. The EnScript programming language is very “Java-ish” and C++. If you have any experience with those two languages, then learning the EnScript language should be a snap.

An EnScript can do almost anything you want. It can access just about everything you the user can access or see inside EnCase. It can create folders and files on the local file system (not the evidence, the evidence file can never be altered via EnCase). In the Enterprise Edition, it can create directories and files on remote machines as well as delete them. It can also execute other win32 programs.

When you create an EnScript for the first time, EnCase provides the absolute minimum code for you:

class MainClass {
       void Main(CaseClass c) {
       }
}

This code will run, but does absolutely nothing. It is just the absolute minimum code that must be present to be a valid EnScript. When writing an EnScript, you are responsible for writing everything else. EnCase does nothing automatically for you.

Filters
A filter is an EnScript. It is the same language. The only difference is that a filter is designed for a specific purpose, to filter what you see. The original concept was to filter our files/folders based on some type of criteria; i.e. file extension, size, name, whatever. EnCase treats filters a little different than raw EnScripts. This is because EnCase is actually doing some work behind the scenes for you in an effort to “filter” what you see in the evidence. The code in a filter can do just about anything a raw EnScript can do, but it must answer one important question. Do you want to see files/folders (called entries) that match your criteria? If you do not answer that question in your code, your filter will not run.

EnCase actually does some background processing for you with a filter by automatically recursing all the evidence. Recursing means it looks at every entry in your evidence and then asks you, do you want to see this entry or do you want to hide it from view? Here is the minimum code required for a filter:

class MainClass {
       void Main(EntryClass entry) {
          return true;
       }
}

There are two major differences between this code and the code presented above. First, the parameter being passed to the main function is different (CaseClass c vs. EntryClass entry) and the second being the one added line that states, “return true”. This line is responsible for answering that question I mentioned above, “Do you want to see this entry or hide it from view”? So with a filter, EnCase gets every entry in all your evidence, one by one and then executes this code for every entry. It reads the above code that says “return true”, meaning show me this entry. EnCase then gets the next entry and does it again, until it goes through every entry in your evidence. If you have 20,000 entries in a piece of evidence, then this code will execute 20,000 times. If you changed the line to say, “return false”, EnCase would hide every single entry from your view until you removed the filter.

Conditions
A condition is exactly the same as a filter, except you don’t need to know how to write EnScript programming language. The condition tab allows you to use user-friendly criteria or selections to automagically write a filter. By selecting certain criteria, such as name, contains, “mytext”, EnCase will automagically generate the necessary EnScript code to perform that filter.

Queries
A query is nothing more that two or more filters put together. The filter and condition tab have a limitation that only allow you to apply one filter at a time. By using a query for example, if you have a filter that only shows you files that are larger than 10,000 bytes in size and another filter that only shows you files with the extension of JPG, you could create a query that would take those two filters and apply them simultaneously, the result would be only files with a JPG extension whose size is greater than 10.000 bytes would be displayed.

In the next part, I will begin to explain the EnScript programming language and how to perform simple actions.

4 comments:

Robyn Friday, 16 July, 2010  

How vital do you think this is utilized on a day by day basis? I am new into the field and am trying to gather as much info as possible. I am currently going to college with this as my degree field and I had never heard of EnScript. I want to cover all of my bases so to speak.

Lance Mueller Monday, 19 July, 2010  

Robyn,

EnScript is a vital part of forensic examinations, if you use EnCase. Many examiners use pre-written "bottled" enscripts to gain additional information. If a person has a desire to learn the language then they can automate so many other things and customize all sorts of reporting features.

Lance

Monie Wednesday, 01 December, 2010  

I am pursuing studies in the area with the view of creating standardised tool. I am exploring all options I am not sure if enscript would be versatile enough for this. Never heard of it before either and I did not realise Encase had such facilities. Interesting, you bet I will be going through your tutorials. Are you available for general contact and comments?

sms spy Friday, 27 May, 2011  

hey, your tutorial was very easy. i am a beginner and it had helped me out a lot to understand what i was looking at. Thank you.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles