Friday, July 23, 2010

EnScript Programming Course in Sydney

It has been several weeks since my last post and I have been fairly busy, but I thought I would post a quick update.

I just finished an EnScript Programming course in Sydney, Australia. I have to say, the students who attended the course were very sharp. All of them immediately began to come up with ideas and ways to use EnScripts in their workloads.

A couple of ideas that came from the students were using an EnScript to parse through all the archive files and extract all the user-defined file-types, such as JPGs, GIFs & PNGs from inside the archives and then create a new LEF with just those files. THe thought process was sometimes the image you are examining has a lot of archive files and mounting them all at once is a memory/resource issue. By putting them all in a LEF, EnCase does not need to virtually reconstruct the archive in memory, so its less of a resource problem.

Another idea was using an EnScript to access the Document view in EnCase and extract embedded graphics in office docs and other document types and then be able to export or collect those images separately to be able to quickly see the images that are embedded within files, without having to read the docs.

Brian Jones has come up with several EnScripts that have been posted to the Guidance support portal, you should check them out.

It was a great class and great students, very inspiring to see people coming up with new ideas to leverage the power of EnScripts. I am now off to Melbourne to teach another EnScript class there.

Here are a few pictures from class:








4 comments:

Linde Sunday, 25 July, 2010  

Sounds great. Are you planning doing any EnScript courses anywhere in Europe? If so, please announce that :)

I've just checked the EnScript Resource Center and no scripts from Brian Jones there.:(

Lance Mueller Sunday, 25 July, 2010  

Linde,

I have a course in January in Netherlands. I am not sure where in Europe you are, but I am happy to come wherever if you want to host one ;)

Check this link:
https://support.guidancesoftware.com/forum/showthread.php?t=37880&highlight=brian

Anonymous Sunday, 25 July, 2010  

Not sure ... but that file-mounting task you menation, sounds just like the File Mounter Enscript already included with Encase. Or perhaps there was something more involved that made that particular solution unsuitable?

Lance Mueller Monday, 26 July, 2010  

Anonymous,

You are correct. The file mounter EnScript does almost exactly what we wanted. The main difference was that we wanted to generate one LEF for each archive. The File mounter EnScript will generate one LEF for all files. Basically the same solution, except in this case we wanted to limit the size of each LEF in case there were a large number of files (hundreds of thousand) that matched our criteria and we would end up with one huge LEF.

The only other difference was we added a condition dialog letting us use the typical condition type criteria (name, extension, size, date, etc..) as the way to select which files inside the archives we wanted to put in our LEFs.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles