Saturday, July 31, 2010

EnScript Programming Course in Melbourne, Australia

I just finished a second week of EnScript training in Melbourne, Australia with an Australian training partner named Invest-e-gate (website down for remodel at the moment). The founder of the company and I used to work together at Guidance a lifetime ago, but it was great to see him again and to find that he is staying on the cutting edge of things, just like usual.

It was a great group of students, very committed and interested in taking the use of EnCase to the next level through automation and getting some results and configurability that you can't get through the canned version of EnCase. It was amazing to spend two weeks in Australia in two separate cities but to have back-to-back classes with such committed and smart students. All of the students were able to get through the formal lessons quickly, so we spent a lot of extra time developing personal projects and ideas.

Many students had several great ideas on how to use the EnScript features, including sending lots of data from inside EnCase to a database and collecting the data from several different examiners. Other ideas the students put to use included using EnScript to help categorize bookmarks (images) for quick triage.

If you rely on hashing a lot, an idea worth considering is using the power of EnScript to *quickly* hash a small portion of each file (say 20 bytes) and then create a sub-set of "possible" matches. Then you can invest the time and effort in hashing only those files in full, programmatically. This can dramatically reduce the amount of time you spend doing hash comparisons, since generating the hash is the time-consuming part. Hashing a small area of the file is far quicker and lets you shrink the pool of files that could possibly match your full-file hash values, so you spend much less time generating full hashes across all the files.

If you do hash analysis a lot, you can also cut your hash comparison time by collecting the file size along with the hash value of each file you want to identify (NIST hash sets include the file size). You can then use an EnScript to first look for files that are the same size as the ones in your list and only hash those, since if the file size is different the hash must be different too, and there is no need to spend the time or computing power hashing it.
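The two filters described above (file size first, then a hash of the first few bytes, and a full hash only for whatever survives) are easy to see working in plain Python. The block below is an added illustration written for this post, not EnScript and not the author's code; the reference set, the `PARTIAL_LEN` of 20 bytes taken from the post, and all sample "files" are constructed in memory, and it assumes the reference list carries file sizes and that partial hashes were computed once when the reference set was built.

```python
"""Two-stage hash triage: cheap filters first, full hashes only for survivors."""
import hashlib
from collections import defaultdict

PARTIAL_LEN = 20  # bytes covered by the cheap first-pass hash (from the post)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def partial_hash(data: bytes, length: int = PARTIAL_LEN) -> str:
    """Hash of only the leading bytes; cheap regardless of file size."""
    return md5_hex(data[:length])


class ReferenceSet:
    """Known-file index: size -> partial hash -> set of full hashes.

    Assumption: the reference list provides sizes (as NIST sets do) and the
    partial hashes are precomputed once from the known files.
    """

    def __init__(self):
        self.index = defaultdict(lambda: defaultdict(set))

    def add(self, data: bytes) -> None:
        self.index[len(data)][partial_hash(data)].add(md5_hex(data))


def triage(files: dict, ref: ReferenceSet) -> dict:
    """Apply size filter, then partial-hash filter, then full hash on survivors.

    Returns the matched names plus counters showing how many full hashes
    each filter saved.
    """
    result = {"matches": [], "skipped_size": 0, "skipped_partial": 0, "full_hashed": 0}
    for name, data in files.items():
        by_size = ref.index.get(len(data))      # .get() avoids creating empty keys
        if not by_size:
            result["skipped_size"] += 1          # different size => different hash
            continue
        candidates = by_size.get(partial_hash(data))
        if not candidates:
            result["skipped_partial"] += 1       # leading bytes differ => cannot match
            continue
        result["full_hashed"] += 1               # only now pay for the full hash
        if md5_hex(data) in candidates:
            result["matches"].append(name)
    return result


# Constructed reference files (stand-ins for entries in a hash set)
KNOWN_A = b"MZ" + b"\x90" * 30 + b"known tool payload A"                 # 52 bytes
KNOWN_B = b"%PDF-1.4 constructed sample document B" + b"\x00" * 10      # 48 bytes


def build_demo() -> dict:
    """Run the triage over a constructed evidence set covering each filter path."""
    ref = ReferenceSet()
    ref.add(KNOWN_A)
    ref.add(KNOWN_B)
    files = {
        "exact_copy.exe": KNOWN_A,                        # survives all filters, matches
        "same_size_same_head.exe": KNOWN_A[:-1] + b"Z",   # full hash needed, then no match
        "same_size_diff_head.bin": b"XX" + KNOWN_A[2:],   # size matches, partial hash rejects
        "other_size.txt": b"nothing like the reference set",  # size filter rejects
        "doc_copy.pdf": KNOWN_B,                          # survives all filters, matches
    }
    return triage(files, ref)


if __name__ == "__main__":
    print(build_demo())
```

Of five files, only three are hashed in full, and the size check alone removes the cheapest case without touching the content. On a real drive the savings come from the large files that fail the size check, where reading the whole file is the expensive part.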

We also spent some time discussing entropy and how to use that programmatically to identify files with different hash values, but with similar content, as well as using it to help find malware. Great stuff!
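As an added example (not from the class or the author), the block below computes Shannon entropy the way it is used in the two cases mentioned: flagging content whose overall entropy suggests compression or encryption, and comparing a per-block entropy profile so that two files with different hashes but near-identical content still look alike. The text and pseudo-random samples, the 256-byte block size, and the 7.2-bit threshold are all constructed for the demonstration.

```python
"""Shannon entropy for triage: high-entropy flagging and content-shape comparison."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (one repeated value) to 8.0 (uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = 256) -> list:
    """Entropy of each fixed-size block: a cheap fingerprint of the content's shape."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def profile_distance(a: list, b: list) -> float:
    """Mean absolute difference between two profiles (shorter one padded with 0.0)."""
    length = max(len(a), len(b))
    a = a + [0.0] * (length - len(a))
    b = b + [0.0] * (length - len(b))
    return sum(abs(x - y) for x, y in zip(a, b)) / length


def classify(data: bytes, high: float = 7.2) -> str:
    """Flag files whose entropy is in the range typical of packed or encrypted data."""
    return "high-entropy (packed/encrypted?)" if shannon_entropy(data) >= high else "normal"


def same_shape_different_hash(a: bytes, b: bytes, tol: float = 0.5) -> bool:
    """True when the hashes differ but the entropy profiles are within tolerance."""
    if hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest():
        return False
    return profile_distance(entropy_profile(a), entropy_profile(b)) < tol


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: a text file, a lightly edited copy, and random-looking data
TEXT_A = b"the quick brown fox jumps over the lazy dog. " * 30   # 1350 bytes
TEXT_B = TEXT_A.replace(b"lazy", b"busy")                       # new hash, same shape
RANDOM = pseudo_random_bytes(1350)


if __name__ == "__main__":
    for label, sample in (("text", TEXT_A), ("edited", TEXT_B), ("random", RANDOM)):
        print(f"{label:7} entropy={shannon_entropy(sample):.3f} {classify(sample)}")
    print("text vs edited similar:", same_shape_different_hash(TEXT_A, TEXT_B))
    print("text vs random similar:", same_shape_different_hash(TEXT_A, RANDOM))
```

The per-block profile is deliberately crude; its value is that it is independent of the hash, so a one-word edit that defeats hash matching barely moves it, while encrypted or compressed content sits near 8 bits per byte in every block.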

Here are a few cheesy shots from class in Melbourne.

Anyway, I am now back in Bangkok and I am planning on doing another EnScript course at the beginning of the year, hopefully in the Netherlands. If anyone else is interested in hosting a class, please let me know and we will see if we can pull off a course in your area. Meanwhile, back to work and hopefully some new upcoming blog posts & practicals!

If you are in and around Australia and need forensic training, I highly recommend invest-e-gate. State of the art training facilities and like I mentioned, they are doing some cutting-edge stuff in all areas of security & forensics.

Invest-e-gate Pty Ltd
+61 3 9016 4451
www.invest-e-gate.com

10 comments:

Razzberry Corner Sunday, 01 August, 2010  

Thank you for the info about the Melbourne class. I had researched Enscript training and had requested to go to that very class, but of course my work disapproved it (considering I'm in Washington, DC, I guess they figured there was a closer class)!

~Lynn

lance mueller Sunday, 01 August, 2010  

Lynn,

Sorry we missed you in AUS. Maybe your employer will let you attend one in the Netherlands, Middle East or Asia?? ;)

Contus Tuesday, 10 August, 2010  

Thanks for the nice information...

Anonymous Wednesday, 08 September, 2010  

Lance,

Do you have any details of the Netherlands course please? I am interested in attending

Lance Mueller Thursday, 16 September, 2010  

Anon,

Details on the class are still being worked out. As soon as it is worked out, I will post here.

Lance

Anonymous Thursday, 23 September, 2010  

How about the class in Middle East, would you mind sharing the info. I am currently in Dubai, UAE.

Thanks in advance.

Lance Mueller Thursday, 23 September, 2010  

If you have any interest in having class in your area, please contact me at lance (at) forensickb.com so I have a way of contacting you so I can create an interest list for the various cities.

Lance

Anonymous Monday, 11 October, 2010  

Hey Lance
Are you planning to have a class in INDIA?

Dominick Sunday, 02 October, 2011  

Students of Melbourne are really smarter than in any other country. This is my first visit to this site and I find a lot of interesting stuff here.

Thanks..

Dominick

ashely Saturday, 20 October, 2012  

Hi,
Groupon Clone is a successive business model in the world, we
can avail great deals through this model, do visit
groupon.comclone.com


Computer Forensics, Malware Analysis & Digital Investigations