I just finished a second week of EnScript training in Melbourne, Australia with an Australian training partner named Invest-e-gate (website down for remodel at the moment). The founder of the company and I used to work together at Guidance a lifetime ago, and it was great to see him again and to find that he is staying on the cutting edge of things, just like usual.
It was a great group of students, very committed and interested in taking the use of EnCase to the next level through automation and getting some results and configurability that you can't get through the canned version of EnCase. It was amazing to spend two weeks in Australia in two separate cities but to have back-to-back classes with such committed and smart students. All of the students were able to get through the formal lessons quickly, so we spent a lot of extra time developing personal projects and ideas.
Many students had great ideas on how to use the EnScript features, including sending lots of data from inside EnCase to a database and collecting the data from several different examiners. Another idea the students put to use was using EnScript to help categorize bookmarked images for quick triage.
If you rely on hashing a lot, an idea worth considering is using the power of EnScript to *quickly* hash a small portion of each file (say 20 bytes) and then create a subset of "possible" matches. Only then do you invest the time and effort in hashing the entire file programmatically. This can dramatically reduce the amount of time you spend doing hash comparisons, since generating the hash is the time-consuming part. Hashing a small area of the file is much quicker, and it shrinks the pool of entries that could possibly match your full-size hash values, so you spend far less time generating full hashes across all the files. Keep in mind that a partial-hash match is only a candidate: the full hash is still what confirms a match.
If you do hash analysis a lot, you can also cut your hash comparison time if you start collecting file sizes along with hash values for each file you want to identify (the NIST hash sets include file size). You can then use an EnScript to first look for files that are the same size as the ones in your list, and only hash those: if the file size is different, the hash has to be different, so there is no need to invest the time or computing power to hash it.
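The two-stage filter described above (size first, then a 20-byte prefix hash, then a full hash only for the survivors), written out as an added example in Python rather than EnScript. This is not code from the class or from EnCase; it assumes you have the known files on hand to build a reference set that carries size, prefix hash and full hash, since stock hash sets do not include a prefix hash.

```python
import hashlib
import os
import tempfile

PREFIX_LEN = 20  # bytes hashed in the cheap first pass, as suggested in the post

def full_sha1(path):
    """Expensive pass: hash the whole file in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def fingerprint(path):
    """Cheap pass: (file size, SHA-1 of the first PREFIX_LEN bytes)."""
    with open(path, "rb") as f:
        return os.path.getsize(path), hashlib.sha1(f.read(PREFIX_LEN)).hexdigest()

def build_reference(known_paths):
    """Reference set: cheap fingerprint -> full hashes of the known files."""
    ref = {}
    for p in known_paths:
        ref.setdefault(fingerprint(p), set()).add(full_sha1(p))
    return ref

def match_files(candidate_paths, ref):
    """Return (matching paths, number of full hashes actually computed)."""
    # A file whose size or prefix is not in the reference set cannot match,
    # so only fingerprint survivors are worth the expensive full hash.
    survivors = [(p, fp) for p in candidate_paths if (fp := fingerprint(p)) in ref]
    matches = [p for p, fp in survivors if full_sha1(p) in ref[fp]]
    return matches, len(survivors)

def demo():
    # Constructed sample files (not real evidence) that exercise each filter stage.
    d = tempfile.mkdtemp()
    def write(name, data):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
        return os.path.join(d, name)
    ref = build_reference([write("known.bin", b"A" * 20 + b"payload" * 100)])
    candidates = [
        write("same.bin", b"A" * 20 + b"payload" * 100),  # true match
        write("size.bin", b"A" * 20 + b"payload" * 50),  # size differs
        write("head.bin", b"B" * 20 + b"payload" * 100),  # same size, prefix differs
        write("tail.bin", b"A" * 20 + b"payload" * 99 + b"PAYLOAD"),  # both cheap checks pass
    ]
    matches, full_hashed = match_files(candidates, ref)
    return [os.path.basename(m) for m in matches], full_hashed
```

Of the four candidates only two earn a full hash, and only one of those is a real match; the tail.bin case is why the full hash still has to run on the survivors.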
We also spent some time discussing entropy and how to use that programmatically to identify files with different hash values, but with similar content, as well as using it to help find malware. Great stuff!
Here are a few cheesy shots from class in Melbourne.
If you are in and around Australia and need forensic training, I highly recommend invest-e-gate. State of the art training facilities and like I mentioned, they are doing some cutting-edge stuff in all areas of security & forensics.