EnCase Forensic Version 6.11 User's Guide
To remove the association, clear the check box.
CHAPTER 13
EnScript Analysis
In This Chapter
EnScript Analysis
Enterprise EnScript Programs
EnScript Example Code
Packages
Send To HBGary Responder EnScript
EnScript Analysis
The EnScript® language is a scripting language and Application Program Interface (API). It is
designed to operate within the EnCase® software environment. Although it is similar to ANSI C++
and Java, not all the functions available in those languages are available in EnScript. The EnScript
language uses the same operators and general syntax as C++, though classes and functions are different.
Classes, and their included functions and variables, are found in the EnScript Types panel in the
Tree pane.
Note: For general information on a particular element, highlight it in the Code panel and press F1 to find
the element in the EnScript Types panel.
EnScript programs allow investigators and programmers to develop utilities to automate and
facilitate forensic investigations. The programs can be compiled and shared with other
investigators. A programming background and an understanding of object‐oriented
programming are helpful for coding in EnScript.
Note: For more detailed information on the EnScript programs included with the EnCase application, refer
to the EnCase Programs User Manual.
Note: For additional help in programming with the EnScript language, you can attend a training class or
visit the EnScript message board.
Enterprise EnScript Programs
Enterprise EnScript programs are programs typically used with enterprise cases. Many of
these programs require a SAFE to be set up before they can be used properly.
The available Enterprise EnScript programs are:
Document Incident: used to generate a report containing the details of an incident that required investigation.
Machine Survey Servlet Deploy: used to manage, deploy, remove and install SAFEs and servlets to machines on the network.
Quick Snapshot: used to quickly take a snapshot of a machine that is currently being investigated.
Remote Acquisition Monitor: used to monitor remote acquisitions between the servlets and a network storage device.
Snapshot Differential Report: used to report on differences between snapshots taken over a period of time.
Sweep Enterprise: used to conduct thorough examinations on computers specified from the network tree.
To view Enterprise EnScript programs:
1. In the Filter pane, click EnScript to display the EnScript panel.
2. Open the Enterprise folder from the EnScript tree to see available scripts listed in the Table pane.
3. To run a script, double‐click it in the table.
Document Incident
Use Document Incident to generate a report containing details of an incident that required
investigation.
Open a case.
1. Double‐click the Document Incident EnScript program.
2. Enter the following details in the General Info tab:
Incident Reference Number
Primary Contact
Alternate Contact
Incident Timing
3. Click the Incident Details tab and enter information in the following fields:
Incident Type
Other Type
Status
Intent
Incident Cause
Incident Impact
Affected Systems
4. Click the Conclusion tab and enter the recommended course of action and comments.
5. Click OK.
The program generates a report. Click the name of the incident in the bookmarks panel to view
the report in the Table pane.
Machine Survey Servlet Deploy
Use Machine Survey Servlet Deploy to deploy servlets to machines on the network.
To use this method of deployment, you will need the following:
IP addresses, or a range of addresses, for all nodes where you want to deploy
A common username and password for all nodes where you want to deploy
To deploy servlets using Machine Survey Servlet Deploy:
1. Open the EnCase program.
2. Click the EnScript tab in the Filter pane.
3. Expand the Enterprise folder by clicking the + next to it.