EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting
Digital Forensics | Aug 26, 2015
Now that the Enfuse Call for Papers has just gone out, I'm reminded of all the hard work that went into CEIC earlier this year. While there was record attendance, I know not everyone was able to make it to Vegas, so I wanted to re-examine a few EnScripts that were showcased in May, specifically EnScripts designed to save time, manage evidence and help create quick, professional reports. In this three-part blog series I'll show you how to access and navigate EnCase App Central and how to join the EnCase Developer Network, and I'll walk you through these EnScripts:
- What's New in App Central
- Manfred's Comprehensive Case Template
- Time Zone Prior to Processing
- Quick Report
EnCase App Central is an aggregator for EnScripts, filters, templates and almost any other mod you can think of for use with Guidance Software products. It's designed similarly to your typical e-commerce site, except that 90% of its catalog is free. The catalog is populated with over 150 EnScripts, small executables designed to work with or within EnCase, adding or automating features and giving users the opportunity to customize their EnCase experience. Most of these EnScripts are written by hands-on users and experts, such as the Guidance Software training team and many experts in our EnCase community. The catalog is also home to several integrations designed by third-party developers like Image Analyzer, Cisco AMP Threat Grid, and Magnet Forensics.
You can find EnCase App Central at the Guidance website (www.guidancesoftware.com) under the 'hamburger' menu button in the top right corner, or by jumping directly to EnCase App Central.
From the EnCase App Central home page you can view all EnScripts, search for a specific EnScript, or apply for the EnCase Developer Network, where you'll be given the tools and support to create and submit your own EnScripts. Acceptance into the program grants you these benefits:
- An EnCase Developer license (Dongle)
- Exclusive access to the v7 SDK
- Access to up-to-date information on programming EnCase EnScripts
- Receive pre-release builds of EnCase
- Receive code samples
- Receive sample evidence files for testing
- Access to Guidance technical support
- Guidance will QC your work
- Exclusive rights to publish your EnScripts on EnCase App Central
- Worldwide visibility for your EnScript
- Guidance will manage the purchase of your work
- Customer feedback on your EnScript
- Ability to offer your EnScripts for free or for a fee
What's New in App Central
The first EnScript I want to talk about is called What's New in App Central. It can be run from the home menu and does not require a case to be open. This EnScript checks EnCase App Central to see if any new EnScripts have been recently added. Its simple UI shows the last time you used the EnScript to check EnCase App Central's inventory and all the previous EnScripts available. Clicking 'check' provides you with a list of all the new EnScripts that have been added to the site or updated since your last visit.
It's one of my favorite EnScripts because it's a creative use of the EnScript language and really shows the variety of things you can create with EnScript. It's a quick, easy way to see what new or updated EnScripts are available without having to leave EnCase.
Clicking any of the EnScript titles will take the user directly to its product page, where the EnScript can be downloaded.
Manfred's Comprehensive Case Template
Manfred Hatzesberger (@manfred_encase) joined Guidance Software as an instructor in January of 2006, and is the Training Manager at the Pasadena office. Originally from Germany, Manfred conducts numerous courses in Europe in his native language, in addition to teaching at our US-based facilities. He knows EnCase. He knows investigations and he knows investigators.
When investigating, you're going to come across a laundry list of artifacts that require further investigation or provide the evidence needed to close a case. To capture these items within EnCase you'll use bookmarks.
To use bookmarks, select an item or blue-check multiple items, then right-click. From the menu, select 'Bookmark'.
All bookmarked items can be viewed in the bookmark view tab. The folder structure of the bookmark view is determined by the template selected when creating a case. The structure can be added to or edited during your investigation depending on what artifacts you encounter. The structure is also what creates the outline of your final report.
Manfred's case template is populated with 80+ bookmark folders that account for a majority of the artifacts encountered by a digital forensic investigator. This comprehensive folder structure is helpful when organizing evidence during your investigations. Before your investigation even begins, Manfred's template has created a home for anything you'll want to revisit, investigate further or include in your report. My favorite part of the template is how well it translates into a final report: its structure and helpful folders make sure your evidence will already be prepared in an order best suited for presentation.
Once you've downloaded the template from EnCase App Central, you just need to drop it into the template folder wherever your copy of EnCase 7 is installed (Program Files > EnCase > Templates) and it will be available the next time you launch EnCase.
Thanks for reading. Stay tuned for part two of this series, where I'll walk you through Jamey Tubb's excellent EnScript, Time Zone Info Prior to Processing. If there is an EnScript category you would like me to cover, a single EnScript you think deserves some more coverage, or a tutorial you'd like for any of the 150+ available EnScripts, please let me know in the comments.
You can also connect with EnCase App Central via their Twitter account (@EnCase_Apps), where you can find links to all the new or updated EnScripts the day they're made available.
If you have any questions regarding the EnScripts discussed in this blog post, you can email EnCase App Central directly at firstname.lastname@example.org or use the EnCase App Central support portal; each EnScript developer has a discussion board dedicated to answering questions or posting more information about their EnScripts.