sdckey / enscript-samples Goto Github PK

Hello,

I am reading a suggested reading you posted called "DFIR445 EnScript Fundamentals". I must admit I find this document very helpful so far! I am a little confused on pages 3-36 to 3-37 going over Functions in EnScript. I noticed in the image below it lays out the function and what it will accomplish. I understand what each line is accomplishing

When I go to the next page it says the function is complete and that we can pretty much ignore it now unless you need to edit it.

but I no longer see the code for it? I see the function being called on line 23 but how does this script know what the function is suppose to do if the code is no longer visible? I understand that ValidateMFTRecordSizes() is the new function that was created but how does the script know what that function does if the code is removed? Is it added or stored somewhere else that I just can't see?

Thanks!

DFIR445-EnScript Fundamentals Version 8-01pi (03-01-2019).pdf

Is there any way that you could release the source code to the EnScript 'Windows Drive Letter Assignments' https://support.guidancesoftware.com/forum/downloads.php?do=file&id=1338 ?

I have built a 'startup script' that - among other things - does the same. -but I simply cannot get it to catch if there are 2 drive letters on a GUID partitioned harddisk.

Regards,

Hello,

I hope this message finds you well! Is there a way for an Enscript to navigate through the GUI and bring up different views automatically in EnCase? For example, if I am within the home screen of my case in EnCase. I run the enscript by clicking on the drop down menu option at the top. I see the Enscript running in the bottom right hand corner.... But I have to manually click on "Evidence" under "Browse" ... Then I need to manually click on the "Console" tab to change from the "Fields" tab to console window.

I worked with SystemClass::ClearConsole(System Class::SHOWCONSOLE) before... But I don't want to clear the console... I just want it to automatically show it outside running the Enscript in the built in editor view

I was looking at the EvidenceClass and EvidenceOpenClass but nothing stood out. Do you know if there is a class in EnCase that controls the GUI?

Appreciate any advice or suggestions you may have to point me in the right direction!

Thank you!

Hi Simon, I'm being work in some customs to my EnScript and after some tests and researches I would like your help just to understand if what I am wondering to do is possible or not.
Is there a way to get the content related to a processed evidence? For example, I processed an evidence with a particular options selected (for example index, system info parser and etc) and I would like to check which evidences were processed using this custom label and the status of the processing (completed / failed) - these information are in the "Status" and "Option" fields in the Processor Manager tab.
The other questions is related to the ITEMCLASS class. I'm trying to export the Categories from an evidence to a text file, but if I only use the method entryclass.category() it will return the category number and not the value (as it has a Category type). I tried to declare a "support" variable ITEMCLASS:Category in order to help me to get the Category name, but I am probably missing something easy here.
I will appreciate if you could help me to undertand where I am doing something wrong.
Regards,

When i use the hash list importer (3.01) to bring the NIST NSRL hash set into Endpoint Investigator, and then attempt to apply resulting product into encase, the hash set is empty (the bin files do have a size) there are no entries. I've attempted this several times.
Endpoint Investigator 21.3
respectfully


,
David

Hello,

Would you be able to recommend a book that goes over the EnScript language (besides the two documentations that guidance software provides)?

Would you be able to provide any professional advice as far as the EnScript help page/Class browser? I find it confusing and a little daunting to understand at first initial glance.

Thank you!

Hi Simon, firstly, thank you so much for taking the time to write these examples and share them!

I'm trying to work with results sets and can create and populate them using code based on your example. I also want the same script to be able to export the result set contents to a LEF, but the first time I run the script, nothing gets exported once the Results Sets are created and populated. If I immediately re-run the script (i.e. the results sets already exist) then the export completes successfully. I'm thinking this is an issue with the result set not updating quickly enough, or the script needing to refresh it, but if you could shed some light on this or provide a working example that would be very much appreciated.

Many thanks,
Alex

Could you provide a simple of example of using threads to iterate over a list of entries, either by using SemaphoreClass or MutexClass to manage deployment across the threads?

Hi Simon,
I am currently trying to automate some fixed aspect of the tool which includes case creation and processing using EPManagerClass.

The issue is when I complete case creation part, it starts verifying the evidence which I do not require and need to stop this.
I am using below code to achieve the same:
ev.SetOpenMode(OPENEVIDENCEFILE);
ev.AddToCase(c, evopen);

and after this I write the case file which is completed but my next part which is processing on my specific enproc is not getting started.

Do let me know if there is any other way to achieve the same.
Also, I have applied for developer about a week ago, still haven't got the access or any update regarding the same. Please help me get the documentation for enscript writing.

Do let me know if any other details required.

Hi Simon,
Thanks for sharing all of these scripts, it is being very usefull for undertanding the enscript programming structure.
Is there a way to include a builtIn image to an enscript? I tried different options, using the DialogClass with the ImageWindowsClass, but with no luck.
I appreciate if you could help
Regards,

Hello,

I hope this message finds you well! I was trying to use the parse method from the NameListClass, and I was wondering if you could provide some insight if you have time.

I tried using Extension.Parse("Lx01,L01", ","); and it compiled fine but would not recognize the image files. When I reversed it, Extension.Parse("L01,Lx01", ","); it recognized my image files and loaded then into my encase. Do you know why reversing the order makes a difference?

Any advice would be appreciated!

Thank you!

Hello,

I am new to enscript and was wondering if you could provide some guidance on how to make a script that will look for a specific message ids of multiple emails from a pst loaded in encase? If you can provide any examples or point me in the right direction that be really appreciated!

Hi Simon! I’m using the ItemIteratorClass in order to navigate for each entry to look for a specific filename (that I know the name). The goal is that I’m trying to export the whole folder (where this file is located), but for that I had to create a new variable to iterate the evidence again (as I didn’t find a way to “iterate back” for the main folder when I found the file. Is there a better way to do that? Do you have some example with this similar situação (iterate back)? Kind regards!!

Hi Simon,

Thank you for sharing your enscript examples.

I would like to ask two questions.

1. Is it possible to select or tag an entries in current view with enscript?
2. I try to export name of entries into a csv file with the code below, but when my enscript encounters some Chinese characters, the string is output to some unreadable text, is there any class that can help to format the string to readable format before output to the csv file?

logfile.WriteLine(Mastercounter + "," + entry.Name());

Many thanks,
Kenny

Add a script example showing how to select items in a list.