EnCase EnScript Resources for Learning

Caveat: A lot of the resources mentioned below are quite old, as a result, Your Mileage May Vary.

I’m starting to take a deep dive into EnScript in EnCase, and I was lamenting the lack of freely available resources, but lo and behold Today I struck gold and found a few resources that had escaped my attention before now, so I thought I’d do a quick post collating what I found.

First and foremost is an EnScript research paper-turned tutorial that I was surprised to see was freely available. If it goes away at any stage you should be able to get a copy on the Way Back Machine. (Just found this copy by chance too, from a site that seems to have some permanence: https://problemykryminalistyki.pl/pliki/dokumenty//olberuseofencase.pdf.)

The paper had a number of references to other resources which I’ll list below:

Outside of that I found a few other resources, here are two tutorial documents:

Then of course you have Simon Key’s Github page which hosts a few EnScript samples. Simon Key is a “Sr. Principal Courseware Developer at OpenText” according to his LinkedIn page, so you should be able to learn from his samples how an EnScript should be.

Just as an example of a discussion thread here is one that can be found over on the Forensic Focus forums, so if you run into difficulties you may even be able to get some help.

There’s a YouTube video from Guidance Software discussing the utility of EnScript plug-ins during an investigation.

Finally, I’ll also be leaning on the EnScript chapter from this O’Reilly book https://www.oreilly.com/library/view/computer-forensics-and/9780071807913/.

That should be enough to get me off the ground, if I find any more I’ll add them here. If you have any suggestions for resources, feel free to let me know.

Regenerate Message Typed as captured in a USB Keyboard Packet Capture


I was recently presented with a packet capture file to perform some forensics on it as a challenge and see if I could find the hidden message. Naturally, it being a packet capture I fired up Wireshark only to be faced with a very bland single colour screen, quite different from the usual network captures most would be used to when using Wireshark (see Figure 1 below). There was none of the usual indication of different protocols broken down by colour. This was going to be a different type of challenge, and one I was going to learn a lot from, I knew I would enjoy it, and I sure did!

Figure 1: Bland, colour-free Wireshark window
Continue reading “Regenerate Message Typed as captured in a USB Keyboard Packet Capture”

Business Email Compromise and Email Header Analysis


I have recently had cause to dive into Business Email Compromise (CEO Fraud, Supplier Fraud, email redirect etc.). This then leads to email header analysis as that is your first step in trying to identify the author of the fraudulent emails. So having done the research it would be a shame to let it go to waste. Let’s go!

Continue reading “Business Email Compromise and Email Header Analysis”