EnScript Workshop

Learn how to write Encase Enscripts.


1. Advanced EnScript Workshop
   Jon Stewart, Sr. Manager, EnScript Services

2. Workshop Agenda
   - Language Core Concepts
   - Basic APIs
   - Execution environment and debugging
   - Dialogs
   - Handling evidence
   - External automation and communication
   - Conditions and Reflection
   - Multithreading

3. Language Core Concepts
   - Syntax and Object Model Basics
   - Inheritance
   - NodeClass! NodeClass! NodeClass!
   - Memory Management
   - Arrays
   - Handlers
   - Stewart's 3 Fundamental Laws of EnScript

4. Syntax and Object Model
   - C++-ish syntax, object model is more Java
   - Fundamental datatypes have stack storage
   - Strings are 2-byte Unicode (UCS-16)
   - Loops, functions: nothing new
   - Arithmetic operators are the same
   - Few global variables (the biggies are Console and LocalMachine)

5. Object Model
   - All code organized into classes
   - All class members are inherently public
   - Functions can be static
   - Objects are heap allocated and manipulated through references => reference semantics, not value semantics
   - Objects are constructed, references are assigned
     - "implicit new" syntax
   - Members initialized in order of declaration (just like C++)

6. Inheritance
   - Single inheritance only!
   - Not even interface inheritance, like Java
   - Functions can be overridden if virtual
   - No final: all overrides must be virtual, too
   - Call parent class constructor first
   - Define interfaces using pure
   - Almost all derived classes inherit from…

7. NodeClass
   - Composite design pattern
   - Singly-linked list which can contain linked lists
   - Member data: Next, First Child, Last Child
   - All lists and trees have a parent/root node
   - Add children by passing in the parent to the constructor, or by using Insert()
   - foreach() and forall()
   - First Fundamental Law of EnScript: Data structures should almost always be composed from NodeClass

8. Memory Management
   - Most fundamental datatypes are stack allocated and have value semantics
     - bool, byte, char, short, ushort, int, uint, long, ulong, double, variant, IPClass, HashClass, DateClass
   - Strings are heap allocated, but have value semantics
   - All objects are heap allocated and have reference semantics
     - Like Java, or like pointers in C++
   - Reference counting is used for memory management
   - Beware of the cyclic reference problem; use the weak keyword to create weak references
     - But don't leave dangling references!

9. Memory Management and NodeClass
   - Second Fundamental Law of EnScript: All simple objects are ref-counted, but only root NodeClass objects are ref-counted. NodeClass objects in a list or tree are not ref-counted!
   - Corollary: If the root dies, the children die
   - Insert() and Remove() work with reference counting
   - Why? Efficiency, legacy
   - Real easy to hose yourself (and EnCase)

10. Memory Management and Destruction
   - Objects are deallocated on the thread holding the last reference, at the time the last reference disappears (block close)
     - Predictable; no separate garbage collection thread
   - The runtime holds a global list of all references. At exit, it runs through the list of any remaining references and reports leaks.
   - The destructor is called before deallocation, if defined
   - Don't be stupid in your destructor
     - Don't reassign this to other references
   - Almost all crashes in EnScript are caused by hosing yourself with dangling references

11. Arrays
   - Arrays are a later addition to the language
   - Must create a typedef first
   - Either static-sized or variable-sized
   - GetCount(), SetCount(), Add()
   - Object arrays store references
   - foreach() works, but is a little funky
   - Arrays themselves are ref-counted; root object references within them are ref-counted as well
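The NodeClass, memory-management and array slides above (7 through 11) come together in this added example, which is not code from the workshop. It assumes the NodeClass(parent, name) constructor, Name(), Insert()/Remove(), foreach/forall and Console.WriteLine() as the slides describe them; FileRecord and its fields are hypothetical.

```enscript
// Arrays need a typedef before use (slide 11).
typedef String[] StringArray;

// First Fundamental Law: compose the data structure from NodeClass.
class FileRecord: NodeClass {
  ulong   Size;
  String  Hash;

  // Passing the parent to the NodeClass constructor inserts this node as its child.
  // The parent constructor runs first; members then initialize in declaration order.
  FileRecord(FileRecord parent = null, const String &name = "",
             ulong size = 0, const String &hash = ""):
    NodeClass(parent, name),
    Size = size,
    Hash = hash
  {
  }
}

class MainClass {
  // forall walks the whole subtree under root, not just the direct children.
  ulong TotalSize(FileRecord root) {
    ulong total = 0;
    forall (FileRecord r in root)
      total += r.Size;
    return total;
  }

  void Main() {
    // "implicit new" syntax: constructed here, ref-counted because it is a root node.
    FileRecord root(null, "root");
    // Children are owned by the tree and are NOT ref-counted (Second Fundamental Law).
    FileRecord docs(root, "Documents");
    new FileRecord(docs, "report.docx", 40960, "constructed-hash-value");
    FileRecord tmp(root, "Temp", 512);

    // foreach visits direct children only; collect their names into a variable-sized array.
    StringArray names();
    foreach (FileRecord r in root)
      names.Add(r.Name());
    Console.WriteLine("Top-level children: " + names.GetCount()); // 2
    Console.WriteLine("Total size: " + TotalSize(root));          // 41472

    // Remove() detaches tmp from the tree and hands ownership back to ref counting,
    // so the tmp reference stays valid; never keep a plain reference to a child
    // past the lifetime of its root, because when root dies its children die with it.
    tmp.Remove();
  }
}
```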
12. Handlers
   - Handler: a class that presents a view of another class
   - Most EnCase data objects are exposed to EnScript through handlers
   - Third Fundamental Law of EnScript: Most of the EnScript classes are auto-generated by handlers from the EnCase views. WYSIWYG.
   - You can create your own handlers for display through dialogs.

13. Basic APIs
   - CaseClass, EntryClass, BookmarkClass, FileClass, SearchClass, DirectoryClass, ConnectionClass
   - CaseClass has different roots. Access is read-only, to avoid threading concerns.
   - EntryClass: filesystem metadata
   - BookmarkClass: refer to entries
   - FileClass: work with streams
   - SearchClass: search, hash, file signatures
   - DirectoryClass: local OS filesystem access
   - ConnectionClass: perform commands on a system

14. Execution Environment
   - Scripts execute on a background thread
   - Objects you create, whether of API classes or your own classes, are not thread-safe
   - Objects provided to you, through CaseClass and GlobalDataClass, are constant, for thread safety purposes
   - At script termination, new objects of some classes are incorporated into the rest of EnCase (e.g. bookmarks).

15. Debugging and EnPacks
   - Beginning with v6.8, EnCase has a source-level debugger.
   - To activate, create a new item in the Projects view and choose the .EnScript file containing MainClass
   - Step through lines and inspect variables, similar to Visual Studio
   - EnScripts can be statically "compiled" into EnPack files, which contain all source code dependencies in a single binary file.
     - Can optionally be tied to an EnLicense file, which can contain #define symbols, dongle IDs, and expiration timestamps
   - Create EnPacks by creating a new item in the Packages view. Right-click and choose Build or Create License.

16. Dialogs
   - Create your own dialogs by inheriting from DialogClass
   - Use widgets as members: CheckBoxClass, IntEditClass, StringEditClass, ListEditClass, TreeEditClass, TreeTableClass, etc.
   - Each widget takes a raw memory reference to a variable
     - Don't change the variables out from under the widgets
   - Implement virtual functions to receive callback events.
   - Callbacks occur on a special display thread, and all manipulation of the widgets should be done through this thread

17. Handling Evidence
   - CaseClass::AddEvidenceFile() opens an evidence file, either .E01 or .L01
   - EvidenceFileClass can be used to make acquisitions
   - LogicalEvidenceFileClass is very versatile and can be used for creating derivative evidence containers, as well as almost any other kind of persistent storage.
   - Evidence cannot be added to open cases in EnCase, but new cases created in the script can be pulled through to EnCase after script termination.

18. External Automation and Execution
   - Simplest (best): ExecuteClass. Launch command-line applications.
   - Otherwise: COM host. Import COM type libraries into the EnScript engine, create objects, manipulate them.
     - Can typically only pass simple, variant-compatible datatypes
     - COM events (i.e. callbacks) are not supported
     - Cannot inherit from COM interface classes
     - Can use ADO for talking to databases through recordsets
     - Avoid if possible; use something more loosely coupled.
   - SocketClass: synchronous I/O to/from sockets
   - WebClientClass: GET/PUT/POST/DELETE to a web server. Great for interacting with web services.

19. Conditions and Reflection
   - EnScript can eat its own tail
   - First step: Conditions.
     - Just a GUI for auto-generating code.
   - To execute, you need ProgramClass
     - Can execute as a Filter or as a normal script
   - Conditions and ProgramClass objects require a SymbolClass object
   - SymbolClass objects represent EnScript classes, PropertyClass objects represent class properties
     - Reflection is the most powerful feature in EnScript
     - Must use NodeClass to play with reflection
20. Multithreading
   - To create your own threads, inherit from ThreadClass and override the Run() virtual function.
   - Use the synchronized keyword to define critical sections. Global mutex across all threads.
   - For finer-grained synchronization, you can use SemaphoreClass… just as much of a pain as you can imagine.
   - Prefer coarse-grained synchronization as much as possible. Multithreading can make a huge difference in the right situations, but use it judiciously.
   - Like any other language, don't share objects between threads.
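The threading guidance on slide 20, as an added example that is not from the workshop: each worker keeps its own data and touches the one shared object only inside a synchronized critical section. It assumes a ThreadClass(parent, name) constructor with Start() and WaitForExit() methods and a block form of synchronized; Tally, Worker and the per-item work loop are hypothetical.

```enscript
// The single object that threads share; every access to it goes through synchronized.
class Tally {
  uint Processed;
}

class Worker: ThreadClass {
  Tally  Shared;   // shared: only read or written inside a critical section
  uint   Items;    // thread-private: no other thread touches it
  uint   Local;    // thread-private scratch state

  Worker(Tally shared, uint items, const String &name):
    ThreadClass(null, name),   // assumed signature; parent constructor runs first
    Shared = shared,
    Items = items,
    Local = 0
  {
  }

  virtual void Run() {
    for (uint i = 0; i < Items; ++i) {
      Local += i;              // per-thread work happens on private state, no lock held

      // Coarse-grained critical section: the global mutex serializes all threads here,
      // so keep the body as small as possible.
      synchronized {
        Shared.Processed++;
      }
    }
  }
}

class MainClass {
  void Main() {
    Tally tally();
    Worker a(tally, 1000, "worker-a");
    Worker b(tally, 1000, "worker-b");

    a.Start();                 // assumed ThreadClass::Start()
    b.Start();
    a.WaitForExit();           // assumed ThreadClass::WaitForExit(); join before reading the tally
    b.WaitForExit();

    // Without the synchronized block the increment would race and the total could be short.
    Console.WriteLine("processed: " + tally.Processed);   // 2000
  }
}
```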