just a quick question here. i want to use enscript to create a key word and have q quick question. the code uses Add.keyword method trying to a search string for $I records in the recycle bin. my code line is below
Search.AddKeyword("\x24\x00\x49",KeywordClassGREP)
The statement returns TRUE but does that mean the keyword is actually added to the case and thus viewable via the keyword tab in encase? it is not showing now andi don't know if it should. Should a keyword added via enscript show within encase?
Thanks in advance,
Todd julius
Champlain College
Leahy Center for digital investigation
Todd,
It's a while since I last wrote an EnScript but as far as I can recall…
The ability for EnScripts to interact with the main EnCase interface is restricted, it can be done but it is really hard if not impossible.
Essentially you can't populate the global or local keywords from an EnScript, at least not in version 6. What you can do (and from your posting it seems that you have done,) is create a SearchClass object to which you can add KeywordClass objects. Instantiating and running the SearchClass object will search the EntryClass objects for the terms in the KeywordClass objects. Results can be bookmarked (using BookmarkClass) which is just about the only interaction you can have with the EnCase interface other than the console output or outputting to a file.
Once your script has run it's course, even if you don't do it explicitly, the instantiated SearchClass objects (and thereby any contained KeywordClass objects) are garbage collected and killed.
Paul
Hi Todd,
Paul is correct. SearchClassAddKeyword() is for performing a search within the context of an EnScript, and will not affect either the case or global keywords in the user interface.
You can modify the global keywords, however, via an entirely different mechanism. Here's how
class MainClass {
void Main() {
// make a copy of the existing global keywords
KeywordClass newKeywords(),
oldKeywords = GlobalDataClassKeywordRoot();
newKeywords.Copy(oldKeywords);
// add a new keyword to them
KeywordClass newKey(newKeywords, "My New Keyword");
newKey.SetExpression("bad guy");
// tell EnCase to use our copy
GlobalDataClassSetRoot(newKeywords);
}
}
Interestingly, this does trigger a crash bug in EnCase if you switch from the EnScript code view to the table view to check that this worked. I was able to workaround this by clicking into the Case/Entries view first, then switching back to the keywords view.
<Shameless plug>
If you want your keyword searches to be fast, you should check out my new product,
</Shameless plug>
cheers,
Jon
Toddjulius,
moreover, if you want your code to give correct search hits, you should escape \ character in the keyword definition
Search.AddKeyword("\\x24\\x00\\x49",KeywordClassGREP)
otherwise EnCase may give you some false positive hits under certain conditions (tested on v6.19.4).
Thank you,
Greg