Solved

Encase Forensic 6.xx Boolean "AND" Keyword Search

Posted on 2011-09-23. Last Modified: 2012-05-12
I am using EnCase Forensic 6.18 to keyword search data from a desktop computer. My keyword list has 4 basic terms, and they are all similar to:

(Term1 OR Term2) AND (Term3 OR Term4 OR Term5 OR Term6)

I have broken down these terms to the point where I first search for Term1 and Term2, and then in a second and third round of searches, apply Terms3-6 to the results of either Term1 or Term2.

However, I would like to not spend my day babysitting the machine. Is there a way to get the same results in a single search or action using EnCase 6.xx? Complex Grep statement or nested keyword list? Anything?

Question by: ajholk

Author Comment

by:ajholk
ID: 36591133
To clarify, I can run Term3-6 in a single subsearch against the same statement's Term1 and Term2. However, each additional statement needs an additional separate subsearch. So if I have 4 statements in my keyword list, I would need to run 5 searches, one to isolate the primary terms and then 4 subsearches.

I'm trying to find a way to do it all at once.

Accepted Solution

by: ChopOMatic (earned 75 total points)
ID: 36591303
Since you're using EnCase, you can always run the separate searches, then craft a condition to merge them. Will that work, or must it be run in a single search?

Assisted Solution

by: btan (earned 50 total points)
ID: 36591393
I am thinking that, to optimise the keywords, we may want to see if there is familiar contextual information about them, e.g. are they numbers? IP addresses? Words or sentences? etc. This file shares some useful grep expressions for some common forensic categories.

http://homepage.mac.com/adonismac/Textware/forensic/forensic_Grep_Expressions.pdf

Running multiple searches separately is also another means, as ChopOMatic has advised. I am thinking we could drill down the search space to suspicious places for a high-level first cut to see if we can hit the jackpot, but eventually, for completeness, we will have to do the lengthy process. Go for highly dense or commonly used storage locations and kickstart the search:

http://windirstat.info/
http://www.uderzo.it/main_products/space_sniffer/index.html

Ideally, we can simplify the search by breaking up the "big" search string. But I am not a grep expert.

(Term1 OR Term2) AND (Term3 OR Term4 OR Term5 OR Term6)

Author Closing Comment

by:ajholk
ID: 36591514
Running separate searches and then crafting a condition to merge them will certainly work. However, as far as timing goes, it's about the same as what I am doing now with primary and sub-searches.

Since in my case the search terms are words (alphabet-only) and I need to be able to isolate files that contain both words regardless of the distance between them or order of appearance, grep has limited ability in this area.

However, I'll continue to work with both ideas and see if I can find the best of both worlds.

Thanks.
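To make the two ideas in this thread concrete (ChopOMatic's separate searches merged by a condition, and a single grep expression for the whole statement), here is an added example in Python. It is not EnCase code and is not from the original thread; the sample file contents, the term lists and the function names are all constructed for illustration. The first path does one plain search per keyword and then evaluates (Term1 OR Term2) AND (Term3 OR Term4 OR Term5 OR Term6) per file from the resulting hit sets, which finds both words at any distance and in either order. The second path writes the same statement as one regular expression built from lookaheads; that works in Python's re and PCRE-style engines, and whether a given forensic tool's GREP dialect accepts lookaheads is an assumption you would have to verify against that tool.

```python
"""Added example: (Term1 OR Term2) AND (Term3 OR Term4 OR Term5 OR Term6)
evaluated over a set of text files in two ways:
  1. one plain search per keyword (the analogue of per-keyword hits), then a
     merge step that evaluates the boolean statement per file;
  2. the same statement as a single regex built from lookaheads.
Not EnCase code; file contents and term lists below are constructed.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Set

# Constructed sample "evidence" files (hypothetical text, not from the page).
SAMPLE_FILES: Dict[str, str] = {
    "memo.txt": "Project Falcon budget approved by Alice last quarter.",
    "notes.txt": "Alice mentioned the Falcon figures, nothing about payments.",
    "chat.txt": "transfer the invoice tonight, sign it as Falcon",
    "readme.txt": "Unrelated document with no keywords.",
}

GROUP_A = ["falcon", "eagle"]                        # Term1 OR Term2
GROUP_B = ["budget", "invoice", "transfer", "wire"]  # Term3 OR ... OR Term6


def load_text_files(directory: str) -> Dict[str, str]:
    """Read every regular file under a directory as text (active files only;
    slack space and unallocated clusters are not covered by this approach)."""
    return {
        str(p): p.read_text(encoding="utf-8", errors="replace")
        for p in Path(directory).rglob("*") if p.is_file()
    }


def hits_per_term(files: Dict[str, str], terms: Iterable[str]) -> Dict[str, Set[str]]:
    """Layer 1: an independent, case-insensitive search for each keyword.
    Returns file name -> set of keywords found anywhere in it; order and
    distance between hits are deliberately ignored."""
    found: Dict[str, Set[str]] = {name: set() for name in files}
    for term in terms:
        pattern = re.compile(re.escape(term), re.IGNORECASE)
        for name, text in files.items():
            if pattern.search(text):
                found[name].add(term.lower())
    return found


def merge_and_of_ors(files, group_a, group_b) -> List[str]:
    """Layer 2: the merge condition. A file qualifies if it hit at least one
    keyword from group_a AND at least one keyword from group_b."""
    hits = hits_per_term(files, list(group_a) + list(group_b))
    a = {t.lower() for t in group_a}
    b = {t.lower() for t in group_b}
    return sorted(name for name, terms in hits.items() if terms & a and terms & b)


def lookahead_regex(group_a, group_b):
    """Single-pattern form: each (?=.*(...)) asserts that the group occurs
    somewhere ahead without consuming input, so the two groups may appear in
    any order and at any distance. Requires an engine with lookahead support."""
    def alternation(group):
        return "|".join(re.escape(t) for t in group)
    return re.compile(
        rf"(?=.*(?:{alternation(group_a)}))(?=.*(?:{alternation(group_b)}))",
        re.IGNORECASE | re.DOTALL,
    )


def single_regex_search(files, group_a, group_b) -> List[str]:
    """Same result as merge_and_of_ors, using the lookahead pattern."""
    rx = lookahead_regex(group_a, group_b)
    return sorted(name for name, text in files.items() if rx.search(text))


if __name__ == "__main__":
    print("merge:", merge_and_of_ors(SAMPLE_FILES, GROUP_A, GROUP_B))
    print("regex:", single_regex_search(SAMPLE_FILES, GROUP_A, GROUP_B))
```

Both paths report memo.txt and chat.txt and reject notes.txt, which has a Term1 hit but nothing from the second group. Each extra statement in the keyword list is just another pair of groups fed to merge_and_of_ors over the same cached hit sets, so the per-keyword pass runs once rather than once per statement. The regex form is compact but costs a full scan per file per pattern, and like the hit-set merge it only sees active files read as text.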

Expert Comment

by:ChopOMatic
ID: 36592835
Are you searching only active files, or must you include slack space, unallocated, etc.?

If only active files, you could download dtSearch. Index the files you want to search, then search to your heart's content. Instant results. Easy boolean, etc.

Author Comment

by:ajholk
ID: 36594231
I hadn't considered dtSearch, but it is certainly an option. I'll have to get some metrics on how long it would take to index 1.5 TB of desktop data to see if the option is in play.