Does FTK index search support regular expressions?

(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Some of my friends asked me a question: "Does FTK index search support regular expressions?" They just participated in FTK Bootcamp last month, and they're trying to spend more time with FTK now.

The answer is "Yes". FTK index search supports regular expressions, but not RegEx++. Actually its name is TR1 (Technical Report 1) regular expression. Let me show you how to use TR1 in dtSearch. Remember to start the expression with "##". You guys could take a look at my blog to see how to do it:
http://www.cnblogs.com/pieces0310/p/4771465.html

They say no one mentioned regular expressions in dtSearch during FTK Bootcamp. I believe them~ Now they know how to do index search with regular expressions in FTK.

 
Posted : 30/08/2015 4:49 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

I would be less concerned with RegEx support and more concerned with FTK not even indexing things properly to begin with

 
Posted : 01/09/2015 7:07 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

They say no one mentioned regular expressions in dtSearch during FTK Bootcamp.

Sure, the good Access Data guys keep related info hidden from view (of digital investigators) in a document called
"dtSearch Frequently Asked Questions" 😯
https://support.accessdata.com/hc/en-us/article_attachments/201394155/dtSearch_Frequently_Asked_Questions.pdf

Indexed on a page on their site under
AccessData Help Center
> Knowledge Base
> White Papers
> dtSearch Documentation
https://support.accessdata.com/hc/en-us/articles/203151689-dtSearch-Documentation

Besides providing on the same page links to
http://support.dtsearch.com/webhelp/dtsearch/regular_.htm
https://msdn.microsoft.com/en-us/library/bb982727.aspx

Most probably your friends did not ask any question or they were RAQ's (Rarely Asked Questions).

jaclaz

 
Posted : 01/09/2015 11:42 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

I can't agree more with you~ They should try to ask questions and find answers. But they just finished FTK Bootcamp; you can't expect too much of them, they are still immature.

But that's not the point. The point is FTK Bootcamp should make some improvements to its materials. For example, FTK Imager is a very useful tool but too easy, so they could add more advanced materials to make it better. If there is not sufficient time in FTK Bootcamp, one more day is OK, I think.

By the way, the font size of FTK Bootcamp materials is too small.

 
Posted : 02/09/2015 7:12 am
harryparsonage
(@harryparsonage)
Posts: 184
Estimable Member
 

I would be less concerned with RegEx support and more concerned with FTK not even indexing things properly to begin with

Eric

What is FTK not indexing properly? Is this an issue with dtSearch or with AD implementation of it?

I haven't used it in a long time but I do remember that we found an issue where it was not indexing html documents fully.

H

 
Posted : 04/09/2015 2:23 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

there's been a lot of discussion about FTK missing things when indexing, and because of the way they have integrated dtsearch, you cannot even manually tweak dt to find things.

most of the discussion i have seen has been on the IACIS listserv.

things like missing words or not finding text inside more complex files for the most part.

in a recent Forensic lunch the main FTK evangelist pretty much said "if you want to be sure to find everything, index and do live searching"

 
Posted : 11/09/2015 12:00 am