Searching the Search Hits =)
There's gotta be a way to do this but I have failed to locate an efficient way in my initial research. So EnCase by default can flag all URL strings with a compound GREP search expression. That sometimes yields hundreds of thousands of URL strings. But I want to re-search those hits gathered in the URL string query but only for a few keywords. What's the best way to do this? I've tried exporting the search hits for the URL strings, uniq'ing it (unix util that removes duplicate lines), and then using a for() loop to run through the file of search hits grep'ing for my keywords, but that didn't work because when I exported it there were control characters or misc line breaks in the text so the greps failed 🙁
Should I try a compound (very very long) GREP search expression to include a few keywords via OR like (keyword1)|(keyword2)|(etc)? I'm still working on being crafty with the regex searches but I thought maybe someone that was thinking clearly could hint me at another option 🙂
Thanks in advance, any feedback appreciated 🙂
What exactly is it that you are trying to achieve?
Using GREP or keywords across the whole image, or even just in the unallocated, will result in countless hits that are completely irrelevant. Web pages that once existed in the TIF that now reside as artefacts in unallocated may contain many URLs engrained in the page (links, adverts, hidden popups, etc.) that don't actually prove any mens rea (guilty knowledge).
EnCase versions 3 and 4 do not have a hit search facility. You are stuck with the hits, short of exporting out the results as a .doc or .xls file which you have already done.
You can actually make a search for the search hits by making your own filter, and using queries to work upon the 'columns', but quite how you would do this is non-trivial.
There is a HTML carver script that allows you to use keywords to refine the url hits.
I use Net Analysis (www.digital-detective.co.uk) to examine Internet History.
Ah, HTML Carver looks like what I was looking for. Thanks for the response Andy, appreciate it.
You could export all the rows from EnCase and then read them into a MySQL table.
Then you can use SQL to search.
I do this sometimes, for example if I want to count unique pictures I export the MD5 into a table. Then create another identical table but include unique. Then use insert ignore to count duplicates.
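
An added example, not part of the original thread: one way to carry out the export-then-search approach discussed above, stripping the control characters and stray line breaks that broke the grep loop, then using a unique table with insert-ignore to count duplicates and a keyword query over the unique hits. It uses Python's built-in sqlite3 as a stand-in for MySQL (SQLite spells the statement `INSERT OR IGNORE`); the sample export, its UTF-8 encoding, the table names and the keywords are assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample standing in for an exported search-hit file (not real case data).
SAMPLE_EXPORT = (
    b"hit 1\thttp://mail.example.com/inbox?folder=sent\r\n"
    b"hit 2\thttp://www.exa\x00mple.org/forum/\x07viewtopic.php?t=42\r"
    b"hit 3\thttp://mail.example.com/inbox?folder=sent\x0c"
    b"hit 4\tHTTP://ads.example.net/banner.gif\n"
    b"hit 5\thttps://shop.example.org/Forum-offers\r\n"
)
LINE_BREAKS = re.compile(r"[\r\n\x0b\x0c]+")       # CR, LF, VT, FF in any mix
CONTROL = re.compile(r"[\x00-\x08\x0e-\x1f\x7f]")  # NUL, BEL, ESC, DEL, ... (tab kept)
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def clean_hits(raw):
    """Normalise line breaks, drop control characters, return every URL found."""
    text = raw.decode("utf-8", errors="replace")   # assumed encoding; adjust to the export
    text = LINE_BREAKS.sub("\n", text)
    text = CONTROL.sub("", text)
    return URL.findall(text)

def load_hits(urls):
    """Load hits into one plain table and one identical table with a UNIQUE column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hits (url TEXT)")
    db.execute("CREATE TABLE unique_hits (url TEXT UNIQUE)")
    rows = [(u,) for u in urls]
    db.executemany("INSERT INTO hits VALUES (?)", rows)
    db.executemany("INSERT OR IGNORE INTO unique_hits VALUES (?)", rows)
    return db

def count_duplicates(db):
    total = db.execute("SELECT COUNT(*) FROM hits").fetchone()[0]
    unique = db.execute("SELECT COUNT(*) FROM unique_hits").fetchone()[0]
    return total - unique

def search(db, keywords):
    """Case-insensitive substring match of any keyword against the unique hits."""
    if not keywords:
        return []
    where = " OR ".join("instr(lower(url), lower(?)) > 0" for _ in keywords)
    sql = f"SELECT url FROM unique_hits WHERE {where} ORDER BY url"
    return [row[0] for row in db.execute(sql, list(keywords))]

if __name__ == "__main__":
    db = load_hits(clean_hits(SAMPLE_EXPORT))
    print("duplicates:", count_duplicates(db))
    print("\n".join(search(db, ["forum", "inbox"])))
```

Keywords are bound as query parameters rather than pasted into the SQL text, so a keyword containing quotes or wildcard characters is matched literally.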