In some examinations, you make a keyword search and it can bring thousands of search hits. It is not uncommon to get even over 70,000 search hits if the keyword is one of those which are used for both humans and things, such as "daisy" or "eve".
And that keyword might be very important for the case; for example, it could be the name of the suspect. So you cannot be more specific. If you hurry going over the search hits, you might easily miss the one. If you don't hurry, it can take days to go over thousands of search hits completely.
So, is there any good way of reducing time to go over each of thousands of search hits without decreasing the quality of the forensic work?
Depends what you are using. EnCase, for example: search, filter, sort, select and search some more. Get to know your conditions and filters.
Sure, use something like NSRL hashsets and search only on files that don't match these, and use grep to cut out some of the noisy hits.
Have you looked at "predictive searching"?
Your search terms are too generic - maybe.
Consider indexing (using dtsearch or some other tool) as a way to make more complex queries.
Sort of along the lines of what Doug mentioned above - consider what types of files you would anticipate finding your results in. In this case, you can sort by the file type - for starters - and review the most likely files first.
Also, depending on your case, maybe you can eliminate known file types from your search…?
Yup to hit upon the other posts.
1. de-NIST - go to the NSRL site http//
2. Keyword choices - get to know GREP - can really help narrow multiple hits of similar keywords
3. Filtering - Try to create a list of known extensions and signatures for usual suspects - http//
4. Unallocated space - This can be an area of a lot of hits that might not lead anywhere. Try searching just the active files first and then going in to unallocated if you think there can be something there.
Think of searching in the clichéd "needle in the haystack." Separate the piles of hay into groups and then search the smaller piles. Accept the fact, though, that you will find many needles that look alike, and that is where you need your brain, not the computer, to tag hits 😉
A second vote for using NSRL and only searching the file slack of these files.
Also making better use of GREP and not searching for things that you expect to cause a huge amount of hits such as searching for the string "BT" etc.
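The numbered list above and the follow-up vote for NSRL plus GREP describe one triage pipeline: drop known files by hash (de-NIST), tighten the pattern so a short name like "eve" stops matching "Steven" or "every", and review the likely file types first. The script below is an added example (not from any post in this thread, and not an EnCase or NSRL tool): it runs that pipeline over a small constructed corpus, with a one-entry hypothetical hash set standing in for the NSRL RDS, and returns the hits in review order.

```python
"""Added example: triaging keyword hits by de-NISTing, tightening the pattern
and ranking by file type. All sample data below is constructed, not evidence."""
import hashlib
import os
import re

# Constructed sample corpus (path -> bytes). None of these are real files.
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": b"MZ... eve is not here ... daisy chain driver",
    "Users/daisy/Documents/notes.txt": b"Meeting with Eve on Tuesday. Bring the files.",
    "Users/daisy/Documents/readme.txt": b"Steven wrote every line of this. No names.",
    "Users/daisy/Pictures/flowers.jpg": b"\xff\xd8\xff\xe0 daisy eve",
    "pagefile.sys": b"... eve.exe ... eVe ...",
}


def sha1_hex(data):
    """SHA-1 hex digest, one of the hashes the NSRL publishes for known files."""
    return hashlib.sha1(data).hexdigest()


# Hypothetical stand-in for an NSRL hash set: pretend the OS DLL is a known file.
# A real run would load the NSRL RDS hash list instead of this one-entry set.
KNOWN_HASHES = {sha1_hex(SAMPLE_FILES["Windows/System32/kernel32.dll"])}

# Extensions reviewed first, per the "most likely files first" advice above.
PREFERRED_EXT = (".txt", ".doc", ".docx", ".eml", ".pst")


def keyword_pattern(keyword):
    """GREP-style pattern: \\b boundaries keep 'eve' from matching 'Steven' or 'every'."""
    return re.compile(rb"\b" + re.escape(keyword.encode()) + rb"\b", re.IGNORECASE)


def naive_hit_count(files, keyword):
    """Plain case-insensitive substring count: what a generic search reports."""
    kw = keyword.lower().encode()
    return sum(data.lower().count(kw) for data in files.values())


def triage(files, keyword, known_hashes, preferred_ext=PREFERRED_EXT):
    """Return hits in review order, skipping known (hash-listed) files.

    Each hit is (path, offset, context); preferred file types come first.
    """
    pattern = keyword_pattern(keyword)
    hits = []
    for path, data in files.items():
        if sha1_hex(data) in known_hashes:  # de-NIST: drop known-good files
            continue
        ext = os.path.splitext(path)[1].lower()
        rank = 0 if ext in preferred_ext else 1
        for m in pattern.finditer(data):
            context = data[max(0, m.start() - 12): m.end() + 12]
            hits.append((rank, path, m.start(), context))
    hits.sort()
    return [(path, off, ctx) for _, path, off, ctx in hits]


if __name__ == "__main__":
    print("naive hits:", naive_hit_count(SAMPLE_FILES, "eve"))
    for path, off, ctx in triage(SAMPLE_FILES, "eve", KNOWN_HASHES):
        print(f"{path}:{off}: {ctx!r}")
```

On the constructed corpus the naive substring count for "eve" is 7; the boundary-aware pattern plus de-NISTing leaves 4 hits, with the .txt document first and the swap file last. The same ordering idea extends to the "active files before unallocated" step: give unallocated-space hits a higher rank and they simply sort to the end of the review queue.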
Just another tidbit I will share and want to point out my own stupidity to hope that others can benefit from (or point and laugh).
I find it is helpful to make a list and/or copy and paste terms into my search program (EnCase main platform). So the other day I am starting to make my list. Right off the bat I want to look for "Doc?docid=" as plain ol' ANSI - copy from one area into EnCase keyword creation for string and name. Red X and something about not allowing question mark (or some other characters), close error, try again. Same thing. What the..? Already later in the day; frustration builds. Why can't EnCase take ? in a search term?!? Do I have to GREP it as a literal expression? Never before, but what the hell - nope, same error. Now I am cursing at the monitor trying other char sets. Error. Error. Error. Is it EnCase all of a sudden? Must be! Walk away for the day on that and return next day.
Next day. OK, I can figure this out. Start fresh and copy my Doc?docid= into phrase and name fields, get the error. But this time I READ the error: no question marks in the NAME field for keywords in EnCase - DUH! Take out the ? in the name, term saves, run search.
Moral of the story: it is easy to take keywording for granted sometimes - copy, paste, search. We test, validate and look at all angles in other areas of our cases, but it is often easy to rush building out our searches and look at it as just a mechanical function to throw at the wall and see what sticks. With the amount of data we are faced with in many cases, it is a good practice to really stop, slow down and take a little extra time to build keywords with the care and attention they deserve, as we do in other areas of our investigations.