Hi everyone,
I'm working on an investigation using EnCase. I've never used EnCase before so I'm having to learn how to do things as I go. I need some help running the search terms.
First, how do you search for terms within a certain number of words of each other? (i.e. - X within 4 words of Y)
And second, how do you apply logical operators? I found that AND/OR conditions can be applied, but that only works for the file attributes. How do I apply it to the actual file contents?
I appreciate any help. Thanks!
First, how do you search for terms within a certain number of words of each other? (i.e. - X within 4 words of Y)
What you are describing is accomplished through indexing and not keyword searching. You would first need to index the case (time consuming) or the files you want to search (much less time). Then you can use the Index conditions to conduct your searches of the indexed files.
And second, how do you apply logical operators? I found that AND/OR conditions can be applied, but that only works for the file attributes. How do I apply it to the actual file contents?
You can use Conditions that incorporate AND/OR (by either building a specific condition or using multiple conditions and toggling them) to filter files based on their attributes, but to the best of my knowledge this functionality doesn't exist in conducting searches of file content.
I would suggest visiting the EnCase message boards for help with specific EnCase features. I would also suggest picking up a copy of Steve Bunting's book, EnCE: The Official EnCase Certified Examiner Study Guide. It will give you help on the basics of EnCase.
Mark
Thanks! I'll give it a shot.
First, how do you search for terms within a certain number of words of each other? (i.e. - X within 4 words of Y)
A possible workaround based on how many characters (rather than words) occur between your two search terms:
GREP expression
apple.{x,y}orange
where apple and orange are your search terms, the period denotes any character, x denotes the minimum characters to occur between your search terms and y denotes the maximum number of characters to occur between your search terms.
You may get some false positives, and I would recommend using the Keyword Tester functionality within the EnCase\New Keyword dialogue box first to test. Ensure that when you lay out your test data, you leave more than the maximum number of characters specified as y between each instance of test data, otherwise it will report false positives and things will get confusing!
Not perfect but should be good enough.
...also bear in mind that the larger the drive, the longer the search will take. GREP searches, in particular, are extremely time consuming - so start the search before you leave for the day and let it run overnight -)
Thanks for the tips!
Hi everyone
I want to know how I can search for multiple keywords using EnCase. For example, I want to search for a website, e-mail and image.
I know how to search for them using the keywords, but I need them consecutive as a group, not individual.
I hope someone will understand what I'm trying to say oops (
I actually started to type the following, but a YouTube video is worth a thousand words...
Yes, Google is your friend. However, I am surprised more people don't search through YouTube for EnCase, FTK, Helix, etc. videos. There are a bunch that you can just spend a day learning with. Play the video on one machine/monitor and practice on another. If you need practice files, Google that. There are plenty of well-known places to get practice forensic disk and RAM images.
Thank you.
It's really useful.
Another option is to divide your keyword searching into groups. Have Keyword List 1 be your most important keyword list and Keyword List 2 your secondary list that also needs to be present within any files responsive to Keyword List 1. After the search for Keyword List 1 finishes, go to the Search Hits and select valid hits, or all if desired (NOTE: you should review to make sure there are not a lot of ambiguous hits). After you have selected what you want, right-click and select Tag Selected Files. Go back to Keyword List 2 and in the Search Options make sure that you choose Only Selected Files and Selected Keywords Only for your secondary search, and make sure you had nothing selected before doing all of this, of course.
I worked for Guidance for 5 years and my best advice to you is to read the EnCase User manual, as it will really, really help you in addition to everyone else's suggestions. Good luck! D
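The two-list procedure above amounts to an AND over file contents: a file is responsive only if it hits Keyword List 1 and, among the files tagged from that search, also hits Keyword List 2. As an added example (not the thread's or EnCase's code), here is the same staging done in Python over a few constructed sample files, with the file names, contents and keyword lists all being my assumptions.

```python
import re

# Constructed sample "evidence files" (not from the thread): name -> raw bytes.
FILES = {
    "notes.txt": b"Visit www.example.test for the order form and mail it to sales@example.test",
    "readme.txt": b"Nothing to see here, just a readme.",
    "contacts.txt": b"Mail: sales@example.test (no website given)",
    "links.txt": b"Links: http://www.example.test/page only",
}


def keyword_hits(content, keywords):
    """Every occurrence of every keyword in one file's bytes, as (keyword, offset) pairs
    sorted by offset. Keywords are matched literally, like a non-GREP EnCase keyword."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw), content):
            hits.append((kw.decode(), m.start()))
    return sorted(hits, key=lambda h: h[1])


def tag_responsive(files, keywords):
    """Stage 1: the files you would tag from the Search Hits of Keyword List 1."""
    tagged = {}
    for name, data in files.items():
        hits = keyword_hits(data, keywords)
        if hits:
            tagged[name] = hits
    return tagged


def staged_keyword_search(files, primary, secondary):
    """Stage 2: search only the tagged files for Keyword List 2 (the
    'Only Selected Files' setting). A file is returned only when it has
    hits from both lists, which is the AND on content the thread asks for."""
    tagged = tag_responsive(files, primary)
    responsive = {}
    for name, first_hits in tagged.items():
        second_hits = keyword_hits(files[name], secondary)
        if second_hits:
            responsive[name] = {"primary": first_hits, "secondary": second_hits}
    return responsive


if __name__ == "__main__":
    website_terms = [b"www.", b"http://"]      # Keyword List 1
    email_terms = [b"@example.test"]           # Keyword List 2
    for name, hits in staged_keyword_search(FILES, website_terms, email_terms).items():
        print(name, hits)
```

Note that contacts.txt carries an e-mail address but no website term, so it never reaches stage 2, and links.txt is tagged in stage 1 but drops out in stage 2; only notes.txt satisfies both lists. Reviewing the stage-1 hits before tagging, as the post says, is what keeps ambiguous list-1 hits from inflating the stage-2 input.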