EnCase keyword search help

ucfknight197
(@ucfknight197)
Active Member
Joined: 15 years ago
Posts: 6
Topic starter  

Hi everyone,

I'm working on an investigation using EnCase. I've never used EnCase before so I'm having to learn how to do things as I go. I need some help running the search terms.

First, how do you search for terms within a certain number of words of each other? (i.e. - X within 4 words of Y)

And second, how do you apply logical operators? I found that AND/OR conditions can be applied, but that only works for the file attributes. How do I apply it to the actual file contents?

I appreciate any help. Thanks!


   
Quote
(@mkel2000)
Eminent Member
Joined: 17 years ago
Posts: 24
 

First, how do you search for terms within a certain number of words of each other? (i.e. - X within 4 words of Y)

What you are describing is accomplished through indexing and not keyword searching. You would first need to index the case (time consuming) or the files you want to search (much less time.) Then you can use the Index conditions to conduct your searches of the indexed files.

And second, how do you apply logical operators? I found that AND/OR conditions can be applied, but that only works for the file attributes. How do I apply it to the actual file contents?

You can use Conditions that incorporate AND/OR (by either building a specific condition or using multiple conditions and toggling them) to filter files based on their attributes, but to the best of my knowledge this functionality doesn't exist in conducting searches of file content.

I would suggest visiting the EnCase message boards for help with specific EnCase features. I would also suggest picking up a copy of Steve Bunting's book, EnCE: The Official EnCase Certified Examiner Study Guide. It will give you help on the basics of EnCase.

Mark


   
ReplyQuote
ucfknight197
(@ucfknight197)
Active Member
Joined: 15 years ago
Posts: 6
Topic starter  

Thanks! I'll give it a shot.


   
ReplyQuote
Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

First, how do you search for terms within a certain number of words of each other? (i.e. - X within 4 words of Y)

A possible workaround based on how many characters (rather than words) occur between your two search terms:

GREP expression

apple.{x,y}orange

where apple and orange are your search terms, the period denotes any character, x denotes the minimum characters to occur between your search terms and y denotes the maximum number of characters to occur between your search terms.

May get some false positives, and I would recommend using the Keyword Tester functionality within the EnCase\New Keyword dialogue box first to test. Ensure that when you lay out your test data, you leave more than the maximum number of characters specified as y between each instance of test data, otherwise it will report false positives and things will get confusing!

Not perfect but should be good enough.


   
ReplyQuote
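To see what the GREP workaround above actually matches, here is an added example (not code from the thread or from EnCase) that builds the same `apple.{x,y}orange` pattern with Python's `re` module standing in for EnCase's GREP engine, and then reproduces the false-positive effect Fab4 warns about when test-data instances sit closer together than y characters. It goes slightly beyond the post by optionally accepting the terms in either order. Assumptions: the period matches any character including a newline (`re.DOTALL`), matching is case-insensitive, and the sample strings are constructed for this example.

```python
import re


def proximity_pattern(term_a, term_b, min_gap, max_gap, either_order=False):
    """Build the thread's GREP expression: A.{x,y}B (terms escaped so they
    are matched literally). With either_order=True, B.{x,y}A is also accepted."""
    def core(a, b):
        return re.escape(a) + r".{%d,%d}" % (min_gap, max_gap) + re.escape(b)

    pattern = core(term_a, term_b)
    if either_order:
        pattern = "(?:%s)|(?:%s)" % (pattern, core(term_b, term_a))
    # Assumption: EnCase's '.' spans line breaks, so DOTALL is set here.
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


def find_proximity_hits(text, term_a, term_b, min_gap=0, max_gap=40, either_order=False):
    """Return the matched spans, each running from one term to the other."""
    pat = proximity_pattern(term_a, term_b, min_gap, max_gap, either_order)
    return [m.group(0) for m in pat.finditer(text)]


def build_test_data(samples, filler_len):
    """Lay out Keyword Tester-style samples separated by filler_len 'x' characters.
    If filler_len is below max_gap, a hit can straddle two samples (false positive)."""
    return ("\n" + "x" * filler_len + "\n").join(samples)


if __name__ == "__main__":
    # Constructed sample text: 18 characters separate 'apple' from 'orange'.
    line = "Invoice for apple shipment sent to orange depot."
    print(find_proximity_hits(line, "apple", "orange", 0, 20))   # hit
    print(find_proximity_hits(line, "apple", "orange", 0, 10))   # no hit: gap too wide

    # Two samples that each contain only one term. With a short filler the
    # expression matches across the boundary, which is the effect Fab4 describes.
    samples = ["Note about apple only.", "Memo about orange only."]
    print(find_proximity_hits(build_test_data(samples, 5), "apple", "orange", 0, 40))   # spurious hit
    print(find_proximity_hits(build_test_data(samples, 60), "apple", "orange", 0, 40))  # clean
```

The character-gap bound is only a proxy for "within N words": a long word between the terms can push a genuine pair past y, and a short gap across unrelated sentences can match, so review the spans the tester returns rather than trusting the hit count.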
ForensicRanger
(@forensicranger)
Estimable Member
Joined: 16 years ago
Posts: 122
 

...also bear in mind that the larger the drive, the longer the search will take. GREP searches, in particular, are extremely time consuming - so start the search before you leave for the day and let it run overnight :-)


   
ReplyQuote
ucfknight197
(@ucfknight197)
Active Member
Joined: 15 years ago
Posts: 6
Topic starter  

Thanks for the tips!


   
ReplyQuote
(@eng-fsd)
New Member
Joined: 15 years ago
Posts: 3
 

Hi everyone

I want to know how I can search for multiple keywords using EnCase. For example, I want to search for a website, an e-mail and an image.
I know how to search for them using the keywords, but I need them consecutive as a group, not individual.

I hope someone will understand what I'm trying to say. oops :(


   
ReplyQuote
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

I actually started to type the following but a YouTube video is worth a thousand words…..

http://www.youtube.com/watch?v=kK6Wd7HVyVM

Yes, Google is your friend. However, I am surprised more people don't search through YouTube for EnCase, FTK, Helix, etc. videos. There are a bunch that you can just spend a day learning with. Play the video on one machine/monitor and practice on another. If you need practice files, Google that. There are plenty of well-known places to get practice forensic disk and RAM images.


   
ReplyQuote
(@eng-fsd)
New Member
Joined: 15 years ago
Posts: 3
 

Thank you.

It's really useful.


   
ReplyQuote
kimberlyrothi
(@kimberlyrothi)
Active Member
Joined: 17 years ago
Posts: 7
 

Another option is to divide your keyword searching into groups. Have Keyword List 1 be your most important keyword list and Keyword List 2 as your secondary list that also needs to be present within any files responsive to Keyword List 1.

After the search for Keyword List 1 finishes, go to the Search Hits and select valid hits, or all if desired (NOTE: You should review to make sure there are not a lot of ambiguous hits.) After you have selected what you want, right-click and select Tag Selected Files. Go back to Keyword List 2 and in the Search Options make sure that you choose Only Selected Files and Selected Keywords Only for your secondary search, and make sure you had nothing selected before doing all of this, of course.

I worked for Guidance for 5 years and my best advice to you is to read the EnCase User manual, as it will really, really help you in addition to everyone else's suggestions. Good luck! :D


   
ReplyQuote
Share:
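The two-pass method kimberlyrothi describes is effectively a logical AND across keyword lists applied to file content (OR within a list, AND between lists), which is the operation the earlier reply said EnCase keyword search does not offer directly, and it is also one answer to the "keywords as a group" question above. The following added example (not code from the thread or from EnCase) models that workflow in Python over a handful of constructed "evidence" files: pass 1 tags every file hitting any keyword in List 1, and pass 2 runs only against the tagged files, mirroring the Only Selected Files option. It goes a step beyond the post by chaining any number of lists. Assumptions: plain case-insensitive substring matching stands in for EnCase's keyword engine, and the file contents below are made up.

```python
import re

# Constructed sample files (name -> content); not real evidence.
FILES = {
    "notes.txt": "Meeting with ACME about the wire transfer on Friday.",
    "draft.eml": "Subject: invoice\nPlease see the ACME invoice attached.",
    "todo.txt": "Buy milk, call dentist, pay the landlord.",
    "readme.txt": "Nothing to see here.",
}


def search_files(files, keywords, only_files=None):
    """One keyword-list search: return {file: [keywords that hit]} for every file
    containing at least one keyword (OR within the list). When only_files is
    given, search just those files, like EnCase's 'Only Selected Files' option."""
    compiled = [(kw, re.compile(re.escape(kw), re.IGNORECASE)) for kw in keywords]
    results = {}
    for name, content in files.items():
        if only_files is not None and name not in only_files:
            continue
        hits = [kw for kw, pat in compiled if pat.search(content)]
        if hits:
            results[name] = hits
    return results


def chained_search(files, keyword_lists):
    """The thread's two-pass method generalised to N lists: each pass searches only
    the files tagged by the previous pass, so a file survives only if it hits at
    least one keyword from every list (AND across lists).
    Returns {file: [hits from list 1, hits from list 2, ...]} for survivors."""
    survivors = None          # None means 'all files' for the first pass
    per_file = {}
    for keywords in keyword_lists:
        pass_hits = search_files(files, keywords, only_files=survivors)
        survivors = set(pass_hits)            # the 'Tag Selected Files' step
        for name in survivors:
            per_file.setdefault(name, []).append(pass_hits[name])
    if survivors is None:
        return {}
    return {name: hits for name, hits in per_file.items() if name in survivors}


if __name__ == "__main__":
    primary = ["ACME", "landlord"]        # Keyword List 1
    secondary = ["wire", "invoice"]       # Keyword List 2
    for name, hits in chained_search(FILES, [primary, secondary]).items():
        print(name, hits)
```

Because matching is plain substring matching, a keyword such as `wire` also hits `wired` or `rewire`; review the per-file hit lists returned by the first pass before tagging, just as the post advises, since any ambiguous hit there propagates into every later pass.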