
Excluding evidence from FTK index search

7 Posts
4 Users
0 Reactions
2,087 Views
(@blueskyz)
New Member
Joined: 18 years ago
Posts: 4
Topic starter  

Hello all,

I was wondering if anyone knows how to exclude certain evidence from an Index search in FTK. I'm presently producing e-mails matching certain keywords for counsel, and would like to exclude the mailbox of a given user when I'm searching on their name. The Exchange mailboxes were all added as PST files in groups depending on which LTO tape they were extracted from.

Any ideas would be most appreciated!

Thanks!

4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
 

Can you mark the file(s) as IGNORE and then perform everything else you do on FTK using all files except the ignored ones?

Hope this helps.
Art

(@blueskyz)
New Member
Joined: 18 years ago
Posts: 4
Topic starter  

Can you mark the file(s) as IGNORE and then perform everything else you do on FTK using all files except the ignored ones?

Hope this helps.
Art

Well, it seems that ignoring those files (PSTs) in question doesn't change the indexed search results. Good thought though!

(@dietro)
Trusted Member
Joined: 20 years ago
Posts: 51
 

Did you filter your search results to exclude ignored items? If not, then they won't be excluded.

Another option to get what you want is to checkmark what you want searched, then bookmark those items. Run your search and filter for bookmarked items only.

(@blueskyz)
New Member
Joined: 18 years ago
Posts: 4
Topic starter  

Did you filter your search results to exclude ignored items? If not, then they won't be excluded.

Another option to get what you want is to checkmark what you want searched, then bookmark those items. Run your search and filter for bookmarked items only.

I would love to filter to exclude ignored items, but can't find that option anywhere! Any help in locating it would be great.

Thanks!

(@blueskyz)
New Member
Joined: 18 years ago
Posts: 4
Topic starter  

Figured it out, with some help from the forum! It seems you can't just ignore the PST file, or even a lower-level object within the PST file (i.e. the inbox). You actually have to ignore the messages in the PST. Once ignored, create a new file filter set to never show ignored files. Then when running the search, a dialog box comes up just after clicking "View cumulative results" in which you can apply the file filter created previously.

Hope this saves someone else some time in the future.

Thanks!

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

You should be able to ignore an entire file. I had to do this when FTK crashed while processing one file on an image. There is an AccessData technical document available somewhere. (It was emailed to me.) Here's what it contains:

FTK Crashes or Hangs on Certain Files

If FTK crashes or hangs on a file you can either exclude the file by refining the evidence or by reindexing the case while ignoring the problem file that FTK is crashing or hanging on.

Please note that you will need to reprocess the case when FTK crashes or hangs on a particular file.

Follow the steps below to exclude the file from the case by selecting the Refine Evidence – Advanced option.

1. From the Add Evidence to Case screen click on Add Evidence and choose the item that you want to add to the case.
2. Click on the Refine Evidence - Advanced button and select the Refine Evidence by File Path tab.
3. Browse to the directory the problem file resides in.
4. Uncheck the directory so that the problem file will be excluded from the case.

Follow the steps below to ignore the file from the case by creating a KFF Ignorable hash file.

1. Create a file named hash.csv with the following two lines:
   MD5
   16C3A5060A5D7D2FD6C1D647B40442DC
   The MD5 can be taken from your case log. If you can't get it from your case log, you can use FTK Imager to browse to the problem file, right-click it and choose to write the hash to a file called hash.csv.
2. In FTK, select Tools, then Import KFF Hashes.
3. Select the hash.csv file you generated.
4. Enter a hash set name, such as "FTK Workaround." Make sure the radio button reads "Ignorable."
5. Click on OK.

Make sure Extract Files from KFF Ignorable Containers is unchecked on the Refine Case-Default screen when you reprocess the case.

-David
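As an added example (not from the AccessData document or any poster above), here is a small Python helper that builds the hash.csv file in the two-line layout described in David's post, hashing the problem files in chunks, and that validates an existing hash.csv before it is imported as a KFF Ignorable set. The column name "MD5" and the one-digest-per-line layout come from the post; the function names, chunk size and sample files are my own assumptions.

```python
import csv
import hashlib
import re
from pathlib import Path
from typing import Iterable, List

# Layout from the post: header line "MD5", then one 32-hex-digit MD5 per line.
# Everything else (names, chunk size) is assumed, not taken from AccessData.
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a multi-GB PST never has to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()  # FTK's own output is upper-case hex


def write_kff_csv(problem_files: Iterable[Path], out_path: Path) -> List[str]:
    """Write hash.csv ("MD5" header + one digest per file); return the digests."""
    digests = [md5_of_file(p) for p in problem_files]
    with out_path.open("w", newline="") as f:
        writer = csv.writer(f)
        writer.writerow(["MD5"])
        for digest in digests:
            writer.writerow([digest])
    return digests


def validate_kff_csv(csv_path: Path) -> List[str]:
    """Sanity-check a hash.csv before importing it: correct header, valid digests."""
    with csv_path.open(newline="") as f:
        rows = [r for r in csv.reader(f) if r]  # skip blank lines
    if not rows or rows[0] != ["MD5"]:
        raise ValueError("first line of hash.csv must be the header 'MD5'")
    bad = [r[0] for r in rows[1:] if not MD5_RE.match(r[0])]
    if bad:
        raise ValueError(f"not a 32-hex-digit MD5: {bad}")
    return [r[0].upper() for r in rows[1:]]
```

The validator catches the two mistakes that quietly produce an empty ignore set: a missing "MD5" header line and a truncated or mistyped digest.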
