Filtering based on Time in FTK

ForensicMeteor
(@forensicmeteor)
Posts: 60
Trusted Member
Topic starter
 

So, we have performed searches filtering dates but now I have a case that involves tracking a user based on work hours. I would think this is something simple but I have been unable to come up with a method to perform this search. My source evidence is email. I need to search for email exchanged during certain hours and I fear I am just over-complicating things. Do I need a regular expression?

 
Posted : 04/06/2018 6:05 pm
(@mcman)
Posts: 189
Estimable Member
 

Generally that's not very easy to do: timestamps are stored with the date and time together, so your tool would have to split and store them separately to build out a schedule like business hours/off hours, etc.

Most tools can give you a time range, but a schedule isn't always possible; I'm not sure if you can do it with FTK or not. We had to store them separately to do that in AXIOM, which makes the filter super easy, it just takes a bit more work to process. Some e-discovery tools will do it, but not many forensics tools.

Jamie
Magnet Forensics

 
Posted : 04/06/2018 6:25 pm
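The split-the-timestamp approach Jamie describes, shown as an added example that is not part of this thread and is not code from FTK or AXIOM. It parses RFC 5322 Date headers, normalises each one to the subject's local time zone (the practitioner caveat: email Date headers carry the sender's offset, so "hour of day" means nothing until every message is in the same zone), then tests the weekday and the time-of-day separately against a schedule. The schedule (Mon-Fri 09:00-17:00), the zone (America/New_York) and the sample headers are all constructed assumptions; a real run would read the Date header from each message in the export.

```python
"""Added example (not from the thread, FTK or AXIOM): classify emails as sent
inside or outside a work schedule by splitting each Date header into a date
part (weekday) and a time-of-day part after normalising to one local zone."""
from datetime import time, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed schedule: Mon-Fri, 09:00 to 17:00 in the subject's local zone.
WORK_START = time(9, 0)
WORK_END = time(17, 0)          # exclusive: 17:00:00 exactly counts as off hours
WORK_DAYS = {0, 1, 2, 3, 4}     # Monday=0 ... Friday=4

# Assumed subject zone. Fall back to a fixed -04:00 (EDT) offset if the host
# has no tz database, so the example still runs offline.
try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/New_York")
except Exception:  # ZoneInfoNotFoundError or missing tzdata
    LOCAL_TZ = timezone(timedelta(hours=-4), "EDT")

# Constructed sample Date headers as they would appear in RFC 5322 messages.
SAMPLE_DATES = [
    "Mon, 04 Jun 2018 14:05:00 -0400",  # 14:05 local           -> work
    "Mon, 04 Jun 2018 18:05:00 +0000",  # 14:05 EDT once normalised -> work
    "Mon, 04 Jun 2018 23:30:00 -0400",  # 23:30 local           -> off
    "Sat, 02 Jun 2018 10:00:00 -0400",  # weekend               -> off
    "Tue, 05 Jun 2018 08:59:59 -0400",  # one second early      -> off
    "Tue, 05 Jun 2018 12:00:00 -0000",  # '-0000' = no usable zone (see to_local)
]


def to_local(date_header):
    """Parse a Date header and convert it to LOCAL_TZ.

    RFC 5322 uses '-0000' to mean 'no usable zone', and parsedate_to_datetime
    returns a naive datetime for it. Treating such values as UTC is an
    assumption, so the caller gets a flag to review them by hand."""
    dt = parsedate_to_datetime(date_header)
    uncertain = dt.tzinfo is None
    if uncertain:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(LOCAL_TZ), uncertain


def is_work_hours(local_dt):
    """Apply the schedule to the weekday and the time-of-day independently."""
    if local_dt.weekday() not in WORK_DAYS:
        return False
    return WORK_START <= local_dt.time() < WORK_END


def classify(date_headers):
    """Return (header, local ISO time, 'work' or 'off', uncertain_zone) per header."""
    rows = []
    for hdr in date_headers:
        local_dt, uncertain = to_local(hdr)
        label = "work" if is_work_hours(local_dt) else "off"
        rows.append((hdr, local_dt.isoformat(), label, uncertain))
    return rows


if __name__ == "__main__":
    for hdr, local_iso, label, uncertain in classify(SAMPLE_DATES):
        flag = "  (zone unknown, treated as UTC; verify)" if uncertain else ""
        print(f"{label:4} {local_iso}  <- {hdr}{flag}")
```

Two details are worth keeping when adapting this: the conversion step has to come before the hour test, otherwise a message stamped 18:05 +0000 looks like "after hours" even though the sender's clock read 14:05; and headers with a -0000 offset should be flagged rather than silently binned, because the hour of day for those messages is only as good as the assumption you make about their zone.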
ForensicMeteor
(@forensicmeteor)
Posts: 60
Trusted Member
Topic starter
 

Oh, Axiom can do it? I have Axiom as well.

 
Posted : 04/06/2018 6:30 pm
(@mcman)
Posts: 189
Estimable Member
 

Ok cool, give it a try. I actually just made a video on that exact thing last week:
https://www.youtube.com/watch?v=v5ueVdcQqJw

FTK may be able to do it; I'm not familiar enough with their filtering options. But if you have AXIOM too and it gets you what you need, great. Feel free to reach out if you have any questions.

Jamie

 
Posted : 04/06/2018 6:36 pm