Filtering based on Time in FTK
So, we have performed searches filtering dates but now I have a case that involves tracking a user based on work hours. I would think this is something simple but I have been unable to come up with a method to perform this search. My source evidence is email. I need to search for email exchanged during certain hours and I fear I am just over-complicating things. Do I need a regular expression?
Generally that's not very easy to do. Timestamps are stored with the date/time together; your tool would have to split and store them separately to build out a schedule like business hours/off hours, etc.
Most tools can give you a time range, but a schedule isn't always possible. I'm not sure if you can do it with FTK or not. We had to store them separately to do that in AXIOM, which makes the filter super easy; it just takes a bit more work to process. Some e-discovery tools will do it, but not many forensics tools.
Oh, Axiom can do it? I have Axiom as well.
OK cool, give it a try. I actually just made a video on that exact thing last week.
FTK may be able to do it; I'm not familiar enough with their filtering options, but if you have AXIOM too and it gets you what you need, great. Feel free to reach out if you have any questions.
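The splitting of time of day from the date that the thread describes can also be done on exported messages with a short script. This is an added example, not part of the thread and not how FTK or AXIOM implement their filters; the sample messages, the fixed UTC-5 custodian offset and the 09:00-17:00 weekday schedule are constructed assumptions.

```python
from datetime import time, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages (not case data); only the headers matter here.
SAMPLE_MESSAGES = [
    "Date: Mon, 04 Mar 2024 14:30:00 +0000\nSubject: status report\n\nbody",
    "Date: Tue, 05 Mar 2024 03:15:00 +0000\nSubject: late upload\n\nbody",
    "Date: Sat, 09 Mar 2024 10:00:00 -0500\nSubject: weekend note\n\nbody",
    "Date: not a real date\nSubject: damaged header\n\nbody",
]
# Assumed custodian time zone: fixed UTC-5. Pass zoneinfo.ZoneInfo(...) instead
# when daylight saving changes fall inside the review period.
CUSTODIAN_TZ = timezone(timedelta(hours=-5))

def in_window(local_dt, start, end, weekdays):
    """True if local_dt falls in [start, end) on one of the allowed weekdays."""
    if local_dt.weekday() not in weekdays:
        return False
    t = local_dt.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window wraps past midnight, e.g. 22:00-06:00

def split_by_schedule(raw_messages, tz, start=time(9), end=time(17),
                      weekdays=frozenset(range(5))):
    """Sort message subjects into (inside, outside, unparsed) for the schedule."""
    inside, outside, unparsed = [], [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):  # missing or malformed Date header
            sent = None
        if sent is None or sent.tzinfo is None:  # no usable offset: review by hand
            unparsed.append(msg["Subject"])
            continue
        local = sent.astimezone(tz)  # compare in the custodian's local time
        (inside if in_window(local, start, end, weekdays) else outside).append(msg["Subject"])
    return inside, outside, unparsed

if __name__ == "__main__":
    for label, subjects in zip(("inside", "outside", "unparsed"),
                               split_by_schedule(SAMPLE_MESSAGES, CUSTODIAN_TZ)):
        print(label, subjects)
```

The `Date` header is written by the sending client, so for messages that matter to the timeline it is worth comparing it against the `Received` headers added by the mail servers.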