Filtering based on Time in FTK  

ForensicMeteor
(@forensicmeteor)
Member

So, we have performed searches filtering dates but now I have a case that involves tracking a user based on work hours. I would think this is something simple but I have been unable to come up with a method to perform this search. My source evidence is email. I need to search for email exchanged during certain hours and I fear I am just over-complicating things. Do I need a regular expression?

Posted : 04/06/2018 7:05 pm
mcman
(@mcman)
Active Member

Generally that's not very easy to do; timestamps are stored with the date and time together, so your tool would have to split them and store them separately to build out a schedule like business hours/off hours, etc.

Most tools can give you a time range, but a schedule isn't always possible; I'm not sure if you can do it with FTK or not. We had to store them separately to do that in AXIOM, which makes the filter super easy, it just takes a bit more work to process. Some E-Discovery tools will do it, but not many forensics tools.

Jamie
Magnet Forensics

Posted : 04/06/2018 7:25 pm
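The split-the-timestamp approach Jamie describes above, as an added example that is not from this thread and not code from FTK or AXIOM: each email's RFC 5322 `Date` header is parsed, converted into the timezone the analyst chooses for the subject (the header's own offset may be anything the sending client used), and only then is the local weekday and time-of-day compared against a work schedule. The sample headers, the 09:00-17:00 Monday-to-Friday schedule and the fixed UTC-4 demo zone are constructed assumptions; on a real case you would pass `zoneinfo.ZoneInfo("America/New_York")` or similar so daylight-saving changes are handled. Malformed headers are kept in their own bucket rather than silently dropped, because a message with no usable timestamp is itself worth reporting.

```python
from datetime import time, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Date headers (RFC 5322 format); not from any real mailbox.
SAMPLE_DATE_HEADERS = [
    "Mon, 04 Jun 2018 09:15:00 -0400",  # weekday, inside 09:00-17:00 local
    "Mon, 04 Jun 2018 21:30:00 +0000",  # 17:30 at UTC-4 -> after hours
    "Sat, 02 Jun 2018 11:00:00 -0400",  # weekend
    "Tue, 05 Jun 2018 12:00:00 +0900",  # noon in UTC+9 is 23:00 Monday at UTC-4
    "not a date",                       # malformed header; must not abort the run
]

# Assumed work schedule: Monday (0) to Friday (4), 09:00 to 17:00 local time.
WORK_START = time(9, 0)
WORK_END = time(17, 0)
WORK_DAYS = {0, 1, 2, 3, 4}

# Assumed analyst timezone for the demo: a fixed UTC-4 offset.
# Real analysis should use zoneinfo.ZoneInfo("<region>") so DST is respected.
DEMO_TZ = timezone(timedelta(hours=-4), "UTC-4")


def to_local(header_value, tz):
    """Parse a Date header and convert it to the analyst's timezone.

    Returns None when the header cannot be parsed. Older Pythons raise
    TypeError for garbage input, newer ones raise ValueError, so both are caught.
    """
    try:
        dt = parsedate_to_datetime(header_value)
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:
        # A '-0000' offset yields a naive datetime; treat it explicitly as UTC.
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(tz)


def classify(local_dt, start=WORK_START, end=WORK_END, days=WORK_DAYS):
    """Bucket a timezone-aware local datetime against the work schedule."""
    if local_dt.weekday() not in days:
        return "weekend"
    if start <= local_dt.time() < end:
        return "work_hours"
    return "off_hours"


def bucket_headers(headers, tz):
    """Return {bucket: [(original header, local ISO timestamp), ...]}."""
    result = {"work_hours": [], "off_hours": [], "weekend": [], "unparseable": []}
    for header in headers:
        local = to_local(header, tz)
        if local is None:
            result["unparseable"].append(header)
        else:
            result[classify(local)].append((header, local.isoformat()))
    return result


if __name__ == "__main__":
    for bucket, items in bucket_headers(SAMPLE_DATE_HEADERS, DEMO_TZ).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The weekday and time comparison is done on the converted local value, never on the raw header, which is the point Jamie makes about needing the time-of-day stored separately from the date: the fourth sample is a weekday noon in its own timezone but lands at 23:00 the previous day for the subject, and only the converted value puts it in the right bucket.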
ForensicMeteor
(@forensicmeteor)
Member

Oh, Axiom can do it? I have Axiom as well.

Posted : 04/06/2018 7:30 pm
mcman
(@mcman)
Active Member

Ok cool, give it a try. I actually just made a video on that exact thing last week:
https://www.youtube.com/watch?v=v5ueVdcQqJw

FTK may be able to do it; I'm not familiar enough with their filtering options, but if you have AXIOM too and it gets you what you need, great. Feel free to reach out if you have any questions.

Jamie

Posted : 04/06/2018 7:36 pm