Can you think of a way to accomplish this in FTK?
FTK Case (Keywords in the evidence list)
1 bat
2 ball
3 basketball
4 football
5 baseball
6 coach
7 car
8 house
9 dog
I.e. I want to remove anything with ball in the title, body, email, document, etc. So I check the boxes with ball, basketball, football, baseball and successfully export those items/files for review, but now I need to export ONLY the non-checked items, i.e. the remaining items which don't have the word ball in them, so items 1, 6, 7, 8, 9 (but for this example let's say there are 50k total evidence items, so just using the mouse wheel and going down to check each item would take forever).
So the screen would look like below. The items which are checked would be exported (but still remain in the case). I'd like to take every item that isn't checked and export those items. I, as well as a few other people, thought this is possible somehow. I thought something like highlight one item, scroll down and hold shift to highlight others (but of course that highlights even the checked items).
bat
*ball
*basketball
*football
*baseball
coach
car
house
dog
There is a way to export all checked items or export all highlighted items, so I thought there might be a way to export all items not checked. Or go to all evidence items and sort by checked items (the little sort up/down arrows, see below), where all the checked items are now sequential, and I could then start with bat (highlight bat and hold down shift all the way through dog) and I would have all non-checked items ready for export (if it didn't crash the computer or error out from exporting thousands of items).
*ball
*basketball
*football
*baseball
bat
coach
car
house
dog
This is for FTK, not EnCase or any other software package.
Thanks for any help or suggestions. Give me your crazy ideas or anything which you think may work. I've got a test image I made up to run it through the gauntlet, and if you post it, I'll give it a go.
I hope that suggestions from this will help others who may have had the same type of issue come up, or people in the future who may run into this.
Have a great evening, and a good morning.
P.S. FTK Support's answer was that FTK can't do this, but to contact Sales to look into buying their other product which may help. :-)
I would probably do a regular expression search for bat or coach or car or house or dog and not (ball), and then export the results of the live search - or are you only using the index search?
FTK Support's answer was that FTK can't do this, but to contact Sales to look into buying their other product which may help. :-)
Nice…
I concur with the regex search.
The difference here is that what I provided you with was made up, but I did add there are around 50k items, so of that you would get a list of 10, 20, maybe 100 words; everything else is what needs to be removed. So you could be doing 100 regular expressions, and I'm guessing a regular expression live search across the entire drive for everything but 100 keywords would literally take forever.
I'll keep it in mind though, thanks for the input.
I would probably do a regular expression search for bat or coach or car or house or dog and not (ball), and then export the results of the live search - or are you only using the index search?
dtSearch has a NOT option
Use NOT in front of any search expression to reverse its meaning. This allows you to exclude documents from a search. Example
apple sauce and not pear
NOT standing alone can be the start of a search request. For example, not pear would retrieve all documents that did not contain pear.
If NOT is not the first connector in a request, you need to use either AND or OR with NOT.
From dtSearch User's Manual.