What is the difference between live and index search?
In FTK, index search searches the index, whereas a live search runs over all the data (like an EnCase keyword search).
Whilst you can use dtSearch queries against the index such as forensic w/2 focus, you cannot run regular expression searches; you would need to run that as a live search. Depending on your indexing options you may also need to live search for special characters like '@' if it is excluded when indexing, e.g. an email address jamie@forensicfocus.com.
The upshot is, index search is fast (all the processing is done upfront) once it's indexed, whereas live searching can take a while.
I've never understood why a regular expression couldn't be run against the index, perhaps someone in the know could explain?
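As an added illustration of the two search modes described above (this is example code written for this thread, not anything from FTK, dtSearch or the poster): a toy inverted index over three constructed documents, a proximity query in the style of `forensic w/2 focus`, and a regex "live" search over the raw text. The tokenizer patterns `TOKEN_RE` and `TOKEN_RE_KEEP_EMAIL` are hypothetical stand-ins for the indexing options mentioned; the point they make is that the index only ever holds the tokens the indexer kept, so a pattern that spans a dropped character like `@` has nothing to match against, while a live search still sees every byte.

```python
import re
from collections import defaultdict

# Constructed sample "evidence": three tiny documents standing in for files.
DOCS = {
    "report.txt": "Forensic Focus covers digital forensic topics in depth",
    "mail.eml": "Contact jamie@forensicfocus.com for the forensic focus group",
    "notes.txt": "Keyword focus is a forensic task; see the forum",
}

# Two hypothetical "indexing options". The default treats '@' and '.' as
# separators, so jamie@forensicfocus.com is split into three tokens and the
# address itself never reaches the index; the second keeps those characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")
TOKEN_RE_KEEP_EMAIL = re.compile(r"[A-Za-z0-9@.]+")


def build_index(docs, tokenize=TOKEN_RE.findall):
    """Inverted index: term -> {doc -> [token positions]}. All the work is done here, once."""
    index = defaultdict(lambda: defaultdict(list))
    for name, text in docs.items():
        for pos, tok in enumerate(tokenize(text)):
            index[tok.lower()][name].append(pos)
    return index


def index_search_term(index, term):
    """Index search for one term: a dictionary lookup, no document is re-read."""
    return sorted(index.get(term.lower(), {}))


def index_search_within(index, a, b, n):
    """dtSearch-style proximity query 'a w/n b': a within n words of b, either order."""
    a, b = a.lower(), b.lower()
    hits = []
    for doc in set(index.get(a, {})) & set(index.get(b, {})):
        if any(abs(pa - pb) <= n for pa in index[a][doc] for pb in index[b][doc]):
            hits.append(doc)
    return sorted(hits)


def live_search(docs, pattern):
    """Live search: a regular expression run over the raw text of every document."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(name for name, text in docs.items() if rx.search(text))


if __name__ == "__main__":
    idx = build_index(DOCS)
    print("forensic w/2 focus   ->", index_search_within(idx, "forensic", "focus", 2))
    print("index: e-mail term   ->", index_search_term(idx, "jamie@forensicfocus.com"))
    print("live:  e-mail regex  ->", live_search(DOCS, r"[\w.+-]+@[\w-]+\.\w+"))
    idx_keep = build_index(DOCS, tokenize=TOKEN_RE_KEEP_EMAIL.findall)
    print("index (keeping @ .)  ->", index_search_term(idx_keep, "jamie@forensicfocus.com"))
```

With the default tokenizer the e-mail address is not findable by index search at all, but the live regex finds it immediately; re-indexing with the second tokenizer makes it findable again, which is the "depending on your indexing options" caveat from the reply. The proximity query works purely from stored token positions, which is why it is cheap once the index exists.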
Great explanation. That makes sense now. Thank you.