I recently read the article about the Oxygen forensic suite v1.2, and was curious.
If the Oxygen forensic suite can have a search engine that makes life easier when searching mobiles, couldn't computer-based forensics get a simpler search engine?
I am aware that EnCase has a search engine of sorts that uses GREP (I cannot remember if FTK has one).
So instead of typing every possible way to spell something, the search engine could search for it for you and retrieve the hits and other data about said files/data.
Some forensic tools' search engines use a function that's intended to detect spelling errors, but the greater the degree of fuzziness in a search, the longer it's going to take. That's your trade-off… well-constructed searches take less time than letting the computer try to figure it out for you.
Greetings,
The longer it will take, and the more hits you're likely to get.
Constructing good keywords and searches is part science, part art, and is one of the things that a good forensics or eDiscovery practitioner brings to the table that usually isn't spelled out on their resume or website.
-David
David raises another good point. If you increase your fuzziness, you'll also get a lot more false positives that you'll need to weed out by hand, which will increase your human time. Although we mostly bill by the hour in forensics (as opposed to ED, which seems mostly quantity-billed), our clients quite rightly expect that our methods are designed to reduce the human time to what's reasonably necessary.
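The trade-off described in the two replies above (more fuzziness costs more search time and produces more false positives to weed out by hand) is easy to see on a small sample. The following is an added example, not code from the original thread or from EnCase, FTK or Oxygen: it compares an examiner-built GREP-style term that enumerates the expected spellings against an edit-distance ("fuzzy") search at increasing distance thresholds. The sample lines, the keyword "jonathan" and the regex are constructed for illustration; the distance-computation counter is a stand-in for search time, not a measurement of any real tool.

```python
"""Keyword (GREP) search versus fuzzy search over a constructed corpus.

Added example, not from the original thread: a hand-built GREP term that
spells out the variants the examiner cares about, compared with an
edit-distance ("fuzzy") search whose hit list and work both grow with the
allowed fuzziness.
"""
import re

# Constructed lines standing in for strings recovered from an image.
CORPUS = [
    "Meeting with Jonathan about the shipment.",
    "Johnathan said the container arrives Tuesday.",
    "Email from jonathon.smith@example.invalid re: invoice.",
    "Call Jon about the marathon photos.",
    "Jonatan wrote: the payment cleared.",
    "The python script failed again.",
    "Nathan forwarded the contract.",
    "Jonathans laptop password is in the drawer.",
]

# Examiner-built GREP term (constructed): the spellings we expect, no more.
GREP_TERM = re.compile(r"\bjoh?n+at+h?[oa]n(?:'?s)?\b", re.IGNORECASE)


def grep_search(lines, term=GREP_TERM):
    """One regex pass over the data; returns the matching lines."""
    return [ln for ln in lines if term.search(ln)]


def levenshtein(a, b):
    """Edit distance between a and b (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def fuzzy_search(lines, keyword, max_distance):
    """Flag a line if any token is within max_distance edits of keyword.

    Returns (matching_lines, dp_runs). dp_runs counts the edit-distance
    computations actually performed, a rough proxy for search time.
    Tokens whose length differs from the keyword by more than max_distance
    cannot match, so they are skipped without running the DP.
    """
    keyword = keyword.lower()
    hits, dp_runs = [], 0
    for ln in lines:
        for tok in re.findall(r"[a-z]+", ln.lower()):
            if abs(len(tok) - len(keyword)) > max_distance:
                continue
            dp_runs += 1
            if levenshtein(tok, keyword) <= max_distance:
                hits.append(ln)
                break
    return hits, dp_runs


def compare(lines=CORPUS, keyword="jonathan", distances=(0, 1, 2, 4)):
    """Hit counts and DP work per fuzziness level, next to the GREP term."""
    result = {"grep": len(grep_search(lines))}
    for d in distances:
        hits, work = fuzzy_search(lines, keyword, d)
        result[d] = (len(hits), work)
    return result


if __name__ == "__main__":
    print("grep term hits:", len(grep_search(CORPUS)))
    for d in (0, 1, 2, 4):
        hits, work = fuzzy_search(CORPUS, "jonathan", d)
        print(f"fuzzy d={d}: {len(hits)} lines, {work} distance computations")
        for ln in hits:
            print("   ", ln)
```

Running it shows the point both replies make: the GREP term finds the five intended spellings in one pass, distance 1 finds the same five, distance 2 starts pulling in "Nathan" and distance 4 pulls in "marathon", each step also running the distance computation over more tokens. The fuzzy search never knows which of its hits the examiner wanted; that judgement is the human time the second reply talks about.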
And also consider the size of hard drives compared to mobile phones: currently mobiles on average are around 8-odd gig, you get the odd 16 gig units and the iPhones, but most mobiles don't hold massive amounts of data (well, compared to PCs)… so less data coming back means fewer false positives etc., but anything to make investigative life easier is always useful.
The idea I had for it was to be used as a brief map, in a sense, to help the investigator by showing them where possible information may be.
Thanks for your input though :)