Targeted Server Forensic Collection
Is there any other tool or script apart from Nuix Collector which can be used on a live server (Windows 2012 R2) that can filter by extension, date and keyword to cull the data prior to collection? I need to extract only specific files based on keyword or date range from a file server.
Thanks, that's quite helpful! Apart from PowerShell, is there a commercial or open-source tool that can do this?
When you say Keyword, are you referring to keywords in the file name, or keywords in the content of the file?
Which file types are you interested in? Word DOCX, emails, PDFs, JPG EXIF?
Office files like DOCX are compressed. So you can't just do a simple grep type operation and hope to match clear ASCII / Unicode text.
What about files inside other files, e.g. files in a VM image, a Zip file or email attachments?
What about deleted files and shadow copy files? How deep do you want to go?
This will only be limited to loose files, i.e. doc, docx, pdf, xls, xlsx and xlsm.
By keyword I mean searching file name and date range; ideally, if there is a way to search for a keyword within the body of the file, that would be better.
Basically what I need is to run a keyword AND/OR date range search across the file server and copy the results onto an external drive, keeping the folder structure and metadata intact.
Would it be better to collect those file extensions first then KWS after on your forensic machine? If you do this on a server, you are putting CPU/RAM of the server to work to do your culling. If you can target collect and process onsite after, it may be more effective and efficient.
Then you can use any tool to image and process.
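The targeted collection described above (extension plus date range plus keyword, copied out with folder structure and timestamps preserved) as an added PowerShell example; this is not code from any poster or from Nuix, and the share path, destination drive, date range and keyword are placeholders. It runs on the PowerShell 4 that ships with Server 2012 R2 and, because DOCX/XLSX are zip containers (the point made earlier in the thread), it reads their XML parts for the body keyword instead of grepping the compressed bytes:

```powershell
# Added example, not from the thread. Placeholders below are assumptions to replace.
$Source      = '\\FILESERVER\Share'      # placeholder: share being collected
$Destination = 'E:\Collection'          # placeholder: external drive
$Extensions  = @('*.doc','*.docx','*.pdf','*.xls','*.xlsx','*.xlsm')
$From        = Get-Date '2019-01-01'    # placeholder date range, applied to LastWriteTime
$To          = Get-Date '2019-12-31'
$Keyword     = 'invoice'                # placeholder; matched case-insensitively (name and body)

Add-Type -AssemblyName System.IO.Compression.FileSystem   # .NET 4.5 zip reader for Office files

function Test-OfficeBody($path, $kw) {
    # DOCX/XLSX/XLSM are zip containers: search the XML parts, not the compressed bytes.
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($path)
        foreach ($e in $zip.Entries) {
            if ($e.FullName -like 'word/*.xml' -or $e.FullName -like 'xl/*.xml') {
                $r = New-Object System.IO.StreamReader($e.Open())
                $hit = $r.ReadToEnd() -match [regex]::Escape($kw)
                $r.Dispose()
                if ($hit) { return $true }
            }
        }
        return $false
    } catch { return $false } finally { if ($zip) { $zip.Dispose() } }
}

$srcRoot = (Resolve-Path $Source).Path.TrimEnd('\')
$hits = Get-ChildItem -Path $Source -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $From -and $_.LastWriteTime -le $To } |
    Where-Object { $_.BaseName -match [regex]::Escape($Keyword) -or
                   ($_.Extension -in @('.docx','.xlsx','.xlsm') -and (Test-OfficeBody $_.FullName $Keyword)) }

$rows = foreach ($f in $hits) {
    $rel  = $f.FullName.Substring($srcRoot.Length).TrimStart('\')   # keep the folder structure
    $dest = Join-Path $Destination $rel
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $dest
    # Copy-Item does not carry over the creation time; restore all three timestamps from the source.
    $d = Get-Item -LiteralPath $dest
    $d.CreationTime = $f.CreationTime; $d.LastWriteTime = $f.LastWriteTime; $d.LastAccessTime = $f.LastAccessTime
    # Manifest row with a SHA-256 of the copy so the collection can be verified later.
    [pscustomobject]@{ Source = $f.FullName; Copy = $dest; LastWrite = $f.LastWriteTime
                       SHA256 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash }
}
$rows | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation
```

Leave $Keyword empty to collect purely by extension and date, which matches the suggestion above of culling by type first and running the keyword search on the forensic workstation afterwards.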