±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 35657
New Yesterday: 3 Visitors: 225

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Searching the Search Hits =)

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

tebodell
Member
 

Searching the Search Hits =)

Post Posted: Mar 24, 05 11:48

Hey all--

There's gotta be way to do this but i have failed to locate an efficient way in my initial research. So EnCase by default can flag all URL strings with a compound GREP search expression. That sometimes yields hundreds of thousands of url strings. But I want to re-search those hits gathered in the URL string query but only for a few keywords. Whats the best way to do this? I've tried exporting the search hits for the URL strings, uniq'ing it (unix util that removes duplicate lines), and then using a for() loop to run through the file of search hits grep'ing for my keywords but that didn't work because when i exported it there was control characters or misc line breaks in the text so the grep's failed Sad

Should I try a compound (very very long) GREP search expression to include a few keywords via OR like (keyword1)|(keyword2)|(etc). I'm still working on being crafty with the regex searches but I thought maybe someone that was thinking clearly could hint me at another option Smile

Thanks in advance, any feedback appreciated Smile

--Ty  
 
  

Andy
Senior Member
 

Re: Searching the Search Hits =)

Post Posted: Mar 25, 05 14:17

What exactly is it that you are trying to achive?

By using GREP or keywords across the whole image, or even just in the unallocated will result in countless hits that are completely irrelevant. Web pages that once existed in the TIF that now reside as artefacts in unallcated may contain many urls engrained in the page (links, adverts, hidden popups, etc) that don't actually prove any mens rea (guilty knowledge).

EnCase versions 3 and 4 do not have a hit search facility. You are stuck with the hits, short of exporting out the results as a .doc or .xls file which you have already done.

You can actually make a search for the search hits by making your own filter, and using queries to work upon the 'columns', but quite how you would do this is non-trivial.

There is a HTML carver script that allows you to use keywords to refine the url hits.

I use Net Analysis (www.digital-detective.co.uk) to examine Internet History.

Andy  

Last edited by Andy on Mar 28, 05 11:32; edited 1 time in total
 
  

tebodell
Member
 

Re: Searching the Search Hits =)

Post Posted: Mar 25, 05 19:21

Ah, HTML Carver looks like what I was looking for. Thanks for the response Andy, appreciate it.

--Ty  
 
  

daveg
Newbie
 

Re: Searching the Search Hits =)

Post Posted: Mar 29, 05 15:33

You could export all the rows from EnCase and then read them into a MySQL table.

Then you can use SQL to search.

I do this sometimes, for example if I want to count unique pictures I export the md5 into a table. Then create another identical table but include unique. Then use insert ignore to count duplicates
_________________
If at first you don't succeed, try a bigger hammer 
 

Page 1 of 1