Keywords
datacarver
(@datacarver)
Posts: 121
Estimable Member
Topic starter
 

I am giving a presentation around searching and keywords. I have some of my own examples, but I was wondering if any of you have any cases where

1) The keywords you used or the process around your keyword development helped you solve your case.

2) You used keywords but found the hot document outside of your search result set.

I want to make it clear that keywords should be used as a tool and not a crutch and that proper interviews and investigative techniques are where the real benefits lie.

I appreciate any war stories.

 
Posted : 10/10/2009 1:35 am
 samr
(@samr)
Posts: 119
Estimable Member
 

It's probably important to emphasise that keyword searching is a heuristic process and as such it may not find all of the results available. Hence, even with the correct criteria it may not find everything you are looking for. I had an example of this today when I was searching for an email that I knew was there but was not found with a keyword that was in the email. Another keyword search found the file.

The keywords I use are generally purely based on the case I am trying to solve. If I am looking at previous access to a file then I may perform a search for part of the file name to try to easily locate some of the LNK files in restore points, information in IH and also registry information. Keywords provide a great resource to assist in doing this kind of analysis.

Likewise, if I am considering the previous Windows operating systems that may be present on a disk I may search for "registered owner" to try to locate previously deleted DrWatson files and event logs which may provide me easy details about the previous installation.

 
Posted : 10/10/2009 1:48 am
seanmcl
(@seanmcl)
Posts: 700
Honorable Member
 

1) The keywords you used or the process around your keyword development helped you solve your case.

I had a case where a technical support person had claimed to have downloaded an evaluation version of antimalware solution (which was actually rogue antimalware), but claimed not to have downloaded the commercial version which included a program to wipe deleted files and unallocated space. At issue was whether there had been deliberate spoliation of the system prior to it being turned over as evidence.

A keyword search using his real name (instead of the user name) turned up artefacts of the credit card purchase he had made of the commercial solution.

Ironically, that fact pretty much proved that he hadn't wiped the system using that particular software package since the data in unallocated space should have been deleted.

2) You used keywords but found the hot document outside of your search result set.

What comes to mind, immediately, is searching for signs of JavaScript exploits where the code has been obfuscated to escape detection. There are too many variations on ways to do this to make it practical to search for them using keywords.

I want to make it clear that keywords should be used as a tool and not a crutch and that proper interviews and investigative techniques are where the real benefits lie.

Well, another situation is when keywords give you too many false positives. I had a case involving a large lumber supplier and a question of whether employees had been disclosing company information to competitors. In this case, the competitor employees in question were named "Wood" and "Cross" (as in "crosscut").

I think that you can see where this is headed.

 
Posted : 10/10/2009 2:30 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

Another aspect - Can a search

.-. .-. . . . . .-. . . .-. .-. . . .-. .-. . . .-. .-. .-.
| |-| |\| | | | | | |- | |\| | ) | |-| | `-. .'
`-' ` ' ' ` ` `-' `-' ' `-' ' ` `-' ' ' ` `-' `-' .
or
888888 88 88 88 .dP"Y8 oP"Yb.
88 88 88 88 `Ybo." "'.dP'
88 888888 88 o.`Y8b 8P
88 88 88 88 8bodP' (8)

and

|\|3\/3R /\/\1|\|D 7|-|15

twisted

 
Posted : 10/10/2009 5:23 am
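The two search problems raised in the replies above, seanmcl's false positives on short common words ("Wood", "Cross" against "crosscut") and jhup's leet-speak text that a literal keyword never hits, worked through in a small Python helper. This is an added example, not code from the thread or from any forensic tool the posters use; the keyword list, the sample lines and the leet-speak substitution table are constructed for it.

```python
r"""Keyword search helper for forensic triage (added example, constructed data).

Two problems from the thread:
  * whole-word matching stops "Cross" from hitting "crosscut" and "Wood"
    from hitting "softwood" (false positives);
  * a second pass over leet-speak-normalised text catches "d3l3t3" or
    "|\|3\/3R", which a literal search misses; such hits are flagged so
    the examiner reviews them separately.
"""
import re
from dataclasses import dataclass
from typing import List

# Multi-character leet sequences, longest first so "/\/\" is consumed before "\/".
LEET_MULTI = [("/\\/\\", "M"), ("|\\|", "N"), ("|-|", "H"), ("\\/", "V"), ("|<", "K")]
# Single-character substitutions (constructed table; extend for the case at hand).
LEET_SINGLE = str.maketrans("013457@$", "OIEASTAS")


def normalise(text: str) -> str:
    """Collapse leet-speak substitutions and case so obfuscated variants compare equal.

    Side effect worth knowing: genuine digits are rewritten too ("2009" -> "2OO9"),
    so normalised hits are lower confidence and are tagged as such by the caller.
    """
    for seq, letter in LEET_MULTI:
        text = text.replace(seq, letter)
    return text.translate(LEET_SINGLE).upper()


@dataclass
class Hit:
    keyword: str
    line_no: int
    line: str
    normalised: bool  # True when the hit only appears after normalisation


def naive_count(lines: List[str], keyword: str) -> int:
    """Plain case-insensitive substring count: the 'Cross' vs 'crosscut' problem."""
    kw = keyword.lower()
    return sum(line.lower().count(kw) for line in lines)


def keyword_search(lines: List[str], keywords: List[str]) -> List[Hit]:
    """Whole-word literal search, then a normalised second pass for each keyword."""
    hits: List[Hit] = []
    for kw in keywords:
        literal = re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE)
        norm = re.compile(r"\b" + re.escape(normalise(kw)) + r"\b")
        for no, line in enumerate(lines, start=1):
            if literal.search(line):
                hits.append(Hit(kw, no, line, False))
            elif norm.search(normalise(line)):
                hits.append(Hit(kw, no, line, True))
    return hits


# Constructed sample text (not from any real case).
SAMPLE_LINES = [
    "Please send the crosscut list and the softwood pricing to me.",
    "Meeting with J. Cross at the competitor's office on Friday.",
    "|\\|3\\/3R /\\/\\1|\\|D 7|-|15 - d3l3t3 4ft3r r34d1ng",
    "Invoice 2009-10-10 paid by card",
    "Forwarded the pricing sheet to T. Wood at the other yard.",
]
KEYWORDS = ["Wood", "Cross", "delete", "never mind"]

if __name__ == "__main__":
    print("naive substring hits for 'cross':", naive_count(SAMPLE_LINES, "cross"))
    for h in keyword_search(SAMPLE_LINES, KEYWORDS):
        tag = "normalised" if h.normalised else "literal"
        print(f"{h.keyword!r:<13} line {h.line_no} [{tag}]: {h.line}")
```

The naive count reports two "cross" hits in the sample, the whole-word search one; the leet-speak line is only reached by the normalised pass and is flagged as such, because normalisation also mangles ordinary digits and its hits need a second look. Figlet-style banners like the ones in jhup's post spread each letter over several rows, so no per-line normalisation will catch them; that remains a case for reviewing rendered text rather than keyword hits, which is the thread's own point.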
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

OT, but not much wink , a very nice article on heuristics
http://niquette.com/books/sophmag/heurist.htm#defin
http://niquette.com/books/sophmag/heurist.htm

jaclaz

 
Posted : 10/10/2009 4:27 pm