Advanced Searching

In document FTK1UsersGuide pdf (Page 184-190)

Forensic Toolkit (FTK) includes several advanced search features, such as searching file list columns and for Internet keywords.

This chapter contains the following information about advanced searching:

• “Searching the Main Viewer”

• “Searching the File List Columns”

Searching the Main Viewer

If you want to search the file currently displayed in the main viewer, you can use the following options in the viewer toolbar:

• In the text field, enter the string that you want to search for in the currently displayed item.

• Highlights the previous instance of the search string in the viewer. Searches backward in the current file. Does not search the previous file.

• Highlights the next instance of the search string in the viewer. Searches forward in the current file. Does not search the next file.

Note: These options are only available when viewing text-based items.

Searching the File List Columns

You can search for a term, such as a filename, in the File List. To search for a term:

1 Select Edit, and then Find File in List.

2 In the Find What field, enter the term that you want to find.

3 In the Column drop-down list, select the columns to search.

4 Click Find Next.

The first match is highlighted in the File List.

5 Continue to click Find Next to locate all matches.

Searching for Internet Keywords

The Internet keyword search finds Internet keywords, such as http, www, com, net, and org. You can search for both URL and e-mail related strings.

Important: Evidence items must be indexed before you can perform an Internet keyword search.

The following table outlines the URL search options:

| URL Option | Description |
| --- | --- |
| http://... | Searches for text that starts with http://. |
| www. ... | Searches for text that starts with www. |
| ... .com | Searches for text that ends with .com. |
| ... .org | Searches for text that ends with .org. |
| ... .net | Searches for text that ends with .net. |
| ... .[empty field] | Searches for text that ends with the domain name that you enter in the box. |

The following table outlines the e-mail address search options:

| E-mail Address Option | Description |
| --- | --- |
| ...@... .com | Searches for e-mail addresses that end with .com. |
| ...@... .org | Searches for e-mail addresses that end with .org. |
| ...@... .net | Searches for e-mail addresses that end with .net. |
| ...@... .[empty field] | Searches for e-mail addresses that end with the domain name that you enter in the box. |

To search for Internet keywords:

1 Select Tools, and then Internet Keyword Search.

2 Select the URL-related strings you want to search.

3 Select the e-mail related strings you want to search. Because the index only captures discrete words, you cannot search for full e-mail addresses, such as [email protected]. You must search for discrete components within the e-mail address.

You can check options in both the URL and E-mail columns.

4 Click OK.
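
An added example, not part of the FTK guide and not FTK's own code: a Python sketch that applies the URL and e-mail options from the tables above as literal prefix and suffix tests to text exported from an item, which is one way to cross-check a search list by hand. The tokenization, case-insensitive matching, function names and sample text are assumptions; FTK itself searches its index of discrete words.

```python
import re

# Labels mirror the option names in the guide's two tables. The matching rules are a
# literal reading of their descriptions (an assumption), not FTK's indexed search.
URL_PREFIXES = {"http://...": "http://", "www. ...": "www."}
DEFAULT_DOMAINS = ("com", "org", "net")
EDGE_PUNCT = "<>()[]{}\"',;:.!?"   # punctuation trimmed from token edges (assumption)


def match_options(token, domains=DEFAULT_DOMAINS):
    """Return the option labels that a single whitespace-delimited token satisfies."""
    t = token.strip(EDGE_PUNCT).lower()   # case-insensitive matching is an assumption
    hits = [label for label, prefix in URL_PREFIXES.items() if t.startswith(prefix)]
    for d in domains:
        if not t.endswith("." + d):
            continue
        hits.append("... ." + d)
        # E-mail option: non-empty local part, one "@", host ending in the domain.
        if re.fullmatch(r"[^@\s]+@[^@\s]+\." + re.escape(d), t):
            hits.append("...@... ." + d)
    return hits


def scan(text, extra_domain=None):
    """Map each matching token in `text` to its option labels.

    `extra_domain` plays the role of the [empty field] option (user-entered domain).
    """
    domains = DEFAULT_DOMAINS + ((extra_domain.lstrip("."),) if extra_domain else ())
    results = {}
    for raw in text.split():
        hits = match_options(raw, domains)
        if hits:
            results[raw.strip(EDGE_PUNCT).lower()] = hits
    return results


# Constructed sample text (not real evidence).
SAMPLE = ("Contact alice@example.org or see http://intranet.example.net/login. "
          "Mirror: www.example.com, staff list from bob@mail.example.edu; "
          "portal moved to https://secure.example.com/portal")

if __name__ == "__main__":
    for token, labels in scan(SAMPLE, extra_domain="edu").items():
        print(f"{token:40} {labels}")
```

Under this literal reading, the https:// token in the sample satisfies none of the listed options, so it does not appear in the result.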

Viewing Internet Addresses

When the process is complete, the detached viewer appears with the Internet address search results.

The Internet Search Results window contains the following information:

| Column | Description |
| --- | --- |
| File Type | The type of file, for example, an e-mail message or an unknown file type. |
| Filename | The filename. When a filename is not recoverable, the file is listed with a default name. |
| Full Path | The full path of the file. |
| Internet Address | Displays the full Internet address that contains the keyword being searched for. |

To view an item, select the Internet address you want to examine. The item containing the Internet address appears in the viewer with the address highlighted.

You can save the entire list of Internet keywords or you can bookmark specific Internet addresses and save them to your case. See “Saving Internet Keyword Search Lists to the Case” on page 175 and “Bookmarking Internet Keyword Search Items” on page 176.

Saving Internet Keyword Search Lists to the Case

If you want to save an Internet Keyword Search List to the case:

1 In the Internet Search Results window, click Add List to Evidence.

2 Click OK.

The list is saved as an HTML file to the case_name\Attach folder. FTK names the file using the following date and time format:

Web Scan YYYYMMDD-HHMMSS.htm.

For example,

Web Scan 20040421-205740.htm.

The file is also added to the case and can be viewed in the Documents container in the Overview window.

Bookmarking Internet Keyword Search Items

If you want to bookmark an item containing Internet keywords:

1 Select an Internet Address.

2 Click Create Bookmark.

3 In the Create New Bookmark form, enter the following:

| Interface | Description |
| --- | --- |
| Bookmark Name | The name of the bookmark. |
| Bookmark Comment | Any additional information about the bookmark and file. |
| Apply Bookmark To | Displays filename and path of the bookmarked file. |
| Remember File Position/Selection | Remembers the highlighted text in the bookmarked file and automatically highlights it when you return to the bookmark. The highlighted text also prints in the report. This option is available only if the first file in a bookmark is selected. |
| Include In Report | If checked, includes the bookmark and its files in case reports. |
| Export Files | If checked, the files included in the bookmark are exported when a |

4 Click OK.
