How to Use Indexing in Searches with Forensic Explorer in Three Easy Steps

Index Searches with Forensic Explorer


I’ve been around the block a few times over the years with digital forensic tools. I’ve used all the major computer forensic tools and apps like XRY and Cellebrite for mobile forensics.

So I mean it when I say that Forensic Explorer may be the best-kept secret in digital forensics. Seriously.

The fully featured suite of tools packs all the punch of much higher priced tools on the market for less than a third of the price (HUGE).

And it’s easier to use, which is good for an old forensic monkey like…um… me.

One of the powerful features built into Forensic Explorer is index searching – I know that indexing has been a lifesaver for me on cases before. In this short how-to, I will show you how to create an index in your case in Forensic Explorer so that you can quickly search for keywords. I hope that you will find the indexing feature as helpful in casework as I have.

Before we begin however you may be wondering – “What’s an Index?”.

That’s a fair question.

An index is like a database of the text strings extracted from files, or from raw disk space, on an evidence image. Forensic Explorer leverages the well-known and respected DTSearch engine to create and search such indexes.

Now that you have a basic understanding of what an index is, let’s move on to the three steps to using the Index Search module in Forensic Explorer: Setup, Create and Search.

STEP ONE – SETUP

Creating an index in Forensic Explorer is a simple affair but – as in most things in life – there are some things to take into consideration prior to creating an index for searching.

The first thing you may wish to do is to head over to the DTSearch site – http://bit.ly/1tkFJTt – and take a quick look at the file types that DTSearch indexes. There is a better than average chance that most of what you are looking to index is listed there. While this step is not necessary, it is useful for understanding how the engine works and what to expect from using it.

Forensic Explorer stores the indexes it creates at:

C:\Program Files\Forensic Explorer %vX%\Cases\%case name%\DTSearchIndexes\index name\

where %vX% is the version number and %case name% is the name that you have assigned to the case. An index is typically about one fourth of the size of the files indexed, but the actual size varies widely depending on the size and number of files in the index. Examiners should make sure there is plenty of storage room on the examination medium for indexes.

Some words are so common that the software treats them as “noise”. Words such as “of” and “the” in the English language fall into this category. Forensic Explorer ignores noise words and does not index them. The so-called “noise” words are stored in a file called “noise.dat”, located – in Windows 8.1 – at C:\Program Files (x86)\GetData\Forensic Explorer %vX%\.

Other versions of Windows store the noise.dat file under “Program Files\GetData\Forensic Explorer” with the appropriate version number.

The noise.dat file is a plain text file that can be edited with any text editor such as Notepad. The words are not in any particular order, and wildcards such as “*” or “?” may be used. For an explanation of wildcards, see the Webopedia entry at http://bit.ly/1oSFv6i or Google “wildcard in programming”.

Once an examiner has created an index, Forensic Explorer stores a copy of noise.dat with that index. Changes to the original file will not affect an index that already exists – only indexes created afterwards.

As a final consideration before creating an index, the examiner may want to perform basic recovery functions against the evidence, such as recovering folders, file carving, decrypting files or uncompressing archives that DTSearch does not automatically support. The purpose of such actions is to allow Forensic Explorer to see the data as files, which in turn lets the engine index it.

STEP TWO – CREATE

You have two options when you create an index in Forensic Explorer – index individual checked files in the File System, Email and Registry modules or index the entire case.

To index individually checked files in the File System, Email and Registry modules, switch to the appropriate module, check the files you want indexed, and then go to the Index Search module.

Once in the Index Search module – whether you are indexing individual files or the entire case – click the “New Index” button, which brings up the New Index dialog shown below.

Figure: Creating a new index

You will need to name the index. Make sure to give it a name that describes the search task you are trying to perform, such as “Bunny Lebowski Hits”. In the Items to Index section, you will need to select which module you wish to search. This will be one of the aforementioned File System, Email or Registry modules.

You will now need to select the second radio button, labeled “Checked Items”. This should not read “0 items, 0 bytes”. If it does, double check that 1) you are on the right module, the one that contains the files you wish to index, and 2) you have items checked for indexing in that module. Finally, if you are selecting individual files for indexing, make sure you check the box to include “Raw Devices, Partitions and Files”.

Figure: Index Checked Items

If you are indexing the entire case, go to the Index Search module and keep the selection on the File System module. Remember that the “searchable items” are all the data that Forensic Explorer sees as files – hence the reason why you may wish to perform data recovery and carving functions prior to creating an index.

There is the option for indexing unallocated space when indexing the entire case. Simply check the box to enable this option. If you don’t know what unallocated space is, go to the Center for Computer Forensics at http://bit.ly/1kprEkK for a detailed explanation.

For me, indexing unallocated space, while time consuming on the front end, is a huge help. In the past, I’ve used regular expressions to search these areas, and while these are extremely effective, they are nowhere near as fast as searching an index.

Figure: Indexing an Entire Case

Whether you are indexing a selection of files or the entire case, you also have the option of having file slack indexed via the additional options checkbox. Again, for an explanation of file slack see the Center for Computer Forensics at http://bit.ly/1jDUQpx.

After making sure you are indexing what you want, press the “Ok” button and Forensic Explorer will begin to create the index. FEX shows that the index creation task is running both in the Indexes window and in the process list in the bottom left of the program.

Figure: Running Index

Figure: Index Process Running

Once Forensic Explorer has finished creating the index, it is available for searching in the Indexes window.

Figure: Finished Indexes

STEP THREE – SEARCH

To search an index, check the box next to the index you want to search. Now enter the word that you want to search the index for in the text box next to the Search button.

Forensic Explorer will begin to automagically fill in search hits. For each match, Forensic Explorer displays the word as it appears in the index, the number of times the word occurs across the index – called the “Word Count” – and the number of documents in which the word occurs, called the “Doc Count”.

Figure: Basic Index Search

To see the results of the search, double click on the word in the results window for further analysis. Forensic Explorer will then display the results in the Index Results pane. To explore the hits further, select a hit from the results pane. Forensic Explorer shows the selection highlighted in yellow in the Search Hits pane below the Index Results pane.

Figure: Search Hits

That’s it! Easy huh? From the Search Hits pane, you can look through more hits or bookmark interesting results.

SEARCH TIPS

The last thing I want to cover is a set of tips to aid you in searching the index you have created. I’ve used each of these – and combinations of these – in my casework with Forensic Explorer, and I hope you can make good use of them too.

In the Search Hits pane, you can scroll through the highlighted hits by clicking on the marker arrows displayed in the upper left of the pane.

Figure: Search Marker Arrows

Forensic Explorer also has three options for searching an index that can be chosen by selecting the option located below the search box. The options are as follows.

Stemming

This option also searches for other grammatical forms of the word you have chosen to search the index for. For instance, a search of “lift” with the stemming option applied would also find “lifting”. Custom stemming rules can be defined by editing the stemming.dat file located at “C:\Program Files (x86)\GetData\Forensic Explorer %vX%”. You may also find more information on stemming on the DTSearch site at http://bit.ly/1lRlfwT.

Phonetic Searching

When selected, this option searches for words that sound similar to the one searched for – for instance, a search of “plane” with the phonetic search option selected will also find “plain”.
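As an added illustration of how a phonetic search can pair “plane” with “plain”, here is a classic Soundex implementation in Python. It is example code written for this article, not Forensic Explorer’s or DTSearch’s code; the page does not say which phonetic algorithm the engine uses, so Soundex is assumed here as a stand-in, and the sample words are constructed.

```python
# Classic (American) Soundex: a letter followed by three digits, so that words
# which sound alike collapse to the same code. Assumed here as a stand-in for
# whatever phonetic algorithm the index engine actually uses.

# Consonant groups; vowels, y, h and w carry no digit.
_SOUNDEX_CODES = {}
for _letters, _digit in (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                         ("l", "4"), ("mn", "5"), ("r", "6")):
    for _ch in _letters:
        _SOUNDEX_CODES[_ch] = _digit


def soundex(word):
    """Return the four-character Soundex code for a word ('' for no letters)."""
    letters = [ch for ch in word.lower() if ch.isalpha()]
    if not letters:
        return ""
    first = letters[0].upper()
    # The first letter is kept as-is but still counts as the previous code,
    # so 'Pfister' does not pick up a second '1' from the 'f'.
    prev = _SOUNDEX_CODES.get(letters[0], "")
    digits = []
    for ch in letters[1:]:
        code = _SOUNDEX_CODES.get(ch, "")
        if code and code != prev:
            digits.append(code)
        # 'h' and 'w' do not separate two consonants of the same group;
        # vowels (and y) do, because they reset the previous code.
        if ch not in "hw":
            prev = code
    return (first + "".join(digits) + "000")[:4]


def sounds_alike(word_a, word_b):
    """True when both words share a Soundex code (the phonetic match)."""
    return soundex(word_a) == soundex(word_b)


if __name__ == "__main__":
    # Constructed sample pairs.
    for a, b in (("plane", "plain"), ("Robert", "Rupert"), ("Ashcraft", "Ashcroft"),
                 ("package", "parcel")):
        print(f"{a:10s} {soundex(a)}  {b:10s} {soundex(b)}  match={sounds_alike(a, b)}")
```

Note that a phonetic match is deliberately loose: “package” and “parcel” do not share a code, but unrelated words with the same consonant skeleton will, so expect to review more hits than an exact search returns.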

Fuzzy Search

This option accounts for typographical and scanning errors.

These options are not mutually exclusive; any combination of them, up to all three, can be applied to a search.

Boolean Searches

Within the text search box, Forensic Explorer allows Boolean expressions – see http://bit.ly/RV2cc0 – when searching indexes. This type of index search connects words or phrases. For instance, a search of “Carlos and package” requires that both words be present for there to be an index hit. For more information on how to use a Boolean search with Forensic Explorer, go to the DTSearch site at http://bit.ly/1mZpWaX .

Wild Cards

Finally, you can use the following wildcards in your index searches:

*   matches any number of characters

?   matches any single character

=   matches any single digit

The wildcards can be used anywhere in the word being searched. For instance, using “*” after “kill” would match “kills”, “killed” or “killing”. For more information on wildcards and how to use them in Forensic Explorer, go to the DTSearch site at http://bit.ly/1mZpWaX/.
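To make the noise-word, Word Count / Doc Count, Boolean AND and wildcard behaviour described above concrete, here is a small Python model of an index over a few constructed “documents”. It is example code written for this article, not Forensic Explorer’s or DTSearch’s code: the noise list, the documents, the tokenizer (lower-cased alphanumeric runs) and the way the three wildcards are translated to regular expressions are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed stand-in for noise.dat: one word or wildcard pattern per line
# ('*' = any run of characters, '?' = exactly one character).
NOISE_DAT = """the
of
and
a
a?
th*
"""

# Constructed sample "documents" standing in for the files an index covers.
DOCUMENTS = {
    "letter.txt": "Carlos said the package was lifted and lifting it took two men",
    "note.txt": "Carlos killed the deal; the package never arrived, "
                "and the package is missing at 42 Elm",
    "memo.txt": "Plan B: kills the budget; a plain plane ticket costs 310 dollars",
}


def wildcard_to_regex(pattern):
    """Translate the three wildcards described above into a regex that must
    match a whole term: '*' any number of characters, '?' one character,
    '=' one digit. Everything else is matched literally, case-insensitively."""
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "=":
            parts.append(r"\d")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def load_noise(noise_dat):
    """Compile every non-empty line of the noise list, wildcards included."""
    return [wildcard_to_regex(line.strip())
            for line in noise_dat.splitlines() if line.strip()]


def tokenize(text):
    """Lower-cased alphanumeric runs; punctuation is dropped (assumed tokenizer)."""
    return re.findall(r"[a-z0-9]+", text.lower())


def build_index(documents, noise_dat=NOISE_DAT):
    """Return {term: Counter(doc -> occurrences)}, skipping noise words."""
    noise = load_noise(noise_dat)
    index = defaultdict(Counter)
    for name, text in documents.items():
        for term in tokenize(text):
            if not any(rx.match(term) for rx in noise):
                index[term][name] += 1
    return index


def lookup(index, pattern):
    """Every indexed term matching the pattern, with its Word Count (total
    occurrences) and Doc Count (number of documents containing it)."""
    rx = wildcard_to_regex(pattern)
    return {term: (sum(per_doc.values()), len(per_doc))
            for term, per_doc in index.items() if rx.match(term)}


def boolean_and(index, *patterns):
    """Documents in which every pattern matches at least one term (AND)."""
    doc_sets = []
    for pattern in patterns:
        rx = wildcard_to_regex(pattern)
        doc_sets.append({doc for term, per_doc in index.items()
                         if rx.match(term) for doc in per_doc})
    return sorted(set.intersection(*doc_sets)) if doc_sets else []


if __name__ == "__main__":
    idx = build_index(DOCUMENTS)
    print("noise words dropped:", "the" not in idx and "at" not in idx)
    print("kill*   ->", lookup(idx, "kill*"))      # kills and killed
    print("package ->", lookup(idx, "package"))    # word count 3, doc count 2
    print("===     ->", lookup(idx, "==="))        # three-digit terms only
    print("carlos AND package ->", boolean_and(idx, "carlos", "package"))
```

Two things worth noticing when you run it: “the” and “at” never reach the index because the noise list removes them (the “th*” and “a?” lines show that wildcards work in noise.dat too), and “package” reports a Word Count of 3 but a Doc Count of 2, because it occurs twice in one document. An edit to NOISE_DAT only changes an index built afterwards, which is the same behaviour the article describes for the copy of noise.dat stored with each index.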

In this article, I showed you how to create an index within a case in Forensic Explorer to quickly search for keywords using three easy steps. Along the way, we looked at advanced index search options like stemming and wildcards.

Forensic Explorer is an amazing new tool; with its full forensic suite and affordable price, I have made it my go-to Windows forensic application. Don’t miss out on this amazing new tool. If you haven’t already tried it out, go and grab an evaluation copy at http://bit.ly/1oH1Xgr.

I hope you found this short how-to useful. If you did, drop me a line at linuxchimp-at-gmail-dot-com and let me know. I’d love to share some more reviews of FEX features and how-to’s for everyone.

I wish everyone the best in their forensic endeavours!

 

Photo Credit: _Untitled-1 via photopin cc


3 comments

  1. Josh

    Thanks for the post.

    Does Forensic Explorer include any features not currently offered by EnCase? Obviously the price point is substantially less, but I’d like to know if there’s any reason to use this if we are already using EnCase. Also, do you know if there are decryption suites available (e.g. Sophos, BitLocker, etc.)? I did not see any information about this on the product website.

    Thanks,
    Josh

    • numenorian

      Josh-
      There are no decryption suites currently available for the product but you can contact the developer if this is an urgent need to have put into the tool. They are very responsive to examiner requests.

      Alternatively since FEX is so configurable you can add button links to third party suites inside the program. It just takes a little script hacking.

      Some other reasons you may wish to have Forensic Explorer in the tool chest

      Firstly, it has a very user friendly and configurable interface. If you are distributing your case load to investigators who may struggle with using EnCase, then FEX is a good alternative. It does not take long for an average computer user to find their way around.

      You can even configure FEX to work with mobile phone images by working the scripting interface. Carve binary phone dumps with GetData’s great recovery engine (they created Phone Image Carver).

      FEX works nicely with shadow copy. You can mount and browse shadow copy files easily.

      Forensic Explorer – as previously alluded to – has a full scripting back-end. The scripts are written in Pascal so any programmer can be tasked with creating scripts. It comes with some very useful scripts, such as skintone analysis and metadata extraction. I may consider doing a series on scripting.

      Conversion of forensic images like an AD1 image into L01 format.

      FEX comes with Mount Image Pro on the same dongle (GetData is the author of both). If you don’t know about MIP, check it out (http://www.mountimage.com); it’s been around for a decade or so and is great for mounting all kinds of images, including EnCase and VMware.

      Lastly, and I think this is a big one – you have the opportunity to speak with GetData directly and shape the way the tool can work for you. They are keen to make this the best tool out there for forensics.

      I hope this helps a bit!
