The following file type search parameters are available:
• Archives
• Databases
• Documents
• Emails
• Multimedia
• Pictures
• Custom
Each type other than Custom has a predefined list of extensions known to be associated
with that type of file. The lists can be seen by tapping the blue help button (circle with
question mark) to the right of the file type parameter field. All extensions associated with
each file type are found in “File extensions” on page 137.
The Custom field allows manual entry of any extension values to match against.
Custom extension values are entered outside of the pull-down selection box.
The forensic log associated with the logical image job records exactly which extensions
were used for each search, along with the selections that produced that list.
Note: Searching by file type does not use file signature analysis to determine what type a
file is. Only the file name extension is used to determine a match. If file signature analysis
is required for a given job, a physical image should be made (possibly in addition to a
logical image) to ensure all source data is available for use with external forensic data
analysis tools, such as EnCase Forensic.
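The note above means an extension-only search can miss renamed files and can match files that are not what their name claims. As an added illustration (not code from this manual or the product), the following Python example compares an extension match with a magic-byte check over constructed sample files; the extension list, file names and case-insensitive matching are assumptions.

```python
import os
import tempfile

# Assumed sample list, NOT the product's predefined "Pictures" list.
PICTURE_EXTS = {".jpg", ".jpeg", ".png"}
# Well-known leading magic bytes for a few common formats.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf"}
PICTURE_TYPES = {"jpeg", "png"}

def matches_extension(name):
    """Extension-only match (case-insensitive here by assumption)."""
    return os.path.splitext(name)[1].lower() in PICTURE_EXTS

def sniff_type(path):
    """Return the format implied by the leading bytes, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind

def compare(root):
    """Bucket each file under root by how the two tests disagree."""
    report = {"agree": [], "missed_by_extension": [], "extension_only": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            by_ext = matches_extension(name)
            by_sig = sniff_type(os.path.join(dirpath, name)) in PICTURE_TYPES
            if by_ext and by_sig:
                report["agree"].append(name)
            elif by_sig:
                report["missed_by_extension"].append(name)
            elif by_ext:
                report["extension_only"].append(name)
    return report

def build_sample(root):
    """Write constructed sample files: one JPEG header under two names."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
    samples = {"holiday.jpg": jpeg, "backup.dat": jpeg,
               "notes.jpg": b"plain text\n", "report.pdf": b"%PDF-1.7\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(compare(tmp))
```

Files in the `missed_by_extension` bucket are the ones a logical image filtered by file type would leave behind, which is the case the note addresses by recommending a physical image.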
4.5.2.2 Path
The Path search parameter restricts the search to apply only to files with a specific, user-
defined string in either the filename or directory path. A field for entering the desired
search string appears after selecting one of the options. The Path search parameter
options are as follows:
• Filename Contains – restricts the search to only apply to files that contain the given
string somewhere in the filename.
• Path Contains – restricts the search to only apply to files that contain the search
string somewhere in the full path (directory or filename).
Wildcards can be used to match only a portion of a file or folder name in a path-based
search. The available wildcards and examples for each are shown in the table below.
Note that this wildcard search is based on the Linux glob search rules, which can be
referenced online for additional information.
Note: While wildcard searching can be a powerful tool to quickly search for files of
interest, it is critical that these wildcard rules are fully understood before making use of
them in an actual case job. Misunderstanding exactly how a given wildcard rule will
function could result in inaccurate search results and missed evidence.
Copyright © 2022 Open Text. All rights reserved. Trademarks owned by Open Text.