keyword search


Postby atreis » Thu Jan 21, 2016 1:53 pm

Can you give me examples of doing a search, with Autopsy 4.0, with logical operators?
What option should I use: Exact Match, Substring Match or Regular Expressions?
Example: I want to find the documents that contain the words: bank and compliance
Posts: 1
Joined: Thu Jan 21, 2016 1:45 pm

Re: keyword search

Postby DannySteve2 » Fri Mar 10, 2017 9:16 am

Do you still need help with Autopsy 4.0? If you do, please send me a private message so I can help you. Can you tell me more about what your goal is?
Take care
Posts: 2
Joined: Thu Mar 09, 2017 8:29 am

Re: keyword search

Postby Hoyt » Sat Mar 11, 2017 3:14 pm

Using the Keyword Search Bar at the top right of the UI is for single keywords or regex for a single pattern. Logical and binary operators don't apply. I haven't tested that to be absolutely sure, but I don't think those operators are expanded and are instead applied as a literal character. You'll want to have run the Keyword Search module already since this triggers indexing in Solr and keyword searching depends on that index. Once you've completed indexing, however, the Keyword Search Bar is very fast, which makes running two separate keywords/expressions manually one after the other a trivial matter.

On the other hand, if you don't want to do that, you can create a keyword list in configuration settings (Tools > Options > Keyword Search) and build your list there even if that list only contains "bank" and "compliance". That always uses logical OR as the method and not anything you would have to explicitly set. When you run the module, any hits will be displayed in the Tree Viewer pane and the data source you ran against will have been indexed, so you'll be able to take advantage of the Keyword Search Bar thereafter. Notice when you look at your results in Tree Viewer that there are two locations that identify whether your hits were identified using a keyword list or using the Keyword Search Bar.

One note of caution regarding lists: If you run the Keyword Search Module more than once, Solr doesn't duplicate previous entries itself, but your results in Tree Viewer will. If you have a keyword list you've already used and you trigger the module to search again without unchecking that list, it will find those same instances as the first time and add them to your total. Therefore, it's important to uncheck lists that you've already used or your totals will double. Autopsy helps you here by providing a marker when the "Run ingest modules" dialog comes up to identify modules you've already run. Simply uncheck any previously used lists and check any new lists you're interested in.

One more thing, these keyword threads seem to attract people/bots who aren't trying to help you with Autopsy keyword search, so be careful what you reply to and whose advice you take here. If their posts don't explicitly address Autopsy modules, Solr, etc., beware. MODS?!?!?!?!?!?!?!?

Hoyt Harness, CFCE
Posts: 74
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR
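
The "bank AND compliance" result asked for in the first post can be derived outside the tool by grouping keyword hits per file and intersecting them, which also collapses the doubled hits described above. This is an added example, not part of Hoyt's post or Autopsy's own code; the (keyword, file path) row layout and the sample rows are constructed assumptions, not an Autopsy export format.

```python
from collections import defaultdict

# Constructed sample rows (keyword, file path); not an Autopsy export format.
# Two rows are repeated, as happens when an already-used keyword list is
# left checked and the module is run a second time.
SAMPLE_HITS = [
    ("bank", "/docs/policy.docx"),
    ("compliance", "/docs/policy.docx"),
    ("bank", "/docs/policy.docx"),        # repeat from a second run
    ("bank", "/mail/statement.eml"),
    ("compliance", "/docs/audit.pdf"),
    ("compliance", "/docs/audit.pdf"),    # repeat from a second run
]


def dedupe_hits(hits):
    """Collapse repeated (keyword, file) rows, keeping first-seen order."""
    seen = set()
    unique = []
    for keyword, path in hits:
        # Assumption: keywords are compared case-insensitively.
        key = (keyword.lower(), path)
        if key not in seen:
            seen.add(key)
            unique.append(key)
    return unique


def files_matching_any(hits, required):
    """Files hit by at least one keyword (the OR a keyword list gives)."""
    required = {k.lower() for k in required}
    return sorted({p for k, p in dedupe_hits(hits) if k in required})


def files_matching_all(hits, required):
    """Files hit by every keyword in `required` (logical AND)."""
    required = {k.lower() for k in required}
    per_file = defaultdict(set)
    for keyword, path in dedupe_hits(hits):
        per_file[path].add(keyword)
    return sorted(p for p, kws in per_file.items() if required <= kws)


if __name__ == "__main__":
    words = ["bank", "compliance"]
    print("unique hits:", len(dedupe_hits(SAMPLE_HITS)), "of", len(SAMPLE_HITS))
    print("OR :", files_matching_any(SAMPLE_HITS, words))
    print("AND:", files_matching_all(SAMPLE_HITS, words))
```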
