Reset the results of Keyword hits, is it possible ?

Postby inazo » Mon Jun 27, 2016 4:06 pm

Hello all,

I have a question: is it possible to reset the "Keyword Hits" for a specific case? I need to modify my keyword list, but when I make another search it accumulates the results...

Best regards,
inazo
 

Re: Reset the results of Keyword hits, is it possible ?

Postby Hoyt » Tue Jul 05, 2016 9:55 pm

I'm doing some testing on that myself. It has to do with the SQLite db. Most ingest modules, when run more than once, will accumulate results without de-duplication. It's not hard to de-duplicate SQL per se, but doing that to the Autopsy db is turning out to be trickier than I expected.

While there are several perfectly valid reasons for an examiner to want to re-run a given ingest module, I think it's the developer's intent that they should only be run once (at "ingest") and no more unless a new data source is added. Further keyword searches are provided via the main UI. The problem, as I see it, is that it's not practical in all cases, or even desirable in some cases, to run all ingest modules at the time of actual case ingest. For example, it might not be desired at case ingest for an examiner to run the Embedded File Extraction Module. If he/she runs the Keyword Search Module at case ingest, however, then later decides to run the Embedded Files Extraction Module, those extracted files won't have been searched against the examiner-supplied keyword list(s) contained in the Keyword Search Module. The examiner has a choice, then, of re-running the keywords module and skewing the results counts or manually checking each word one by one. That's not fun either way. I tend to have a significant number of keywords in my lists. Worse still, the Keywords Search Module also runs indexing, which means that the keyword module will have to be run again anyway in order to index words from the expanded files. The index itself (SOLR, not SQLite) doesn't appear to accumulate duplicate results like the SQLite db does and the module can be run without selecting any lists. In that case, the new files are indexed and no keyword totals will be changed.

I'm still trying things out with this. If I come up with a solution for painless de-duplication that doesn't corrupt anything, I'll post it here and file it either as a bug report or feature request (depending on the solution... if any).

Hoyt
Hoyt Harness, CFCE
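
As an added illustration of the accumulation described in the post above (not part of the original thread and not Autopsy's own code), this read-only report compares raw keyword-hit counts with distinct-file counts without modifying anything. The table layout and the type names `TSK_KEYWORD_HIT`, `TSK_KEYWORD` and `TSK_SET_NAME` are assumptions about the case database that should be checked against your own copy; the sample rows and ids are constructed.

```python
import sqlite3

# Assumed, simplified layout: one row per artifact, attributes in a side table,
# type names resolved through lookup tables. Verify against your own case db.
SCHEMA = """
CREATE TABLE blackboard_artifact_types (artifact_type_id INTEGER, type_name TEXT);
CREATE TABLE blackboard_attribute_types (attribute_type_id INTEGER, type_name TEXT);
CREATE TABLE blackboard_artifacts (artifact_id INTEGER, obj_id INTEGER, artifact_type_id INTEGER);
CREATE TABLE blackboard_attributes (artifact_id INTEGER, attribute_type_id INTEGER, value_text TEXT);
"""

# SELECT only: pivots each hit's attributes, then counts per (list, keyword).
REPORT = """
WITH hits AS (
  SELECT a.obj_id,
         MAX(CASE WHEN t.type_name = 'TSK_KEYWORD'  THEN v.value_text END) AS keyword,
         MAX(CASE WHEN t.type_name = 'TSK_SET_NAME' THEN v.value_text END) AS set_name
  FROM blackboard_artifacts a
  JOIN blackboard_artifact_types art ON art.artifact_type_id = a.artifact_type_id
  JOIN blackboard_attributes v ON v.artifact_id = a.artifact_id
  JOIN blackboard_attribute_types t ON t.attribute_type_id = v.attribute_type_id
  WHERE art.type_name = 'TSK_KEYWORD_HIT'
  GROUP BY a.artifact_id, a.obj_id
)
SELECT set_name, keyword, COUNT(*) AS raw_hits, COUNT(DISTINCT obj_id) AS distinct_files
FROM hits GROUP BY set_name, keyword ORDER BY set_name, keyword
"""

def keyword_hit_report(conn):
    """Return (list, keyword, raw_hits, distinct_files); raw > distinct means duplicates."""
    return conn.execute(REPORT).fetchall()

def build_sample():
    """Constructed data: the same list run twice, so file 101 hits 'invoice' twice."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO blackboard_artifact_types VALUES (?, ?)",
                     [(9, "TSK_KEYWORD_HIT"), (4, "TSK_WEB_HISTORY")])
    conn.executemany("INSERT INTO blackboard_attribute_types VALUES (?, ?)",
                     [(10, "TSK_KEYWORD"), (37, "TSK_SET_NAME")])
    for aid, obj, kw in [(1, 101, "invoice"), (2, 102, "invoice"),
                         (3, 101, "invoice"), (4, 101, "wire")]:
        conn.execute("INSERT INTO blackboard_artifacts VALUES (?, ?, 9)", (aid, obj))
        conn.executemany("INSERT INTO blackboard_attributes VALUES (?, ?, ?)",
                         [(aid, 10, kw), (aid, 37, "fraud-list")])
    return conn

if __name__ == "__main__":
    for row in keyword_hit_report(build_sample()):
        print(row)
```

Against a real case, run it on a working copy of the database opened read-only, for example with `sqlite3.connect("file:<path>?mode=ro", uri=True)`.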

Re: Reset the results of Keyword hits, is it possible ?

Postby Hoyt » Tue Jul 05, 2016 9:59 pm

I should also mention that the Basis team are looking at the possibility of separating indexing from the keywords option. That will clear up some possible confusion with regard to that.
Hoyt Harness, CFCE

