Re: [sleuthkit-users] Refining keyword searches
From: Brian C. <bca...@at...> - 2003-03-13 04:32:17
On Wed, Mar 12, 2003 at 10:27:03PM -0500, Eagle Investigative Services wrote:
> Hello group,
>
> Does anyone know how I could do the following from within
> Autopsy?
>
> I want to search for a certain name, say Foo, and then
> search only the results for another term - bar? How can this be done?

The short answer is probably no. You can try the regular expression of:

"foo.*bar"

The long answer is that it may not work as well as you would like because Autopsy does not search by file. It searches by logical units. It just does a grep on the image file and when the keyword is found, it goes up the tree to find out which inode/MFT allocated the unit and which file name points to the inode/MFT. Therefore it has no notion of ensuring that a file has both keywords in it.

> Can it be done from the command line in TASK? If so
> can someone please walk me through it?

Your best bet would be to mount the image in loopback and run a grep script. I have no clue exactly what it would be though. It would look something like this for one keyword:

# grep -H -d recurse "foo" *

Good luck.

brian
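One way to write the "grep script" the reply gestures at, as an added example that is not part of the original post and not code from The Sleuth Kit or Autopsy: a two-pass grep over a mounted tree that reports only files containing both keywords, next to the single-regex approach so the difference is visible. It assumes the image has already been mounted read-only in loopback (the mount command in the comments is the assumed setup and is not executed); the mount point, the keywords, and the sample directory tree are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from The Sleuth Kit/Autopsy.
# Finds files under a mounted evidence tree that contain BOTH keywords, which is
# what a single line-based regex such as "foo.*bar" cannot guarantee.
#
# Assumed setup (not performed here): the image was mounted read-only in
# loopback beforehand, e.g.
#   mount -o ro,loop,noexec,nodev /cases/image.dd /mnt/evidence
# The mount point and the keywords are passed as arguments; nothing is hard-coded.

# find_both TREE FIRST SECOND
# Prints, sorted, every file under TREE whose content contains both FIRST and
# SECOND (literal strings, case-insensitive, anywhere in the file).
find_both() {
    tree=$1; first=$2; second=$3
    # Pass 1: -r recurse, -l list names only, -i case-insensitive, -F literal,
    # -a read binaries as text so hits inside NUL-padded blobs are not skipped.
    grep -rliFa -- "$first" "$tree" 2>/dev/null |
    while IFS= read -r path; do
        # Pass 2: keep only the pass-1 files that also contain SECOND.
        # (A newline inside a file name would break this read loop; a tree with
        # such names needs grep -Z / xargs -0 instead.)
        grep -qiFa -- "$second" "$path" 2>/dev/null && printf '%s\n' "$path"
    done | sort
}

# find_regex_same_line TREE REGEX
# The approach suggested in the reply: one extended regex such as 'foo.*bar'.
# grep matches line by line, so this only reports files where both terms sit
# on the same line.
find_regex_same_line() {
    grep -rliE -- "$2" "$1" 2>/dev/null | sort
}

# make_sample_tree
# Builds a constructed, throw-away directory tree standing in for the mounted
# image (sample contents invented for this example) and prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/docs" "$dir/mail"
    # both terms, on different lines
    printf 'Contract with Foo Industries\nsigned by bar\n' > "$dir/docs/contract.txt"
    # first term only
    printf 'foo only here\n' > "$dir/docs/notes.txt"
    # second term only
    printf 'bar only here\n' > "$dir/mail/msg1.eml"
    # both terms on the same line
    printf 'FOO ... later in the same line ... BAR\n' > "$dir/mail/msg2.eml"
    # both terms, separated by NUL bytes (a "binary" file to grep)
    printf 'foo\n\0\0\nbar\n' > "$dir/docs/blob.bin"
    printf '%s\n' "$dir"
}

# Usage on a real mount, after the mount command in the header:
#   find_both /mnt/evidence Foo bar
# Usage on the constructed tree:
#   T=$(make_sample_tree); find_both "$T" foo bar; rm -rf "$T"
```

On the constructed tree, find_both reports contract.txt, msg2.eml and blob.bin, while find_regex_same_line with 'foo.*bar' reports only msg2.eml, because the other two files have the terms on separate lines. Two caveats a practitioner would want: mount with ro (and noexec, nodev) so nothing in the evidence is written to or executed from; and a grep over a mounted filesystem only sees the content of allocated files, so unallocated space and slack, which the unit-level search in Autopsy does cover, are outside its reach.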