Is it possible to perform complex searches of indices using search operators ("AND", "OR", "NOT", etc.) or regular expressions? If so, do you have some instructions on how to do it? If not, this would be an extremely valuable feature to incorporate into the product.
OSForensics Advanced Search syntax
AND / OR
You can select AND or OR from the advanced window (Click on the "Advanced" button).
You can use the wildcard characters '*' and '?' in your search terms to search for multiple words and return a larger set of results. An asterisk character ('*') in a search term represents any number of characters, while a question mark ('?') represents any single character.
This allows you to perform advanced searches such as "zoom*", which would return all pages containing words beginning with "zoom". Similarly, "z??m" would return all pages containing four-letter words beginning with 'z' and ending with 'm'. Also, "*car*" would be a search for any words containing the word "car".
An exact phrase search returns results where the phrase of words is found, in the same order that they are specified. For example, an exact phrase search for the words "green tea" would only return results where the phrase 'green tea' appears. It would not return pages where the words 'green' and 'tea' are found separately, or in a different order such as 'tea green'.
To specify an exact phrase search term, you need to enclose the words that form the phrase in double quotation marks. You can also combine the use of exact phrase searches with normal search terms and wildcard search terms within a single search query (e.g. "green tea" japan*). Note, however, that wildcards within exact phrases (e.g. "green te*") are not supported.
You can precede a search term with a hyphen character to exclude that search term from being included in your search results. For example, a search for "cat -dog" would return all pages containing the word "cat" but not the word "dog".
So... I have found some oddities.
In Search Index
In the advanced button you can put in email addresses in the From, To, CC fields.
But these fields seem to be ANDed together, so you would have to run 3 separate searches, one per field, with your keywords.
So I want to be able to put the same email into all three and have it be "AND/OR", so one search gets them all.
I have 213 emails that have a certain email address and also have the word lunch in the content; right now I have to run 3 searches (From, To, CC) with the keyword lunch and that email in each field to find them all. I get From: 113 emails, To: 50 emails, CC: 44 emails...
Each field named above is also an "AND", so if I have two emails in the From field, both have to be in the From to be a match; this should be "AND/OR".
My opinion is: get rid of this email stuff and let us just put email addresses in the search field or word list file, and it will pick up on them and search the body and the header (From, To, CC), etc.
Or give us a builder that allows us to add items and set each one to "AND" or "OR" or "Exact Phrase", or whatever...
Thanks for the feedback.
We're planning to change the e-mail indexing in the next version so that the header itself (containing the e-mail addresses, along with IP addresses and such) gets indexed as main content that will be searchable via the main "Enter Search Words" text field. In doing so, you will also be able to use AND or OR by switching the option to "match any search words" or "match all search words".
Exact phrases are possible in the main search field by enclosing in double quotes.
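Because the search syntax in this thread (the '*' and '?' wildcards, double-quoted exact phrases and the '-' exclusion prefix from the syntax post above, plus the "match all search words" / "match any search words" switch mentioned in the reply just above) is only described in prose, here is a small Python model of it. It is an added illustration, not OSForensics code, and it does not model the product's index; the document ids and texts are constructed. One assumption is made explicit in the code: wildcard characters inside a quoted phrase are treated as literal characters that no indexed word contains, so such a phrase simply matches nothing.

```python
"""Toy matcher for the advanced-search syntax described in this thread:
'*' and '?' wildcards, "double-quoted" exact phrases, '-' exclusion, and the
"match all" / "match any" switch.  Illustration only: this is not OSForensics
code and does not model its index.  The sample documents are constructed."""
import re
from dataclasses import dataclass

# A query token is an optional leading '-', then a "quoted phrase" or a bare word.
TOKEN_RE = re.compile(r'(-?)(?:"([^"]*)"|(\S+))')
# Indexed "words": runs of letters/digits/underscore, lower-cased.
WORD_RE = re.compile(r"\w+")

# Constructed sample index: document id -> text.
DOCS = {
    "d1": "Zoom meeting: the Zoom link is in the calendar invite.",
    "d2": "Green tea from Japan is popular; Japanese tea rooms are common.",
    "d3": "The tea green label is misleading, says the carpenter driving a racecar.",
    "d4": "Cat and dog pictures from the weekend.",
    "d5": "Cat pictures only; the zeem player was loud.",
}


@dataclass(frozen=True)
class Term:
    text: str       # lower-cased word pattern or phrase
    phrase: bool    # True when the term was double-quoted
    negated: bool   # True when the term carried a leading '-'


def parse_query(query: str) -> list[Term]:
    """Split a query string into terms; quotes and '-' are the only syntax."""
    terms = []
    for neg, phrase, word in TOKEN_RE.findall(query):
        text = phrase or word
        if text:
            terms.append(Term(text.lower(), phrase=bool(phrase), negated=bool(neg)))
    return terms


def wildcard_regex(pattern: str) -> re.Pattern:
    """'*' = any run of characters, '?' = exactly one; everything else literal."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts))


def term_matches(term: Term, words: list[str]) -> bool:
    if term.phrase:
        # Exact phrase: the same words, consecutive, in the given order.
        # Assumption: '*' and '?' inside quotes stay literal; no indexed word
        # contains them, so a phrase like "green te*" matches nothing (the
        # thread says wildcards inside phrases are unsupported).
        pw = re.findall(r"[\w*?]+", term.text)
        if not pw:
            return False
        n = len(pw)
        return any(words[i:i + n] == pw for i in range(len(words) - n + 1))
    rx = wildcard_regex(term.text)
    return any(rx.fullmatch(w) for w in words)


def search(query: str, docs: dict[str, str] = DOCS, match_all: bool = True) -> set[str]:
    """Return the ids of documents matching the query.

    Positive terms are combined with AND (match_all=True, "match all search
    words") or OR (match_all=False, "match any search words"); a '-' term
    excludes a document whenever it matches, regardless of that switch."""
    terms = parse_query(query)
    positive = [t for t in terms if not t.negated]
    excluded = [t for t in terms if t.negated]
    combine = all if match_all else any
    hits = set()
    for doc_id, text in docs.items():
        words = WORD_RE.findall(text.lower())
        wanted = combine(term_matches(t, words) for t in positive) if positive else True
        if wanted and not any(term_matches(t, words) for t in excluded):
            hits.add(doc_id)
    return hits


if __name__ == "__main__":
    for q, mode in [("zoom*", True), ("z??m", True), ("*car*", True),
                    ('"green tea"', True), ('"green tea" japan*', True),
                    ('"green te*"', True), ("cat -dog", True),
                    ("cat zoom", True), ("cat zoom", False)]:
        print(f"{q!r:24} match_all={mode!s:5} -> {sorted(search(q, match_all=mode))}")
```

Running the block prints one line per query from the syntax post: "zoom*" hits only d1, "z??m" hits d1 and d5 (zoom, zeem), "*car*" hits d3 (carpenter, racecar), the phrase "green tea" hits d2 but not d3 ("tea green"), "cat -dog" drops d4, and "cat zoom" matches three documents under "match any" but none under "match all".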
What's your ETA on a new release?
Maybe you could have a regular mode and an expert mode, where you could use regular expressions in expert mode?
That would be the way to go!
I am a software developer of 16+ years myself.
Thanks for your hard work!
We should be able to include it in the V2.1 release, which is currently in beta.
V2.1 should be out before the end of the month (July 2013).