Announcement

Collapse
No announcement yet.

Consolidated list of search results?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Consolidated list of search results?

    Let's say I have done a search of a bunch of emails (.EML files) using a file containing a list of search terms. The history windows shows for each term how many emails contained it. I can click on a search time in this history list and go to a display of all the emails containing the search term. Different search terms may very well refer to the same emails.

    However, this is not quite what I want. I want a consolidated list of all emails which contain any of the search terms in the list. Is there a way to get this?

  • #2
    How many search words do you have in your list?

    One solution which should work for a small number of words is to enter in all the words in single search, then click on the Advanced button and select "Any search word".

    e.g.
    Dog Cat Bird

    Doing this will result in a single search being done. The result set will be all the E-Mails that contain either Dog, Cat or Bird, without any duplicates.

    Comment


    • #3
      There's the rub. My list of search terms is quite long; maybe 70 items, many of which are phrases (in quotes).

      Comment


      • #4
        Assuming you have the latest V1.2 release of OSF, here is another idea.

        Do all your 70 separate searches.

        From the history tab select all the rows corresponding to your searches, then right click and select the option, "Display search results and add to case".

        Let this finish.

        Open Windows Explorer then navigate to your case folder. This will be were you put it, but by default it is in this folder,

        C:\Users\<USERNAME>\Documents\PassMark\OSForensics \Cases\<CASENAME>\Emails

        In this folder you'll find a list of E-Mails that were added to the case, all extracted from the archives and converted to HTML. Typically there are 4 files per E-mails.

        So for each E-Mail there will be files like this,
        Archive-201200000000AAB91DC737588D40B9EA79BB6E9B772BC4E428 00_menu.html
        Archive-201200000000AAB91DC737588D40B9EA79BB6E9B772BC4E428 00_index.html.OSFMeta
        Archive-201200000000AAB91DC737588D40B9EA79BB6E9B772BC4E428 00_index.html
        Archive-201200000000AAB91DC737588D40B9EA79BB6E9B772BC4E428 00_header.txt

        The exact file names will vary depending on the source (.PST, .EML, etc..) and the number of formats in the E-mail (txt only, RTF, HTML, etc..)

        Tip #1: You can view the E-Mail in a browser by double clicking on the '_index.html' file.
        Tip #2: More detail about the E-mail, like hashes and source path is available in the .OSFMeta file.

        Now in the case of duplicate E-Mails being added to the case, they will appear like this,
        Archive-201200000000AAB91DC737588D40B9EA79BB6E9B772BC4E428 00_index.html
        Archive-201200000000AAB91DC737588D40B9EA79BB6E9B772BC4E428 00_index(1).html
        Archive-201200000000AAB91DC737588D40B9EA79BB6E9B772BC4E428 00_index(2).html

        Shouldn't be too much work to remove the duplicates at this point.
        e.g. in DOS you can do a,
        del *(1).*
        del *(2).*
        del *(3).*

        So while it isn't very elegant, you should be able to get a result.

        In V2.0 we are going to add a overwrite option when adding EMails to the case. This will optionally prevent duplicates.

        Comment


        • #5
          Very nice solution. And it's not all that inelegant.

          I thought of another method. Go to the directory Cases\Index\<Index Name>\History. There you find files containing the search results for each of the many terms. One could easily write a little perl program to extract the unique email filenames from all these files.

          Do you think this would work?

          Comment


          • #6
            Yes, the best solution really depends on what you need as output.

            Do you want an actual copy of the E-Mail, it's header, etc..

            Or do you just need a count of EMails that match search words.

            Or do you want just a list of E-Mails. A list of E-Mails isn't as useful as a list of files, as there is no universal standard for naming a particular E-Mail. That is to say, you can tell someone that E-mail, "201200000000AAB91DC737588D40B9EA79BB6E9B772BC4E428 " is suspicious, but finding this E-Mail again on a hard drive isn't trivial.

            Comment


            • #7
              Thanks for your advice. In the interim I tried out the perl program solution and it worked like a charm!

              Comment

              Working...
              X