Announcement

Collapse
No announcement yet.

Searching Mail for Attachments Using Search Bar

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Searching Mail for Attachments Using Search Bar

    When I'm in the email viewer I have noticed that when I search for any attachment name in the search bar at the top of the messages I do not get any hits. Is there a better way to do this?

  • #2
    Yes, you seem to be correct. At least for PST files, you can't search for the file name of the attachment in the Email viewer itself.
    We'll have a look at improving this for the next patch release.

    What you can do however is create an index of the EMails and search the index. Doing this will pick up both the attachment file name AND the text content of the attachment.
    The other advantage of doing this is that a full text search will be around 100x faster with the index (ignoring the initial one off index build time)

    Click image for larger version

Name:	Create-index.png
Views:	0
Size:	46.5 KB
ID:	53566

    Comment


    • #3
      Thank you, David. I appreciate it. It would be helpful, at least for those quick-win type situations, to have the ability to find attachments by name though. I worked on a case this week where finding those attachments quickly would have been helpful. It would be a nice addition I believe.

      Mark

      Comment


      • #4
        As a follow-up I indexed all email with attachments. I did not find the PDF file of interest in my case, even though I know it's there. I then did some testing.

        1. I was able to find Zip file attachments by name
        2. I was able to find JPG image attachments by name
        3. I checked the spelling of the PDF I was looking for and did searches for lesser included words - no hits
        4. I did searches for other PDF attachments with no hits, but I did manually find emails with PDF files attached.
        5. I did not exclude any files using that particular OSF setting.

        My process for indexing was this:

        1. Create Index
        2. Use previously saved configuration > "Email and Attachments.zcfg > File Types: .pst;ost;msg;eml;emlx;mbox;mbx;dbx;msf
        3. Pointed to the source (my forensic image, which was the default)
        4. Did not use the Advanced settings (optional) radio buttons
        5. Left the defaults here, i.e. Medium, 4 threads and Use RAM drive for temporary files to speed up indexing
        6. Started indexing

        System Info:
        Windows 10 Enterprise, x64
        32 GBs RAM
        OSF v9.1

        I wish I could forward you the image for analysis, but you know how company policies are. Please advise if I can do additional testing for you, or if I have mis-configured something.

        Mark

        Comment


        • #5
          When making the index you might also need to check the "Office and PDF documents" box.
          (the interface is slightly ambiguous about this point: i.e. The indexing of PDF attachments indexed if you have checked "attachments" and unchecked PDFs).

          Then don't index the whole hard drive (unless you want to), but instead just start the indexing process in the folder that contains the EMails.

          Comment

          Working...
          X