Looking to add keywords on-scene? ADF has you covered. In this how-to video, investigators and analysts will learn how to add keywords directly from the Collection Key. ADF gives digital evidence investigators the ability to create a Collection Key with or without Search Profiles and to add keywords just before the start of a scan.
In this video, you'll look at a prepared digital forensic Collection Key and walk through the process of adding keywords.
First, users will want to select their drive or partition to scan. The next step is to select your preferred Search Profile and give it a scan name; you have the option here to change your label.
In the center above the Search Profiles is a button to add keywords. This allows users to add a keyword capture for their particular scan without having to reconfigure the Search Profile. ADF empowers users to adapt and overcome when tasks change on scene or new information comes to light!
When investigators select the keywords, they are presented with the creation of a new keyword capture. There are two steps to carry out at this point. First, change the name of the Capture Group and Capture Name. Second, enter the keywords, select auto-tag, and comment.
For the quickest option, search file names and folder names. This is because when the scan begins, the first thing completed is a listing of all file and folder names, and keywords are run against this list. These scans are fast, seamless, and give us the readily usable low-hanging fruit.
The second task is the parsing of artifacts. Keywords will also be run against these artifacts, such as WebBrowsing, USB History, Applications, Downloads, E-mail, Messaging, P2P, and so on. Guess what? This process is also fast and seamless.
If you have time to spare, the alternative method is to add file content and metadata, which presents a few more options related to File Content and Metadata.
The questions investigators must ask themselves are:
- Do I want to search just documents (faster) or documents, internet files, and text files (slower)?
- Do I want to search only the user profiles (faster) or the entire drive and deleted files (slower)?
- How do I want to identify files: by File Extension only (faster) or Thorough ID (slower)?
Remember to try to keep this in line with the profile chosen. Once all the choices are made, select SAVE and the keyword capture will run along with your search profile.
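The speed trade-offs in the questions above can be seen in a small generic sketch. This is an added example, not ADF code or a description of how ADF works internally. It assumes that "Thorough ID" means identifying files by their leading signature bytes rather than by extension; all function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: "Thorough ID" is modelled as a check of leading magic bytes.
SIGNATURES = (b"%PDF-", b"PK\x03\x04")  # PDF, ZIP-based office formats
DOC_EXTENSIONS = {".pdf", ".docx", ".txt"}

def _pattern(keywords):
    return re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)

def name_hits(root, keywords):
    """Fast pass: keywords against file and folder names only, no file reads."""
    pat = _pattern(keywords)
    return sorted(p.relative_to(root).as_posix()
                  for p in Path(root).rglob("*") if pat.search(p.name))

def is_document(path, thorough):
    """Trust the extension, or (thorough) also read the header bytes."""
    by_ext = path.suffix.lower() in DOC_EXTENSIONS
    if by_ext or not thorough:
        return by_ext
    with path.open("rb") as fh:
        return fh.read(8).startswith(SIGNATURES)

def content_hits(root, keywords, thorough=False):
    """Slow pass: keywords against raw bytes of files identified as documents."""
    pat = _pattern(keywords)
    return sorted(p.relative_to(root).as_posix()
                  for p in Path(root).rglob("*")
                  if p.is_file() and is_document(p, thorough)
                  and pat.search(p.read_bytes().decode("latin-1")))

def build_sample(root):
    """Constructed sample tree; holiday.jpg is a PDF with a changed extension."""
    sample = {"Documents/invoice_falcon.txt": b"nothing relevant here",
              "Documents/notes.pdf": b"%PDF-1.4 meeting about project falcon",
              "Pictures/holiday.jpg": b"%PDF-1.4 second copy mentioning Falcon",
              "falcon_backup/readme.md": b"empty"}
    for rel, data in sample.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print("names:    ", name_hits(root, ["falcon"]))
        print("extension:", content_hits(root, ["falcon"]))
        print("thorough: ", content_hits(root, ["falcon"], thorough=True))
```

The name pass never opens a file, which is why it finishes first. The extension-only content pass skips holiday.jpg, and only the signature check picks it up, at the cost of reading a header from every file.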