
How To Add Keywords On Scene

Posted by Richard T. Frawley on January 31, 2020

Looking to add keywords on-scene? ADF has you covered. In this how-to video, investigators and analysts will learn how to add keywords directly from the Collection Key. ADF gives digital evidence investigators the ability to create a Collection Key with or without Search Profiles and add keywords just before the start of a scan.

In this video, you'll look at a prepared digital forensic Collection Key and walk through the process of adding keywords. 

First, select the drive or partition to scan. Next, select your preferred Search Profile and give the scan a name; you have the option here to change your label.

In the center, above the Search Profiles, is a button to add keywords. This allows users to add a keyword capture for their particular scan without having to reconfigure the Search Profile. ADF empowers users to adapt and overcome when tasks change on scene or new information comes to light!

When investigators select the keywords button, they are presented with a form for creating a new keyword capture. There are two steps to carry out at this point. First, change the name of the Capture Group and Capture Name. Second, enter the keywords, select auto-tag, and comment.

For the quickest option, search file names and folder names. This is because when the scan begins, the first thing completed is a listing of all file and folder names, and keywords are run against this list. These scans are fast, seamless, and give us the readily usable low-hanging fruit.

The second task is the parsing of artifacts. Keywords will also be run against these artifacts, such as WebBrowsing, USB History, Applications, Downloads, E-mail, Messaging, P2P, and so on. Guess what? This process is also fast and seamless.

If you have time to spare, the alternate method is to add file content and metadata, which presents a few more options related to File Content and Metadata.

The questions investigators must ask themselves are:

  • Do I want to search just documents (faster) or documents, internet files, and text files (slower)?
  • Do I want to search only the user profiles (faster) or the entire drive and deleted (slower)?
  • How do I want to identify files: File Extension only (faster) or Thorough ID (slower)?

Remember to try to keep these choices in line with the profile chosen. Once all the choices are made, select SAVE and the keyword capture will run along with your Search Profile.

How to Create a Keyword Capture
