Advanced filters in Belkasoft X

Advanced filters are available in the Belkasoft X File System viewer. They allow complex filtering of files using various criteria joined by conjunctions, in support of digital forensics, cyber incident response and the first steps of electronic discovery.

Creating a filter

You can create an advanced filter by choosing the "Advanced filter" tab of the "Add a filter" window.

There are two options available:

  1. Add a criterion. This option will add a named criterion from a list of available criteria.
  2. Add a saved filter. This option allows you to select from previously saved filters.

You can filter files by file system criteria such as various file times (including calculated local times), by size and path, and by whether a file was deleted. You can also filter blacklisted or whitelisted files, based on the hashset analysis result. To quickly locate a criterion, type its name in the "Name" text box.

Conjunctions

There are two conjunctions available:

  • AND. This conjunction means that both criteria must be met. It can also be treated as an intersection of its logical parts.

  • OR. This conjunction means that it is enough for either criterion to be met. It can also be treated as a union of its logical parts.

Order of precedence

You can define as many criteria as you like in your filter. Multiple criteria are evaluated strictly "left to right":

A AND B AND C OR D AND E is interpreted as (((A AND B) AND C) OR D) AND E.

If you would like to change this order, for example to this:

((A AND B) AND C) OR (D AND E)

you can store part of the filter as a named filter. In this case, D AND E can be stored as a named filter and used in place of the in-place criteria.
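
The following added example (a Python model of the rule above, not Belkasoft X code) shows why the grouping matters in practice: the flat filter silently excludes a file that the grouped filter returns. The file records, field names and the meaning given to criteria A to E are constructed assumptions.

```python
# Model of the left-to-right rule described above; not Belkasoft X code.
# Constructed sample records; field names are assumptions for illustration.
FILES = [
    {"path": "/Users/a/report.docx", "size": 48000, "ext": "docx",
     "deleted": False, "blacklisted": False},
    {"path": "/Temp/tool.exe", "size": 900, "ext": "exe",
     "deleted": True, "blacklisted": True},
    {"path": "/Temp/old.log", "size": 120, "ext": "log",
     "deleted": True, "blacklisted": False},
]

# Criteria A..E as predicates over one file record (hypothetical choices).
A = lambda f: "/Users/" in f["path"]      # path contains "/Users/"
B = lambda f: f["size"] > 10000           # size greater than 10000 bytes
C = lambda f: f["ext"] == "docx"          # extension is "docx"
D = lambda f: f["deleted"]                # file is deleted
E = lambda f: f["blacklisted"]            # hashset result is blacklisted


def evaluate(chain, record):
    """Evaluate [first, (conj, item), ...] strictly left to right."""
    first, *rest = chain
    result = operand(first, record)
    for conj, item in rest:
        value = operand(item, record)
        result = (result and value) if conj == "AND" else (result or value)
    return bool(result)


def operand(item, record):
    # A list stands for a saved filter: evaluated alone, then used as one operand.
    return evaluate(item, record) if isinstance(item, list) else item(record)


def matches(chain):
    return [f["path"] for f in FILES if evaluate(chain, f)]


# A AND B AND C OR D AND E  ->  (((A AND B) AND C) OR D) AND E
FLAT = [A, ("AND", B), ("AND", C), ("OR", D), ("AND", E)]
# D AND E stored as a saved filter  ->  ((A AND B) AND C) OR (D AND E)
SAVED_D_AND_E = [D, ("AND", E)]
GROUPED = [A, ("AND", B), ("AND", C), ("OR", SAVED_D_AND_E)]

if __name__ == "__main__":
    print("flat:   ", matches(FLAT))     # report.docx is dropped by the trailing AND E
    print("grouped:", matches(GROUPED))
```

When a filter mixes AND and OR, comparing the hit count of the flat and grouped forms on a known test set is a quick way to confirm the filter selects what was intended.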

Named filters

Use the "Save filter" button to save the filter you are currently editing. The filter then becomes available for selection when you click the "Add saved filter" button.

Negating a criterion (logical NOT)

Negation is currently not supported. To negate a criterion, change its operation to the corresponding opposite: "contains" to "does not contain", "is" to "is not" and so on.

For more details on working with filters, please refer to the product reference guide, which can be found inside the product’s installation folder.