Once you have extracted various artifacts, you will most likely need to find a needle in a haystack. A typical case nowadays can contain hundreds of thousands or even millions of items, and to limit the number of artifacts to review, you will need to use the Belkasoft X filtering functionality.
You can filter almost any artifact list in Belkasoft X, such as the artifact lists in Artifacts, Connection Graph, and, perhaps most importantly (since it typically has the largest number of items), Timeline.
Note: The Tasks window has its own filtering mechanism. For more on that, see the "Tasks" chapter.
Examples of useful filters you can create with Belkasoft X are:
- Filter visited URLs to see only social network links.
- Filter visited URLs to see only search engine links and the search terms used.
- Filter pictures having geolocation properties.
- Filter pictures found inside documents (excluding pictures found as separate files or by carving).
- In Overview, filter chats originating from Skype accounts only.
- Filter pictures having faces, skin or scanned text inside.
- Filter emails having attachments or documents having embedded files.
- And many other useful filters.
Creating a filter
There are two ways to create a filter. You could create a global filter (navigate to Creating a global filter to learn more) or filter a particular artifact list.
If you would like to create a local filter, click a funnel icon inside a column header to create a filter:
If you click on the selected funnel icon, a filter by the Message column will be created.
That will open the Add a filter window:
In this window, you can see various criteria: Direction, From, To, Time (UTC) / Time (Local), Message, To, Data source, Profile name, Is deleted, Participants, Attachments. The set of available criteria depends on the type of artifacts you decided to filter.
Click on any filter bar to configure the corresponding criterion. In the screenshot, you can type a part of the message you are looking for:
When you are done configuring criteria, click the Apply button. The list will be filtered, and the applied filter will be highlighted:
Note that the indicated Found count is 93 while Shown is 1, because the other items were filtered out.
If you select the From filter, you can select the senders to show messages from:
You can select all, none, or some of the message senders using the leftmost checkbox column. In the Items count column, you can see the total number of messages from this sender. Finally, the From column shows the sender information.
Editing an existing filter
You can edit an existing filter by clicking the funnel icon again. This will open the same Add a filter window with the corresponding filter options. You can change the values set for the corresponding criterion or even add more criteria.
You can delete a particular filter by using the Clear button in the Add a filter window.
Resetting all filters
You can reset all filters by using the Reset filters button in the Add a filter window.