Search Results window
Search Results is a top-level window, which shows the results of automatically performed predefined searches and cross-case searches, as well as user created searches.
If you do not see Search Results window, you can show it by clicking on Search Results main menu item.
Also Search Results window is shown when a search is completed:
Search Results window consists of three panes:
- Search history pane at the left
- Search results list in the middle
- Search result item properties at the right
Search history pane
The search history pane may have up to five nodes:
- Automatic searches. This node contains all predefined search results, whether run automatically (regular expression-based searches, which are performed whilst data source analysis) or by a user (using Predefined search option described above).
- Cross-case search. This node contains all matches between the current case and older cases during analysis. The following types of data can be searched: email addresses, phone numbers, application UINs, and profile names.
- Regular expression. This node contains all searches by regular expression. The search term is noted for each search performed.
- Word or phrase. This node contains all searches by a word or a phrase. The search term is noted for each search performed.
- Words from file. This node contains all searches by words from a file. The file name is noted for each search performed.
All nodes in this pane have a number in parentheses following the node name. This number indicates the amount of results of corresponding type.
You can create a report for any search session by right clicking on a node and selecting Create report… context menu item or clicking on Create report toolbar button.
Search results list
The search results list shows you all found artifacts for a search session, currently selected in the search history pane. This list has the following columns:
- Checkbox column. It works similarly to other lists and can be used to include multiple items to a report or do mass operations.
- Text. Displays the particular text where a search term was found. The term is highlighted with a bold font so you can see why the specific item is a search hit.
- Field name. This column makes it easy to understand inside which property of an artifact a search term was found; meaning, there could be multiple fields to search in. For example, a document can have text info in its body or metadata, a picture can have various EXIF tags with texts, an email can have email text and headers.
- Profile name. Displays the name of a profile where the artifact was originally extracted.
- Profile type. Indicates the type of a profile where the artifact was originally extracted.
- Source. Is a name of a data source where the artifact was originally extracted.
- Time (UTC) and Time (Local). Data timestamp of an artifact (if any). Typically, only one of these columns contain value.
This list works similarly to other artifact lists such as Artifacts: it has sorting, filtering, and reporting; however, it has one extra item in its context menu, namely Go to original item. This menu will navigate you to the corresponding profile and artifact inside Artifacts so that you can see the origin of the search result.
Depending on the artifact type, when you click on an item, Belkasoft X may display Item text and lightweight versions of the Hex Viewer and/or SQLite Viewer at the button of the window.
Search result item properties
The search result item properties work similarly to all other artifact property panes in the product, e.g. inside Artifacts window.
Cross-case search
Belkasoft X allows you to search for matches between the current case and older cases. The following types of data can be searched:
- Email addresses
- Phone numbers
- Application UINs and profile names
Run cross-case search
To enable cross-case search, switch on Run cross-case analysis option at the first General tab of Settings window:
See also:
Searching artifacts
Regular expression syntax
Automatic searches