Belkasoft X Help Contents

Searching artifacts

Once you have artifacts extracted, you may want to search them using different criteria. Along with filtering, search lets you narrow the number of items to review. Belkasoft X automatically indexes all text-based properties of artifacts, such as their texts, dates and times, metadata, and so forth, so running a search query against the extracted artifact data is quick.

Note: Do not confuse the search for application profiles with the search inside artifact texts. The search for application profiles is performed during analysis of a data source, and its goal is to find all artifacts belonging to a specific application. For instance, Belkasoft X will find an Outlook mailbox (and extract all of its emails) and 1000 documents (and extract the text and metadata of every one of them). Once that mailbox and those documents have been analyzed, you can search for particular text extracted from them.

To run a search in artifacts, either press the Ctrl-F key combination or go to the Dashboard and choose the Search artifacts item in the Actions list.

The Search data window will be shown:

The following search options are available:

  • Word or phrase. Choose this option to find all data containing a certain word or phrase.
    • This search is not case sensitive.
    • This search is carried out by exact match of the whole word. If you need to find artifacts by part of a word, use the * symbol.

    Check the Treat as a regex checkbox if you would like to use a regular expression. Regular expressions are a powerful mechanism for complicated searches. Choose this option when you do not know exactly what you are looking for, for example, when searching for email addresses or credit card numbers without yet knowing the exact address or number. The syntax of regular expressions is discussed in more detail below.

  • Words from file. Choose this option when you have a keyword file containing all words of interest. Such a file saves a lot of time when you have numerous words to search for: all the keywords are searched for in a single search operation.

    Check Treat as a regex checkbox if you would like to use a file containing a list of regular expressions.

  • Predefined search. Belkasoft X offers a set of vocabulary-based predefined searches, for example, adult sites, city names, disposable (one-time) email addresses, steganography app names, and so on. Note that these searches are customizable: the word lists are stored under the product folder (e.g. C:\Program Files\Belkasoft Evidence Center X\Resources\Search\Names\AmericanNames.txt) and you can edit them as you need.

At the bottom of this window, you can see two drop downs:

  • Select data source. Here you can specify which data sources to search in.

  • Select types to search in. Here you can specify which artifact types to look for, for example, to search in Documents and Downloads only.

Both lists have a root checkbox so you can select or deselect all items at once.

Typically, one searches in all data sources and profiles: it is better to find all the results first and only then narrow them down using the filters in the Search Results window.

When you click the OK button, the search task starts and is shown in Belkasoft X's Tasks window.

If you are not sure of the exact term to look for, use the special search operators.

  1. Wildcard * operator. Type an asterisk (*) in place of the part of the word you are not sure about. It stands for zero or more characters.

    Example: win* Matching: win, wine, wineglass, etc.

    Example: *in* Matching: win, wine, skin, instagram, etc.

  2. Wildcard ? operator. The question mark stands for exactly one character.

    Example: ?hat Matching: what, that, etc.

    Example: h?t Matching: hat, hot, etc.

  3. Fuzzy ~ operator. Type a tilde (~) after a word to find all terms that differ from it by at most two changes, where a change is the insertion, deletion or substitution of a single character, or the transposition of two adjacent characters.

    Example: what~ Matching: what, that, hat, wat, etc.

To speed up the search, all extracted data (words, dates, document content, passwords, etc.) is indexed. Thanks to this, the search is fast even on huge amounts of data. The list of all indexed words is called the Key dictionary; it can be created from the Dashboard actions.

Almost all non-alphanumeric characters are delimiters. The exceptions are @, underscore _, and dot. If an artifact contains a delimiter, it is split at indexing time into two indexed words, one before and one after the delimiter. Note that this affects what a whole-word search can match: an email address such as user@example.com is indexed as a single word, so an exact search for example.com finds nothing, while a wildcard search for *example.com does.

List of delimiters (not exhaustive; space, comma and hyphen also delimit, as the examples below show): ; : $ # ₽ & ? ( ) { } [ ] | \ / " ' ! < > % + ~ *

Example: Drugs+Guns. Matching in key dictionary: drugs, guns

  • a search for Drugs+Guns returns 0 matches
  • a search for drugs or for guns finds this artifact

More examples:

  Example                  Matching in key dictionary
  "SD500"                  "SD", "500"
  "//hello---there, dude"  "hello", "there", "dude"
  "O'Neil's"               "O", "Neil"
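To see why the examples above behave as they do, it helps to model the documented rules in code. The following Python is an added illustration written for this page; it is not Belkasoft X code and does not reproduce its real indexer. It implements the delimiter rule, the Key dictionary, and the *, ? and ~ operators exactly as the page describes them, with two assumptions marked in the code: a letter/digit boundary is treated as a split (inferred from the "SD500" example), and the search query itself is not split on delimiters (consistent with Drugs+Guns returning 0 matches). The page's "O'Neil's" example also drops the trailing "s", which this simple model does not attempt to reproduce. The sample artifact texts are constructed for the example.

```python
import re

# Added model of the indexing and search rules described on this page.
# Not Belkasoft X code; it only reproduces the documented behaviour.

# Every non-alphanumeric character except '@', '_' and '.' is a delimiter.
# The "SD500" -> "SD", "500" example implies a split at each letter/digit
# boundary as well, so that is modelled too (assumption drawn from that example).
KEEP = set("@_.")


def tokenize(text):
    """Split artifact text into lowercase index terms."""
    terms, cur, prev_kind = [], [], None
    for ch in text:
        if ch.isalpha() or ch in KEEP:
            kind = "alpha"
        elif ch.isdigit():
            kind = "digit"
        else:
            kind = None  # delimiter: ends the current term
        if kind is None or (prev_kind is not None and kind != prev_kind):
            if cur:
                terms.append("".join(cur).lower())
            cur = []
        if kind is not None:
            cur.append(ch)
        prev_kind = kind
    if cur:
        terms.append("".join(cur).lower())
    return terms


def build_key_dictionary(artifacts):
    """The Key dictionary: every term indexed from every artifact."""
    return {term for text in artifacts for term in tokenize(text)}


def wildcard_to_regex(pattern):
    """'*' matches zero or more characters, '?' exactly one; the rest is literal."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def wildcard_search(pattern, dictionary):
    rx = wildcard_to_regex(pattern.lower())
    return sorted(t for t in dictionary if rx.match(t))


def edit_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of two adjacent characters each count as one change."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def fuzzy_search(term, dictionary, max_changes=2):
    """The '~' operator: every term within max_changes edits (two, per the page)."""
    term = term.lower()
    return sorted(t for t in dictionary if edit_distance(term, t) <= max_changes)


def search(query, dictionary):
    """Trailing '~' is fuzzy, '*' or '?' is a wildcard search, anything else must
    equal a whole indexed term (case-insensitively). The query is not tokenized
    (assumption, consistent with 'Drugs+Guns' returning 0 matches)."""
    q = query.lower()
    if q.endswith("~"):
        return fuzzy_search(q[:-1], dictionary)
    if "*" in q or "?" in q:
        return wildcard_search(q, dictionary)
    return [q] if q in dictionary else []


# Constructed sample artifact texts (not from a real case).
ARTIFACTS = [
    "Drugs+Guns",
    "SD500",
    "//hello---there, dude",
    "what that hat wat hot taht",
    "win wine wineglass skin instagram",
    "mail from john.doe@example.com",
]
KEY_DICTIONARY = build_key_dictionary(ARTIFACTS)

if __name__ == "__main__":
    for text in ARTIFACTS[:3]:
        print(repr(text), "->", tokenize(text))
    for q in ("Drugs+Guns", "drugs", "win*", "?hat", "h?t", "what~",
              "example.com", "*example.com"):
        print(q, "->", search(q, KEY_DICTIONARY))
```

Running the script prints the Key dictionary split for the first three sample texts and then the result of each query. The interesting cases are the last two: "example.com" returns nothing because the whole address was indexed as a single word, while "*example.com" finds it, which is the practical reason to reach for the wildcard operator when searching for domains, file extensions, or other fragments of an indexed term.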