Searching artifacts
When extracting artifacts from your data source, Belkasoft X automatically indexes their text-based properties, such as text contents, dates, times, metadata, and so on. Indexing allows you to quickly search the artifacts using different criteria and narrow down the number of items to review.
Note: Do not confuse the search of profiles and the search inside artifact texts. Belkasoft X performs the search for application profiles when analyzing a data source and its main goal is to find all artifacts associated with a specific application. For instance, if Belkasoft X finds an Outlook mailbox, it extracts all its emails and attached documents along with texts and metadata for each of those items. Once the tool analyzes the mailbox and the documents in it, you can search for particular texts extracted from them.
To run a search in artifacts, either press Ctrl-F or go to the Dashboard and under Actions, click Search artifacts.
The Search for indexed artifacts window opens. The following search options are available:
- Word or phrase. Select this option to find all data containing a certain word or phrase.
  - This search is not case sensitive.
  - This search is designed to find whole words or phrases. If you need to find artifacts by part of a word or phrase, use special search operators.
  Select the Treat as a regex checkbox if you want to search with a regular expression. Regular expressions (regex) help carry out complex searches. You can use them when you do not know exactly what you are looking for, for example, when you search for a credit card number but only know part of it. For more details on writing regular expressions, refer to the Regular expression syntax topic.
- Words from file. Select this option if you want to run a bulk search. To do it, prepare a .txt file containing all keywords (words and phrases) of interest, one keyword per line, and then select it in the Words from file field. Keywords in the list can include special search operators.
  Select the Treat as a regex checkbox if you want to use a file containing a list of regular expressions.
- Predefined search. Belkasoft X offers a set of searches based on predefined dictionaries, for example, adult sites, city names, disposable (one-time) email addresses, steganography app names, and so on. Note that these searches are customizable; you can find them under the product folder (e.g. C:\Program Files\Belkasoft Evidence Center X\App\Resources\Search\) and adjust them as you need.
Note that Belkasoft X processes non-alphanumeric characters (% @ ; : $ # ? ( ) / " ' _ - and others) as regular characters, so you can include them in the keywords. For example, if you search for "50%" or "C:\Windows\System32", the tool will search for the artifacts containing these exact text snippets.
At the bottom of the search window, you can see two drop-downs:
- Select a data source. Here you can specify which data sources to search.
- Select types to search in. Use it to specify which artifact types to look for, for example, to search in Documents and Downloads only.
When you click OK, the search task starts. You can view its progress in Belkasoft X’s Tasks window and find matched artifacts in the Search Results window.
A typical scenario entails searching all data sources and profiles and refining the results with the filters in the Search Results window.
Search operators
If it is not entirely clear what to look for, use special search operators.
- Wildcard * operator. Type an asterisk (*) in place of the part of the word you are not sure about. It replaces zero or more characters.
  Example: win* Matching: win, wine, wineglass, etc.
  Example: *in* Matching: win, wine, skin, instagram, etc.
- Wildcard ? operator. Type a question mark (?) in place of a single character. It replaces any one character.
  Example: ?hat Matching: what, that, etc.
  Example: h?t Matching: hat, hot, etc.
- Fuzzy ~ operator. Type a tilde (~) after a word to find all terms within a maximum of two changes of it, where a change is the insertion, deletion or substitution of a single character, or the transposition of two adjacent characters.
  Example: what~ Matching: what, that, hat, wat, etc.
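To make the operator semantics above concrete, here is an added Python example (not Belkasoft's code) that applies the same rules to a small constructed term index: whole-word, case-insensitive matching, * and ? wildcards with all other characters taken literally, and a ~ fuzzy match that counts insertions, deletions, substitutions and adjacent transpositions as one change each, with the page's limit of two changes. The index contents and the exact distance function are assumptions for illustration.

```python
import re

# Constructed sample of indexed terms (not taken from any real case).
INDEX = ["win", "wine", "wineglass", "skin", "instagram", "what", "that",
         "hat", "hot", "wat", "chat", "outlook", "50%"]


def wildcard_to_regex(keyword: str) -> re.Pattern:
    """Translate a keyword: '*' = zero or more characters, '?' = exactly one.
    Every other character, including % ; : $ etc., is escaped and matched literally."""
    parts = []
    for ch in keyword:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Anchored, so a plain keyword matches whole words only; case is ignored.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose two adjacent characters each count as a single change."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def search(keyword: str, index=INDEX, max_changes: int = 2) -> list:
    """Apply one keyword (with optional *, ? or trailing ~) to the index and
    return the matching terms in index order."""
    if keyword.endswith("~"):  # fuzzy operator: at most max_changes edits
        base = keyword[:-1].lower()
        return [t for t in index if osa_distance(base, t.lower()) <= max_changes]
    pattern = wildcard_to_regex(keyword)  # plain words and wildcard operators
    return [t for t in index if pattern.match(t)]
```

Running search("what~") also returns hot and chat, both one or two changes away, which shows why fuzzy hits usually need the filters in the Search Results window to narrow them down.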
All artifacts extracted by Belkasoft X (words, dates, documents content, passwords, etc.) are indexed. Thanks to indexing, the search is fast even if your case contains a huge amount of data. A list of all indexed artifacts is placed in the Key dictionary. You can create it from Dashboard actions.
See also:
Regular expression syntax
Search Results window
Automatic searches