forensic42 Newbie


Joined: Feb 01, 2010 Posts: 3
|
Posted: Tue Feb 02, 2010 6:46 am Post subject: EnCase Grep Expression |
|
|
All - I am trying to create a Grep Expression within EnCase to pick up Keyword1 and Keyword2. For example, my keyword is computer forensics. However, I don't want computer and I don't want forensics. I only want the hits where computer and forensics are both within the same file. Also, the same two words only need to be in the same file - not within one word of each other, etc. Any suggestions would be greatly appreciated!
PreferredUser Newbie


Joined: Jan 01, 2007 Posts: 651 Location: Midwest, USA
|
Posted: Tue Feb 02, 2010 7:27 am Post subject: |
|
|
What have you tried that does not seem to be working?
forensic42 Newbie


Joined: Feb 01, 2010 Posts: 3
|
Posted: Tue Feb 02, 2010 7:48 am Post subject: |
|
|
After doing some research I tried:
keyword1 +keyword2 - which is supposed to find keyword1 followed by any number of spaces then keyword2. However in my testing it is only doing keyword1 (space) keyword2 (i.e. computer +forensics = computer forensics). I need it to be anywhere within the file and this is not picking up on those scenarios.
I think it has to be something like keyword1 (some number of spaces) then keyword2. Just missing the middle (most vital) part.
PreferredUser Newbie


Joined: Jan 01, 2007 Posts: 651 Location: Midwest, USA
|
Posted: Tue Feb 02, 2010 9:02 am Post subject: |
|
|
forensic42 wrote: "After doing some research I tried: keyword1 +keyword2"
Which should work.
Try: keyword.otherword
Which should give you keyword followed by any character followed by otherword. The period matches any character.
athulin Newbie


Joined: Oct 19, 2007 Posts: 108
|
Posted: Tue Feb 02, 2010 7:25 pm Post subject: |
|
|
forensic42 wrote: "I think it has to be something like keyword1 (some number of spaces) then keyword2. Just missing the middle (most vital) part."
EnCase is not known for doing grep expressions particularly well. You don't say what version you are using, so you may be running into known bugs -- I remember one version that tried to optimize grep expressions, but failed for some moderately complex cases. EnCase support should be able to tell you if you are, though.
I think there also is (or perhaps was) a restriction of 512 characters in any expanded pattern expression -- you couldn't match strings larger than 512 bytes.
I've given up on EnCase and grep (I can't rely on my knowledge of Unix grep to work), and generally use the other search alternatives, or even indexing of selected subsets of files. If I do need grep, I export the relevant files so that I can use a trusted grep.
forensic42 Newbie


Joined: Feb 01, 2010 Posts: 3
|
Posted: Wed Feb 03, 2010 12:23 am Post subject: |
|
|
keyword1 +keyword2 as well as keyword1.keyword2 only produce a hit on one of my test files. I had a set of 4 test files, 2 of which contained the keyword1 and keyword2 and the other 2 only contained keyword1. It could be that it is outside of the 512 char limit - I'll have to check. I also will follow up with Guidance to see if I am running into a version containing bugs. Thanks for the suggestions.
oxsin Newbie


Joined: Jun 24, 2010 Posts: 1
|
Posted: Fri Jun 25, 2010 11:47 am Post subject: using grep |
|
|
Use grep for the following,
e.g. I'm searching for 2 words.....computer+forensics
computer.{0,254}forensics
where 0 is the minimum character space between the first word and 254 is the max. 254 is the max you can use in a grep search.
|
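Added example, not from any poster in this thread and not EnCase functionality: a Python script that runs the file-level "both keywords anywhere in the same file" test over files exported from the case, as athulin describes, next to the bounded expression `computer.{0,254}forensics` from the last post. The function names, file names and sample contents are constructed for illustration, and the script assumes the keywords are stored as ASCII/UTF-8 or UTF-16LE and that each exported file fits in memory.

```python
import re
import tempfile
from pathlib import Path

# The ordered, bounded expression from the thread, applied to raw bytes.
ORDERED = rb"computer.{0,254}forensics"

def contains(data: bytes, word: str) -> bool:
    """Case-insensitive hit on the keyword stored as ASCII/UTF-8 or UTF-16LE."""
    forms = (word.encode("utf-8"), word.encode("utf-16-le"))
    return any(re.search(re.escape(f), data, re.IGNORECASE) for f in forms)

def files_with_all(root, words):
    """Files under root holding every keyword, in any order, at any distance."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            data = path.read_bytes()  # assumption: exported files fit in memory
            if all(contains(data, w) for w in words):
                hits.append(path.relative_to(root).as_posix())
    return hits

def files_with_pattern(root, pattern):
    """Files under root matched by one expression (DOTALL: '.' is any byte)."""
    rx = re.compile(pattern, re.IGNORECASE | re.DOTALL)
    return [p.relative_to(root).as_posix()
            for p in sorted(Path(root).rglob("*"))
            if p.is_file() and rx.search(p.read_bytes())]

def build_samples(root):
    """Constructed sample files standing in for an exported file set."""
    samples = {
        "adjacent.txt": b"Intro to computer forensics.",
        "far_apart.txt": b"computer " + b"x" * 400 + b" forensics",
        "reversed.txt": b"Forensics lab\nissued a new Computer",
        "utf16.txt": "computer and forensics".encode("utf-16-le"),
        "only_one.txt": b"computer science notes",
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        print("both keywords:", files_with_all(tmp, ["computer", "forensics"]))
        print("ordered regex:", files_with_pattern(tmp, ORDERED))
```

The single expression only hits the file where the words are in order, within 254 bytes and in one encoding; the per-keyword test also returns the far-apart, reversed and UTF-16LE files.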