Thursday, 15 February 2018 16:34

Keyword Lists.  Lazy way or good technique? Featured

Written by

It is not lazy to use keyword lists . In fact, keyword lists can be an effective means to find evidence if and when they are used appropriately.  When used haphazardly (ie: without a plan or goal), you most likely will be wasting time by creating more work than you would have otherwise and not accomplish what you wanted in the first place.  With keyword searches, not having a plan or goal, and throwing keyword searches at data is a lazy method that results in doing  more labor  to review the results. Don't do that.  We want to make it easier, not harder, to find evidence.  By the way, not every case needs keyword searches.  It depends on the type of case.

Most digital forensics suites have keyword search capabilities built in.  Simply type a list of keywords or import a text file, click Search , and away you go!  Your DFIR tool will run through everything that you selected, find the data that contains your keywords, and lay them out for you to manually review.  Cool, right?  Well….there is one drawback: too many hits to manually review.

The factors to consider to limit the number of hits to review depend on what you are looking for ( generic or specific keywords ), the amount of different targets ( number of keywords ), the source ( size of source data ), and the file type (file format: system or user files ) that you need to search.  Even when your targeted keyword has been found, you still need to see the keyword in context of where you found it, because context is everything.  One tip in using keywords is to consider using GREP searches (Regular Expressions) to find your keyword in specific locations such as, <KEYWORD near ANOTHER KEYWORD>, or a keyword in a specific format like <SOCIAL SECURITY NUMBER FORMAT>.

         

 

I started uploading keyword lists to dfir.training in hopes of having some community feedback with your keyword lists as submissions to add. 

I know you have some… don’t keep them to yourself.  Share with the community and the community will benefit as a whole.  Be a part of contributing to the greater good because we (as in you) benefit greatly when we share to improve our profession.

Last modified on Thursday, 15 February 2018 16:55

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.