Search for key words in image file or disk (Indexed Mode)

Beginning with ProDiscover 6.0, users have two high-level approaches to search. The first is the original raw search, which scans the disk in cluster mode or content mode for keywords. When using a raw search, users have a group of features for fine-tuning the search, such as Boolean Logic, Basic Pattern Matching, and Regular Expression syntax, listed below. While raw searches can be very effective, they can become quite time-consuming when repetitive searching is needed. The second is ProDiscover's index-based search, in which users create an index of a directly attached disk or image and then conduct repeated searches, with results returning in seconds rather than hours. With the indexed approach, users spend the time to create the index only once, up front, and can then search over and over without any added time.

Indexed mode searches are conducted almost exactly as raw mode searches, with two exceptions: first, the user selects "Index Search" in the search type drop-down box of the search dialog box, and second, the index must have been prepared prior to conducting the search. Indexes can be created for all searchable items with the exception of cluster searches. This means users can create indexes for any physical disk, partition or folder, and any of the processed information such as Internet History, Event Logs, Registry, and Email.

Before creating an index for a project's data, users should ensure the proper settings are configured on the "Search Index" tab of the user preferences dialog box, as seen below.

 

 

Default Thesaurus and Noise files are provided and linked in the <ProDiscover installation>\Index directory.

A thesaurus file contains a list of synonyms the search engine can use to find matches for particular words if the words themselves don't appear in documents. For example, users may want to relate the word run with the word jog in the thesaurus configuration file. If the words were related then a search for the word "run" might return results that contain either the words "run" or "jog". An example thesaurus.txt file is included and is formatted as follows:

 

Word1,synonym1,synonym2, ...

Word2,synonym2,synonym2, ...

Word3,synonym3,synonym3, ...

...

Given the format above, to create a synonym for "run" the entry would be: run,jog

 

The noise file contains noise words, sometimes referred to as stop words. These are conjunctions, prepositions and other words such as AND, TO and A that appear often in documents yet carry little meaning on their own. A basic noise.txt file is included in the installation and is formatted simply as an ASCII text file with one noise word per line.
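Because an index takes a long time to build, it is worth checking both files before indexing. The following is an added example, not part of ProDiscover or its documentation: it parses the two formats described above and shows which terms each keyword would match. The function names and sample data are hypothetical, and it assumes case-insensitive matching, one-directional synonym lookup (as in the run/jog example) and that noise words are left out of the index.

```python
# Constructed sample files in the two formats described above.
THESAURUS = "run,jog\ntransfer,wire,remit, send\norphan\n"
NOISE = b"and\nto\na\nof the\n"

def load_thesaurus(text):
    """Parse 'word,synonym1,synonym2,...' lines into {word: [synonyms]}."""
    table, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        fields = [f.strip().lower() for f in line.split(",") if f.strip()]
        if not fields:
            continue  # blank line
        if len(fields) < 2:
            problems.append(f"thesaurus line {n}: '{fields[0]}' has no synonyms")
            continue
        table.setdefault(fields[0], []).extend(fields[1:])
    return table, problems

def load_noise(raw):
    """Parse the one-word-per-line ASCII noise file (bytes) into a set."""
    words, problems = set(), []
    for n, line in enumerate(raw.splitlines(), 1):
        try:
            word = line.decode("ascii").strip().lower()
        except UnicodeDecodeError:
            problems.append(f"noise line {n}: not ASCII")
            continue
        if len(word.split()) > 1:
            problems.append(f"noise line {n}: more than one word")
        elif word:
            words.add(word)
    return words, problems

def plan_search(keywords, thesaurus, noise):
    """Return ({keyword: terms it would match}, warnings)."""
    plan, warnings = {}, []
    for kw in (k.lower() for k in keywords):
        if kw in noise:  # assumption: noise words are not in the index
            warnings.append(f"'{kw}' is a noise word; assumed absent from the index")
            continue
        plan[kw] = [kw] + [s for s in thesaurus.get(kw, []) if s not in noise]
    return plan, warnings

if __name__ == "__main__":
    thesaurus, t_problems = load_thesaurus(THESAURUS)
    noise, n_problems = load_noise(NOISE)
    plan, warnings = plan_search(["Run", "to", "transfer", "jog"], thesaurus, noise)
    for msg in t_problems + n_problems + warnings:
        print("CHECK:", msg)
    for kw, terms in plan.items():
        print(kw, "->", ", ".join(terms))
```

Note that under the one-directional assumption a search for "jog" does not expand to "run"; a second entry (jog,run) would be needed for that.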

The indexing path identifies where ProDiscover will place each index for the Content, Internet History, Registry, Event Logs, or Email.

 

 

ProDiscover will create a unique folder under the "indexing path" location for each individual item index. The folder is named after the current project.

Another important setting found in the user preferences "Search Index" tab determines which files will be added to the index. If a file is not added to the index during creation, then any subsequent searches of that index will not return the file. By default ProDiscover is configured to index "All indexable files". This means that during the indexing process ProDiscover will scan every file, and any file containing readable ASCII or UNICODE data will be indexed. This process is more time-consuming, but also more thorough. Users are also given the option to index only files with given file extensions. This option is useful for users who only wish to find search terms in specific office documents.

Once the user is satisfied with the user preference settings, they need to choose which items they want to add to an index. Indexing a complete physical disk can be easily accomplished by choosing "Create Search Index" from the Action menu. The user only needs to highlight the desired physical disk and click the > symbol.

 

 

Users who wish to choose specific processed information from the registry, event logs, internet history, email, or specific partitions or folders can populate the "Available Disk(s)/Folders:" selection box by right-clicking on the desired item in ProDiscover's tree-view and choosing "Add to indexing list".

 

 

Once all the desired items have been added via the right-click action, users can then choose "Create search index" from the Action menu, move the items over to the "Selected Disk(s)/Folders:" list, and choose "Start Indexing" to begin the indexing process.

 

 

Once the indexing is complete, users can then choose the Indexed Search type for any item added in the standard search dialog box. While indexing can take some time on large data sets, the ability to search over and over, refining searches against the index later, is a great time saver.