Hi. I would like to be able to use the Keyword Search feature in Autopsy to be able to search for strings of data that match a pattern, rather than an explicit value. A specific example of what I am looking for would be the ability to keyword search across a forensic image for any strings of data that match the pattern of a U.S. Social Security Number (i.e. a pattern of integers where they are typed as 3 digits, a hyphen, 2 digits, a hyphen, and 4 digits; an example would be * * * - * * - * * * * ). This would allow me to discover instances where this type of information exists on an image (for cases where this type of information should not be present in a storage device). I wonder whether this might not already be possible, simply by properly formatting the keyword, but I cannot seem to find any documentation that would clarify whether or not this is possible, nor if so, how. I look forward to the prospect of this becoming a feature in the future. Thanks!
This feature already exists. You can configure a keyword list with a keyword that is a regular expression and run the keyword search ingest module with this list selected:
You can also choose to do an “ad hoc” search outside of ingest using the list or a regex defined on the fly:
Please consult http://sleuthkit.org/autopsy/docs/user-docs/4.11.0/ad_hoc_keyword_search_page.html#ad_hoc_kw_types_section for details on regular expression syntax.
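The pattern from the question (3 digits, hyphen, 2 digits, hyphen, 4 digits), worked through as an added example that is not part of the original thread and is not Autopsy code. It uses Python's `re` dialect rather than Autopsy's keyword syntax, goes one step beyond the bare pattern by discarding values the SSA never issues, and its function names and sample bytes are constructed for illustration.

```python
import re

# 3 digits, hyphen, 2 digits, hyphen, 4 digits, as described in the question.
# The lookarounds reject matches embedded in longer digit/hyphen runs
# (order numbers, phone numbers), a common source of false positives.
SSN_PATTERN = re.compile(rb"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def is_plausible_ssn(area, group, serial):
    """Reject values never issued: area 000, 666 or 900-999; group 00; serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssn_candidates(data, context=16):
    """Return (byte offset, value, surrounding text) for each plausible hit in raw bytes."""
    hits = []
    for m in SSN_PATTERN.finditer(data):
        area, group, serial = (g.decode("ascii") for g in m.groups())
        if not is_plausible_ssn(area, group, serial):
            continue
        start = max(m.start() - context, 0)
        snippet = data[start:m.end() + context].decode("ascii", errors="replace")
        hits.append((m.start(), f"{area}-{group}-{serial}", snippet))
    return hits


# Constructed sample standing in for bytes read from an image or an exported file.
SAMPLE = (
    b"\x00\x01name=J. Doe;ssn=123-45-6789;\x00"    # plausible hit
    b"phone=555-123-4567\n"                        # 3-3-4 grouping, wrong shape
    b"placeholder 000-12-3456 and 987-65-4321\n"   # right shape, never-issued areas
    b"order 2021-123-45-6789-1\n"                  # embedded in a longer number
    b"tax id: 321-54-9876\xff"                     # plausible hit next to binary data
)

if __name__ == "__main__":
    for offset, value, snippet in find_ssn_candidates(SAMPLE):
        print(f"offset {offset:>4}  {value}  {snippet!r}")
```

The byte offsets make it possible to go back to the same location in the source data and review each hit in context before treating it as a real SSN.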