Question regarding keyword search

Dear forensics enthusiasts!

Soon I will have to go out in the field and perform live forensics. I will have to perform keyword search and look for various documents.

I have a live Linux system on a USB stick with various utilities, including the latest version of Autopsy and I’m wondering how exactly does the keyword search works.

Time will be of an essence and thus I’m wondering how to approach this task. I intend to run the “Indexing and keyword search” module but I am wondering will it provide me with keyword hits from .docx and similar documents if I do not run the “Embedded file extractor” module beforehand?

Looking forward to your insight and thoughts on how to approach this task in the best possible way

…will it provide me with keyword hits from .docx and similar documents if I do not run the “Embedded file extractor” module beforehand?

Yes.

There are way too many unknowns to give you any useful feedback on overall approach. The only general feedback I can provide is probably obvious…test your planned methodology and configuration in a lab environment before doing it in the ‘field’.

To expand a bit on the previous answer - the Embedded File Extractor module most commonly extracts files from archives (.zip, .rar, etc) and images from documents (.docx and others). All of these extracted files are then processed by any ingest modules you have selected. So you don’t need to worry about order - just run all the ingest modules you need. And if you choose not to run the Embedded File Extractor module you’ll still be able to do run keyword search on the documents.

If you haven’t, I would suggest reading the help page on Keyword Search and practicing with it before you go into the field if at all possible. You can add some files and folders on your machine as a logical files data source to test how the searching works.

http://sleuthkit.org/autopsy/docs/user-docs/4.13.0/keyword_search_page.html
http://sleuthkit.org/autopsy/docs/user-docs/4.13.0/ds_page.html#ds_log

You might also find the following documentation useful for the scenario you describe.

http://sleuthkit.org/autopsy/docs/user-docs/4.13.0//triage_page.html
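As an added lab illustration of the point made in the answer above (this is not code from the original thread or from the Autopsy project), the following Python script builds a minimal .docx in memory and shows why keyword search does not depend on the Embedded File Extractor: the document's own text lives in `word/document.xml` inside the ZIP container, while embedded pictures sit as separate parts under `word/media/`. The `.docx` content, the keyword list and the fake PNG bytes are all constructed here for the demonstration; the whole-word matching in `keyword_hits` is a stand-in for an exact-match keyword list, not a reproduction of Autopsy's indexer.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# WordprocessingML namespace used by word/document.xml in every .docx
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Minimal [Content_Types].xml so the container is a structurally valid OOXML package
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Default Extension="png" ContentType="image/png"/>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)


def build_sample_docx(paragraphs, media=None):
    """Build a minimal .docx in memory: a ZIP holding word/document.xml plus any
    embedded media parts. This is a constructed sample, not a real evidence file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        body = "".join(f"<w:p><w:r><w:t>{escape(p)}</w:t></w:r></w:p>" for p in paragraphs)
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>',
        )
        for name, data in (media or {}).items():
            zf.writestr(f"word/media/{name}", data)
    return buf.getvalue()


def extract_docx_text(docx_bytes):
    """Pull the document's own text out of word/document.xml (the <w:t> runs).
    This is the text a keyword indexer works from; no embedded-file extraction
    is involved, the container is simply opened and the main part parsed."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return " ".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


def list_embedded_media(docx_bytes):
    """Names of embedded media parts: the pieces an embedded-file extractor would
    carve out as separate files so that other ingest modules can process them."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("word/media/"))


def keyword_hits(text, keywords):
    """Case-insensitive whole-word hit counts per keyword (exact-match style)."""
    lowered = text.lower()
    return {kw: len(re.findall(rf"\b{re.escape(kw.lower())}\b", lowered)) for kw in keywords}


# Constructed sample: two paragraphs of text and one fake embedded PNG
SAMPLE_DOCX = build_sample_docx(
    ["Invoice for Project Falcon, due 2021-03-31.", "Contact: alice@example.com"],
    media={"image1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16},
)

if __name__ == "__main__":
    text = extract_docx_text(SAMPLE_DOCX)
    print("Text:", text)
    print("Hits:", keyword_hits(text, ["falcon", "invoice", "bob"]))
    print("Embedded media:", list_embedded_media(SAMPLE_DOCX))
```

Running it shows the keyword hits coming straight from the parsed document text, while the embedded picture is listed only as a separate part; that separation is the reason the Embedded File Extractor affects what other modules get to see (the extracted image), not whether the document's text is searchable. For a field rehearsal, the same idea applies: drop a few known documents into a folder, add it as a logical files data source, and confirm the expected hits before relying on the configuration.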