This week’s Tip Tuesdays session focuses on keyword searching in Physical Analyzer and how to use it to recover more artifacts.

Go to the search box at the top right of Physical Analyzer. I search for the word “gear” and press Show All. Under Advanced search, you can search for “gear, head” and it will show hits containing either of those terms.

To find only hits that contain both “gear” and “head”, type “gear, head” in All of these terms.

If I wanted to search for “gear, head” but exclude anything containing the word “Ultima”, I would type “Ultima” in None of these terms.

You can also use Search file contents. This is very important because it searches inside files that Physical Analyzer may not have parsed, so it can surface artifacts that never appear in the parsed data views.

In an XML file, you can search within the file itself or within the File format viewer. You can also do HEX searches in every single file of interest: type in a word and it will highlight each match.

You can also do this across the entire file system. If I’m searching for locations, I search for “position” and “location”, because many artifacts and applications use strings such as “current location”, “current position”, “last position” and “last location”.

This will most likely give you thousands of hits, because so many applications use these terms, but all of the hits are listed for you at the bottom of the page.
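As an added illustration of the search logic described above (this is example code written for this post, not Cellebrite’s code or Physical Analyzer’s API), the script below applies the same “any of these terms / all of these terms / none of these terms” filtering to a constructed set of raw files. It searches file contents byte-for-byte rather than parsed records, and checks each term both as plain text and as UTF-16, which is how many unparsed binary files on mobile devices store strings such as “current location”. The file paths and contents are made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample "file system": path -> raw bytes (not from a real extraction).
SAMPLE_FILES: Dict[str, bytes] = {
    "apps/game/save.xml": b"<save><item>gear</item><item>head</item><game>Ultima</game></save>",
    "apps/game/notes.txt": b"bought new gear for the head unit",
    "apps/maps/cache.dat": "current location: 51.5,-0.12".encode("utf-16-le"),  # unparsed, UTF-16
    "apps/fit/track.db": b"last position=51.6,-0.13\x00current position",
}


def term_patterns(term: str) -> List[bytes]:
    """Byte patterns for a term as UTF-8 and as UTF-16-LE, so a hit inside an
    unparsed binary or a UTF-16 string table is found as well as plain text."""
    return [term.encode("utf-8"), term.encode("utf-16-le")]


def find_hits(data: bytes, term: str) -> List[int]:
    """Case-insensitive search of raw bytes for one term; returns byte offsets."""
    hits = []
    for pat in term_patterns(term):
        for m in re.finditer(re.escape(pat), data, re.IGNORECASE):
            hits.append(m.start())
    return sorted(hits)


def advanced_search(files: Dict[str, bytes], any_terms=(), all_terms=(), none_terms=()):
    """Return {path: {term: [offsets]}} for files that contain at least one of
    any_terms, every one of all_terms, and none of none_terms."""
    results = {}
    for path, data in files.items():
        wanted = set(any_terms) | set(all_terms) | set(none_terms)
        found = {t: find_hits(data, t) for t in wanted}
        if any_terms and not any(found[t] for t in any_terms):
            continue
        if not all(found[t] for t in all_terms):
            continue
        if any(found[t] for t in none_terms):
            continue
        results[path] = {t: o for t, o in found.items() if o and t not in none_terms}
    return results


if __name__ == "__main__":
    print(advanced_search(SAMPLE_FILES, all_terms=("gear", "head"), none_terms=("Ultima",)))
    print(advanced_search(SAMPLE_FILES, any_terms=("position", "location")))
```

Note that the “location” hit in cache.dat is only found by the UTF-16 pattern; a plain-text search of that file would report nothing.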

Watch the full episode to learn more.
