Decoder: search.ini Search String Syntax

Document created by RSA Information Design and Development on Apr 21, 2016

This topic introduces the search methods and the search.ini syntax used by the Search parser.

The Search parser uses three basic search methods:

  • Keyword: Search a stream for a specific set of words.
  • Pattern: Search a stream for a regular expression match.
  • Keyword+Pattern: Search a stream for a regular expression match only if the stream contains at least one of a given set of keywords. The keyword test is the cheap filter; the regular expression is evaluated only on streams that pass it.

Syntax

Maxrecon=<max_size>
Maxsearch=<max_search_length>
MatchLimit=<max_matches_per_stream>

Search Name
Services=<service_id_list>
Keywords=<keyword_list>|Pattern=<expression>
Case=0|1
Proximity=<number_of_bytes>
Recon=0|1
Raw=0|1

Parameters

Parameters used in search.ini. Maxrecon, Maxsearch and MatchLimit are file-wide settings that precede the searches; Search Name and the settings that follow it describe one search and are repeated for each search defined. The descriptions below follow from the placeholder names in the syntax above.

Parameter                            Description
Maxrecon=<max_size>                  Maximum size of the reconstruction produced for a match (applies when Recon=1)
Maxsearch=<max_search_length>        Maximum length of a stream that is searched; data beyond this length is not examined
MatchLimit=<max_matches_per_stream>  Maximum number of matches reported per stream
Search Name                          Name of the search; the settings below belong to it
Services=<service_id_list>           List of service IDs whose streams the search is applied to
Keywords=<keyword_list>              Set of words to search for (Keyword method; with Pattern, the Keyword+Pattern method)
Pattern=<expression>                 Regular expression to match (Pattern method; with Keywords, evaluated only when a keyword is present)
Case=0|1                             Whether matching is case sensitive
Proximity=<number_of_bytes>          Distance in bytes within which the matched terms must occur
Recon=0|1                            Whether the stream is reconstructed for a match
Raw=0|1                              Whether raw stream data is searched

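The following Python program is an added example, not RSA's code and not part of this topic: it parses a constructed search.ini text written in the syntax listed above and runs the three search methods over constructed byte streams, so the difference between a keyword-only search and a keyword-gated regular expression can be seen on the same data. It assumes details the page does not state: the search name is written as a bracketed INI section header, Keywords is comma-separated, Case=1 means case sensitive, Proximity is a byte window either side of each keyword hit inside which the pattern must match, and Maxrecon caps the excerpt returned when Recon=1. Services and Raw are parsed but not modeled, since their effect is Decoder-side.

```python
import re

# Constructed search.ini text in the syntax listed in this topic.  The
# bracketed section header for the search name and the comma-separated
# Keywords list are assumptions; the page shows only "Search Name".
SEARCH_INI = r"""
Maxrecon=24
Maxsearch=65536
MatchLimit=2

[Password keyword]
Keywords=password,passwd,pwd
Case=0

[Credential in form body]
Services=80,8080
Keywords=password,passwd,pwd
Pattern=(?:password|passwd|pwd)=[^&\s]+
Case=0
Proximity=32
Recon=1
Raw=1

[Private key in stream]
Pattern=-----BEGIN (?:RSA |EC )?PRIVATE KEY-----
Case=1
Recon=1
Raw=1
"""

# Constructed streams standing in for reassembled sessions (not real captures).
STREAMS = {
    "post": (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"user=alice&PASSWORD=hunter2&remember=1"),
    "chatter": b"please reset my pwd; the passwd file and the old password are gone",
    "pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
}


def parse_search_ini(text):
    """Return (global settings, {search name: settings}).

    Key=value lines before the first [section] are the global Maxrecon,
    Maxsearch and MatchLimit settings; each [section] is one search.
    """
    settings, searches, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            searches[current] = {}
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only: a regex may contain '='
        if not sep or not key.strip():
            raise ValueError(f"search.ini line {lineno}: expected key=value, got {raw!r}")
        (settings if current is None else searches[current])[key.strip()] = value.strip()
    return settings, searches


def run_search(spec, stream, settings):
    """Apply one search to one stream; return [(offset, matched bytes, excerpt), ...].

    Method selection follows the topic: Keywords alone, Pattern alone, or both
    (the regex is evaluated only around keyword hits).  Assumed semantics: Case=1
    is case sensitive; Proximity>0 is the byte window either side of a keyword
    hit; Maxrecon caps the excerpt returned when Recon=1.
    """
    data = stream[: int(settings.get("Maxsearch", len(stream)))]
    flags = 0 if spec.get("Case", "0") == "1" else re.IGNORECASE
    words = [w.strip() for w in spec.get("Keywords", "").split(",") if w.strip()]
    kw_re = re.compile(b"|".join(re.escape(w.encode()) for w in words), flags) if words else None
    pattern = re.compile(spec["Pattern"].encode(), flags) if "Pattern" in spec else None
    if kw_re is None and pattern is None:
        raise ValueError("a search needs Keywords=, Pattern=, or both")

    found = {}                                          # offset -> matched bytes
    if pattern is None:                                 # Keyword method
        for m in kw_re.finditer(data):
            found[m.start()] = m.group()
    elif kw_re is None:                                 # Pattern method
        for m in pattern.finditer(data):
            found[m.start()] = m.group()
    else:                                               # Keyword+Pattern method
        proximity = int(spec.get("Proximity", "0"))
        for k in kw_re.finditer(data):
            lo, hi = (max(0, k.start() - proximity), k.end() + proximity) if proximity else (0, len(data))
            for m in pattern.finditer(data, lo, hi):    # regex runs only inside the keyword window
                found[m.start()] = m.group()

    maxrecon = int(settings.get("Maxrecon", "0"))
    limit = int(settings.get("MatchLimit", "0")) or None   # 0 = unlimited
    recon = spec.get("Recon", "0") == "1" and maxrecon > 0
    return [(off, found[off], data[off:off + maxrecon] if recon else b"")
            for off in sorted(found)[:limit]]


def run_all(ini_text, streams):
    """Run every search against every stream; return {(search, stream): hits}."""
    settings, searches = parse_search_ini(ini_text)
    results = {}
    for name, spec in searches.items():
        for sid, stream in streams.items():
            hits = run_search(spec, stream, settings)
            if hits:
                results[(name, sid)] = hits
    return results


if __name__ == "__main__":
    for (name, sid), hits in run_all(SEARCH_INI, STREAMS).items():
        for off, match, excerpt in hits:
            print(f"{name!r} in {sid} @ {off}: {match!r} {excerpt!r}")
```

Running it shows why the Keyword+Pattern method exists: the chatter stream contains all three keywords, so the keyword-only search reports it (two of its three hits, because MatchLimit=2), but no keyword is followed by =value, so the gated regular expression reports nothing there and fires only on the form body, where PASSWORD=hunter2 is found case-insensitively because Case=0. The private-key search has no Keywords and so is a plain Pattern search, run with Case=1 because PEM markers are upper case by definition.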