The Search Parser is a custom parser used to generate metadata by scanning for predefined keywords and regular expressions. The parser searches the payload of a reconstructed session for string matches and can execute a regular expression search. You can configure the parser by editing the search.ini file.
The search definition is used across all protocols. There are three basic search methods:
- Keyword: Search a stream for a specific set of words
- Pattern: Search a stream for a regular expression match
- Keyword + Pattern: Search a stream for a regular expression if it contains any of a given set of keywords.
The Search parser uses three basic search methods:
- Keyword: Search a stream for a specific set of words.
- Pattern: Search a stream for a regular expression match.
- Keyword+Pattern: Search a stream for a regular expression if it contains any of a given set of key words.
Maxrecon=<max_size>Maxsearch=<max_ssearch_length>MatchLimit=<max_matches_per_stream Search Name Services=<service_id_list>Keywords=<keyword_list>|Pattern=<expression>Case=0|1 Proximity=<number_of_bytes>Recon=0|1 Raw=0|1
Parameters used in this command:
|autocheck||Automatically fixes all problems without prompting|
|header Only||Check/display the header of each file|
|chatty||Displays a hex dump of every object in the file (huge amount of data)|
|dump#-#||Indicates a zero-based object or range of objects in the file to output in hex to the console|
Following is an example of the command:
To check all NetWitness database files located in the Collection named Default. If any problems are found, the command will describe the problem and ask if you would like to fix it.
dbcheck C:\Documents and Settings\User\My Documents\NetWitness\ Investigations\Default\*.nw*