Search Parser
The Search Parser is a custom parser used to generate metadata by scanning for predefined keywords and regular expressions. The parser searches the payload of a reconstructed session for string matches and can execute a regular expression search. You configure the parser by editing the search.ini file.
Caution: The search parser can have a significant impact on system performance. Both the search mechanism and the data to which it is applied must be well understood before creating new search definitions and enabling the search parser.
The search definition is used across all protocols. There are three basic search methods:
- Keyword: Search a stream for a specific set of words
- Pattern: Search a stream for a regular expression match
- Keyword + Pattern: Search a stream for a regular expression if it contains any of a given set of keywords.
Search Methods
The Search parser uses three basic search methods:
- Keyword: Search a stream for a specific set of words.
- Pattern: Search a stream for a regular expression match.
- Keyword+Pattern: Search a stream for a regular expression if it contains any of a given set of keywords.
Syntax
Global limits come first; each search definition is then an INI section named after the search.
Maxrecon=<max_size>
Maxsearch=<max_search_length>
MatchLimit=<max_matches_per_stream>
[Search Name]
Services=<service_id_list>
Keywords=<keyword_list>|Pattern=<expression>
Case=0|1
Proximity=<number_of_bytes>
Recon=0|1
Raw=0|1
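The following is an added example, not code from the product: a small Python model of how the three search methods behave when applied to a reconstructed session payload, driven by constructed search.ini-style definitions. The section names, keyword lists, regular expressions, the sample payload and the exact Proximity semantics (a pattern match is kept only if it starts within Proximity bytes of a keyword hit) are all assumptions made for illustration. It shows why the Keyword+Pattern form is cheaper than Pattern alone: the regular expression is never evaluated on streams that contain none of the keywords, and Maxsearch and MatchLimit bound the work done per stream.

```python
import re

# Constructed search.ini-style definitions (example values, not from the product docs).
# Global limits come first, then one [section] per search definition.
SAMPLE_INI = r"""
MaxSearch=4096
MatchLimit=1

[Card Numbers]
Keywords=visa,card
Pattern=\b(\d{4}[ -]?){3}\d{4}\b
Case=0
Proximity=32

[Internal Hostname]
Pattern=corp-[a-z]+-\d+
Case=1

[SSN Candidates]
Keywords=ssn,social
Pattern=\b\d{3}-\d{2}-\d{4}\b
"""

# Constructed reconstructed-session payload (an HTTP request with a text body).
PAYLOAD = ("GET /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
           "visa card 4111 1111 1111 1111 on file; call corp-db-07 for ref "
           "9999 9999 9999 9999 via corp-web-01")


def parse_search_ini(text):
    """Return (global_settings, {section_name: settings}) from INI-style text."""
    globals_, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        (sections[current] if current else globals_)[key.strip()] = value.strip()
    return globals_, sections


def run_search(payload, defn, max_search, match_limit):
    """Apply one definition. Returns (matched strings, regex_was_evaluated).

    Semantics modelled here (an assumption about the engine, not its source):
    - Keywords only: report each keyword occurrence.
    - Pattern only: report each regex match.
    - Keywords + Pattern: run the regex only if a keyword is present, and keep a
      regex match only if it starts within Proximity bytes of a keyword hit
      (Proximity=0 disables the distance check).
    """
    hay = payload[:max_search]                      # Maxsearch bounds the work per stream
    flags = 0 if defn.get("Case", "0") == "1" else re.IGNORECASE
    keywords = [k.strip() for k in defn.get("Keywords", "").split(",") if k.strip()]
    pattern = defn.get("Pattern")
    proximity = int(defn.get("Proximity", "0"))

    kw_hits = []
    for kw in keywords:
        kw_hits += list(re.finditer(re.escape(kw), hay, flags))
    if keywords and not kw_hits:
        return [], False                            # keyword gate failed: regex never runs

    if not pattern:
        return [m.group(0) for m in kw_hits][:match_limit], False

    found = []
    for m in re.finditer(pattern, hay, flags):
        if keywords and proximity and not any(
                abs(m.start() - k.start()) <= proximity for k in kw_hits):
            continue                                # pattern hit too far from every keyword
        found.append(m.group(0))
        if len(found) >= match_limit:               # MatchLimit caps per-stream output
            break
    return found, True


def run_all(payload, ini_text):
    """Run every definition in the INI text against one payload."""
    globals_, sections = parse_search_ini(ini_text)
    max_search = int(globals_.get("MaxSearch", str(len(payload))))
    match_limit = int(globals_.get("MatchLimit", "0")) or len(payload)
    return {name: run_search(payload, d, max_search, match_limit)[0]
            for name, d in sections.items()}


if __name__ == "__main__":
    for name, hits in run_all(PAYLOAD, SAMPLE_INI).items():
        print(f"{name}: {hits}")
```

With these inputs the Card Numbers definition reports only the number next to the "card" keyword; the second number in the body is 58 bytes from the nearest keyword and is dropped by the Proximity check, and the SSN definition never compiles its regex because neither keyword occurs. Raising MatchLimit or setting Proximity=0 widens what is reported, which is exactly the trade-off the caution above is about.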
Parameters
Parameters used in this command:
Parameter | Description |
---|---|
autocheck | Automatically fixes all problems without prompting |
header Only | Check/display the header of each file |
chatty | Displays a hex dump of every object in the file (huge amount of data) |
dump#-# | Indicates a zero-based object or range of objects in the file to output in hex to the console |
Example
The following command checks all NetWitness database files located in the Collection named Default. If any problems are found, the command describes the problem and asks whether you would like to fix it.
dbcheck C:\Documents and Settings\User\My Documents\NetWitness\Investigations\Default\*.nw*