iFilter integration and checksum search

commandline
Posts: 1
Joined: Mon Apr 05, 2021 8:58 am

iFilter integration and checksum search

Post by commandline » Mon Apr 05, 2021 9:07 am

VoidTools - Everything appears to be a sensible tool to consider for cyberforensics.

The only downside is the lack of content search; to this end I seek how to extend the functionality using iFilters.

Essentially, the search functionality of Everything will show up the kind of files we need to identify based on the file type and/or extension or checksum value (MD5/SHA-1/SHA-256). Only in a second step, where files are already filtered, searching contents makes sense.

To this end I hope to better understand how to enable iFilter for voidtools so I can search contents for selected files; this can be slower.

I hope to hear from you.

Thank you,

JL

void
Site Admin
Posts: 6531
Joined: Fri Oct 16, 2009 11:31 pm

Re: iFilter integration and checksum search

Post by void » Mon Apr 05, 2021 9:14 am

To search with ifilters, use the content: search function.

For example:

*.pdf dm:thisyear content:"text in file search"

Note: File content is not indexed. Searching file content will be very slow.
For the best performance, combine the content: search with other search filters.

Please try the Advanced Search under the search menu and set the "A word or phrase in the file" field.
For the best performance, set as many fields in the Advanced Search as possible.

horst.epp
Posts: 401
Joined: Fri Apr 04, 2014 3:24 pm

Re: iFilter integration and checksum search

Post by horst.epp » Mon Apr 05, 2021 9:21 am

I don't understand this discussion?
The current Everything 1.5 alpha version has content indexing and uses IFilters for it.

therube
Posts: 2890
Joined: Thu Sep 03, 2009 6:48 pm

Re: iFilter integration and checksum search

Post by therube » Mon Apr 05, 2021 3:10 pm

You can add a column to display: MD5, SHA1, SHA512, or whatever.
(Right-click a column, Content -> SHA-1.)
If you keep that column outside of the current view, i.e., such that you have to scroll to the right to see it, it will (lazy) load the hashes, only as you bring them into view.

So if you search for Trains, then filter that search to Red Trains, then scroll to the right, the hashes for Red Trains will then display.

Alternatively...
Tools | Options | Indexes -> Properties -> Add... SHA-1

that will index all, or a subset of files (based on any filtering that you enter [in that dialog]).
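
Added example, not part of any post in this thread and not Everything's own code: a Python sketch of the staged triage the thread describes, where cheap name filters run first, hashes are computed only for the survivors, and the slow content scan runs last. The function names and sample files are constructed for illustration, and the content stage is a plain byte match rather than IFilter text extraction.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Hash in chunks so large evidence files are never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, extensions, known_hashes=None, phrase=None):
    """Return sorted (relative path, sha256) pairs, cheapest filter first."""
    exts = {e.lower() for e in extensions}
    needle = phrase.lower().encode() if phrase else None
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in exts:      # stage 1: name only, no reads
                continue
            digest = sha256_of(path)                 # stage 2: hash survivors only
            if known_hashes is not None and digest not in known_hashes:
                continue
            # Stage 3: slowest step; plain byte match, no IFilter text extraction.
            if needle and needle not in path.read_bytes().lower():
                continue
            hits.append((path.relative_to(root).as_posix(), digest))
    return sorted(hits)


def build_sample(root):
    """Constructed sample files standing in for an evidence folder."""
    root = Path(root)
    (root / "sub").mkdir()
    (root / "report.txt").write_bytes(b"Wire transfer to account 42")
    (root / "sub" / "copy.txt").write_bytes(b"Wire transfer to account 42")
    (root / "notes.txt").write_bytes(b"grocery list")
    (root / "blob.bin").write_bytes(b"wire transfer")  # wrong extension


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, digest in triage(tmp, {".txt"}, phrase="wire transfer"):
            print(digest[:16], rel)
```

Passing a set of known SHA-256 values as `known_hashes` narrows the result to matching files before any content scan runs.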
