Generate keyword lists from files that have been parsed. Make sure the keyword search term is unique to avoid sorting through too many false positives.
When attempting a keyword search of the entire device, the keyword search should be initiated from the device physical image (in Cellebrite Physical Analyzer) if present. When using Oxygen Forensic Detective, the “search within file content” selection should be chosen. Both Autopsy and Axiom allow for keyword lists to be added prior to and after image parsing is complete and also support individual keyword searching capability.
Search for keywords that conform to certain patterns by conducting a grep search across the entire device or across a file or database of interest. In the example below, the entire physical image of the device is searched with a regular expression that matches strings meeting the following criteria:
one or more of any number, letter, or special character contained in the first set of brackets, followed by the @ symbol, followed by one or more of any number, letter, or special character contained in the second set of brackets, followed by a period [.] and ending in 3 letters (uppercase or lowercase).
[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[A-Za-z]{3}
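The same pattern search can be reproduced outside the forensic suites to confirm where a hit sits in the image. The Python sketch below is an added example, not code from this page or from any of the tools named above: it runs the page's expression over a raw image in fixed-size reads and reports the byte offset of each hit. The function names, the chunk and overlap sizes, and the sample bytes are assumptions constructed for illustration.

```python
import io
import re

# Pattern from the page, compiled for bytes so it runs over raw image data.
EMAIL_RE = re.compile(rb"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[A-Za-z]{3}")

def scan_image(stream, chunk=1 << 20, overlap=320):
    """Return [(byte_offset, hit), ...] for every pattern hit in a binary stream.

    chunk and overlap are assumed defaults. A candidate that starts in the last
    `overlap` bytes of the buffer is held back until the next read, so a hit
    that straddles a read boundary is reported once and in full. Runs longer
    than `overlap` may still be cut.
    """
    hits, buf, base = [], b"", 0
    while True:
        block = stream.read(chunk)
        eof = not block
        buf += block
        limit = len(buf) if eof else max(len(buf) - overlap, 0)
        keep_from = limit
        for m in EMAIL_RE.finditer(buf):
            if m.start() >= limit:
                break  # too close to the boundary, rescan after the next read
            hits.append((base + m.start(), m.group().decode("ascii")))
            keep_from = max(keep_from, m.end())
        if eof:
            return hits
        base += keep_from       # absolute offset of the bytes carried forward
        buf = buf[keep_from:]

def sample_image():
    """Constructed test data: addresses embedded in filler bytes."""
    return (b"\x00" * 100 + b"alice@example.com" + b"\x00" * 50
            + b"bob@example.info" + b"\xff" * 20 + b"carol@example.uk" + b"\x00" * 30)

if __name__ == "__main__":
    # Small reads force the boundary handling to be exercised.
    for offset, hit in scan_image(io.BytesIO(sample_image()), chunk=64, overlap=32):
        print(f"0x{offset:08x}  {hit}")
```

On the constructed sample the scan reports alice@example.com in full, bob@example.info only as bob@example.inf, and nothing for carol@example.uk, because the expression requires exactly 3 letters after the final period it matches. Review each hit against the surrounding bytes at the reported offset before adding it to a keyword list.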