Foresee is the most powerful existing tool for forensic search.
This tool provides more than simple word searching: smart multilingual pattern recognition, even when the pattern is stored in some exotic format and you have no tool to view the file or free area as text and read it.
Potentially, Foresee can search any block-based or streamed data. This makes the implemented algorithms and technology source-independent and allows them to be used in any kind of business.
Several built-in data viewers are supplied too, so users can read office documents, mail and so on without installing additional software; this avoids spending time searching for and installing large, expensive applications and training personnel only to read the searched material. Foresee has a simple, user-friendly interface, so even non-computer professionals can use the application without difficulty. Many language and language-based plug-ins are under development, so customers can choose only the plug-ins they need for their Foresee systems. Foresee allows fine tuning of searches, exporting found data into separate directories, generating HTML reports, using multiple CPUs and many other useful features. Let's go over the common features.
Project types and search parameters.
Users can search in files and free areas of healthy volumes formatted as FATx or NTFS. For a first-stage "Quick & Dirty" search, users can use the Simple search project type and manually define include/exclude directories, file masks and times. This type of search finds all patterns in all accessible files (subject to the file masks and times) in the folders defined when the search project was created or modified. Users may also decide to search inside archived files; this is implemented using WinRAR installed on the customer's computer, so all file types WinRAR can open are searchable by Foresee.
Another project type is Advanced search. In this case all files on the volume are searched, and all unused clusters and file slack are searched too. If the volume is formatted as NTFS, Foresee will try to decompress free clusters using the NTFS compression algorithm in order to find deleted compressed files.
Foresee allows the user to write their own set of rules for how to search in files, called a script. Actually, it is a simple enumeration of these rules. Each rule consists of a word, called a pattern.
Users can put brackets in their rules, and three logical operators are supported: and, or and not. It is no more complicated than using well-known internet search engines. Here is an example of a simple script, which doesn't even need a detailed description:
'Hello' or 'forward' or 'declaration' or 'transfer' or ('@mitsy.com' and '@microsoft.com')
To avoid false alarms Foresee provides false-hit filters, which judge in their own way whether a hit is genuine, and word-delimiter settings, which control whether the whole word or only part of it must be found. Users who are not familiar with script writing can use the Script wizard to import pattern words from Microsoft Office Excel or Microsoft Office Word, or to input words manually.
Naturally, search patterns (words) may be written in different languages.
Foresee supports a virtually unlimited set of languages. The ability to search in a specific language is implemented as a plug-in, so each user can choose between several sets of language plug-ins according to the locale of the material being searched.
Each language plug-in contains data about the different formats for storing text in that language, for example Windows/Unicode/EBCDIC…; the user may manually select the formats to use in a specific search project. Language-based plug-ins are also supported, for example the date search plug-in. With this plug-in users can search for dates in any format based on the installed language plug-ins: "12 Jan 2003", "January 12, 2003", "01/12/2003" are English-based patterns; "03 לינואר 12", "2003 ינואר 12" are Hebrew-based patterns.
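What a language plug-in contributes, in practice, is the set of byte encodings a pattern may have on disk, and what a language-based plug-in such as the date plug-in contributes is a pattern family rather than a literal word. The block below is an added example, not Foresee's plug-in format: it models an English plug-in as three codecs (Windows code page 1252, UTF-16LE for Unicode, code page 037 for EBCDIC), finds a literal word in every format by raw byte search, and finds the three English date formats named above by decoding the buffer in each format and mapping character positions back to byte offsets. The sample buffer is constructed for the example and deliberately places the UTF-16 text at an odd byte offset to show the alignment problem.

```python
import re
from dataclasses import dataclass

# Assumed plug-in data for this example: language -> {format name: Python codec}.
LANGUAGE_FORMATS = {
    "English": {"Windows": "cp1252", "Unicode": "utf-16-le", "EBCDIC": "cp037"},
}

# The three English-based date formats from the text: "12 Jan 2003",
# "January 12, 2003", "01/12/2003".
MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*"
DATE_RE = re.compile(
    rf"\b\d{{1,2}} {MONTHS} \d{{4}}\b"
    rf"|\b{MONTHS} \d{{1,2}}, \d{{4}}\b"
    rf"|\b\d{{2}}/\d{{2}}/\d{{4}}\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Hit:
    pattern: str      # the text that matched
    fmt: str          # storage format it was found in
    offset: int       # absolute byte offset in the unit
    length: int       # length in bytes


def find_literal(data, word, language):
    """Encode the word in every format of the language and search the raw bytes.
    Byte search is alignment-agnostic, so UTF-16 text at an odd offset is still found."""
    hits = []
    for fmt, codec in LANGUAGE_FORMATS[language].items():
        needle = word.encode(codec)
        start = 0
        while (idx := data.find(needle, start)) != -1:
            hits.append(Hit(word, fmt, idx, len(needle)))
            start = idx + 1
    return hits


def find_dates(data, language):
    """Regex-based search for the date plug-in. The buffer is decoded in every format
    at every byte alignment of that format's character width (2 for UTF-16LE),
    and match positions are mapped back to byte offsets.
    Assumption: the codecs are fixed width, which holds for cp1252, cp037 and
    UTF-16LE text without surrogate pairs."""
    hits = []
    for fmt, codec in LANGUAGE_FORMATS[language].items():
        width = len("a".encode(codec))
        for align in range(width):
            text = data[align:].decode(codec, errors="replace")
            for m in DATE_RE.finditer(text):
                hits.append(Hit(m.group(0), fmt, align + m.start() * width,
                                (m.end() - m.start()) * width))
    return hits


# Constructed sample unit: the same word stored as Windows text, as UTF-16LE at an
# odd offset, and as EBCDIC, plus one date in each of two formats.
SAMPLE = (
    b"\x00" * 8
    + "transfer on 12 Jan 2003".encode("cp1252")     # offset 8, date at 20
    + b"\x00\x00"
    + "transfer".encode("utf-16-le")                 # offset 33 (odd)
    + "transfer".encode("cp037")                     # offset 49
    + b"\x00\x00"
    + "January 12, 2003".encode("utf-16-le")         # offset 59
    + b"\x00" * 4
)

if __name__ == "__main__":
    for h in find_literal(SAMPLE, "transfer", "English") + find_dates(SAMPLE, "English"):
        print(f"{h.offset:6d} {h.fmt:8s} {h.pattern!r}")
```

A single-encoding search of the same buffer would report only the cp1252 copy of the word; the two other copies and the UTF-16 date are exactly the material the text describes as unreadable without the right format selected.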
Search results can be viewed and analysed immediately after a file (or free area) has been searched. Found results, AKA hits, are grouped by search unit (file, free area), and a detailed hit list with pattern offsets is also provided. The user can review an entry in several ways (as text or HEX) by double-clicking the hit. The adaptive text viewer displays any type of data as text, which allows text patterns to be located inside complex data formats where text and binary data are stored mixed. The user can write and store remarks associated with each hit separately; each remark contains the user name, time and an additional free-text message.
The results can be saved as a Foresee search project file or exported as an HTML report. The files (free areas) can also be copied into a separate directory for future use. When exporting free areas/slack, users can choose between storing these areas "as is" as raw data, or creating text files containing the adaptive text or HEX view of the exported areas.
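The block-based scanning mentioned at the start, the hit list grouped by search unit with pattern offsets, and the adaptive text / HEX views used for review and export fit together in one small scanner. This is an added example written for this page, not Foresee's implementation: units are a constructed dictionary of name to bytes, blocks are read through a file-like object with an overlap equal to the longest pattern minus one byte so that a pattern straddling a block boundary is found exactly once, and the two view functions render any bytes as text (non-printables shown as '.') or as a hex dump. The 16-byte block size is only for the demonstration.

```python
import io
import string

# Bytes the adaptive text view shows as themselves; everything else becomes '.'.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def scan_stream(stream, patterns, block_size):
    """Scan a byte stream block by block and return [(pattern, absolute offset), ...].
    The last len(longest pattern) - 1 bytes of each round are carried into the next,
    so a pattern crossing a block boundary is still seen whole; a hit that starts
    inside the carried tail is deferred to the next round so it is reported once."""
    if not patterns:
        return []
    keep = max(len(p) for p in patterns) - 1
    if block_size <= keep:
        raise ValueError("block_size must be larger than the longest pattern minus one")
    hits, carry, base = [], b"", 0          # base = absolute offset of buf[0]
    while True:
        block = stream.read(block_size)
        buf = carry + block
        limit = len(buf) if not block else len(buf) - keep   # final pass accepts all
        for pat in patterns:
            start = 0
            while (i := buf.find(pat, start)) != -1 and i < limit:
                hits.append((pat, base + i))
                start = i + 1
        if not block:
            return sorted(hits, key=lambda h: h[1])
        base += len(buf) - keep
        carry = buf[len(buf) - keep:]


def search_units(units, patterns, block_size=16):
    """Group hits by search unit: {unit name: [(pattern, offset), ...]} for units with hits."""
    results = {}
    for name, data in units.items():
        hits = scan_stream(io.BytesIO(data), patterns, block_size)
        if hits:
            results[name] = hits
    return results


def adaptive_text(data):
    """Any bytes as text: printable ASCII kept, everything else shown as '.'."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in data)


def hex_view(data, base=0, width=16):
    """Classic hex dump lines: offset, hex bytes, adaptive text of the same bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        lines.append(f"{base + off:08x}  {hexpart:<{width * 3 - 1}}  {adaptive_text(chunk)}")
    return lines


# Constructed sample units: a file with a fake binary header, a free area, and a file
# with no hits. Both hits are placed so that they cross the 16-byte block boundary.
UNITS = {
    "report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 4 + b"please transfer the funds" + b"\x00" * 5,
    "free_area_0001": b"\xff" * 10 + b"declaration" + b"\x01\x02",
    "notes.txt": b"nothing relevant here",
}
PATTERNS = [b"transfer", b"declaration"]

if __name__ == "__main__":
    for unit, hits in search_units(UNITS, PATTERNS).items():
        print(unit, hits)
        for line in hex_view(UNITS[unit]):
            print("   ", line)
```

Exporting a free area "as is" corresponds to writing the raw bytes; the text and HEX export options correspond to writing the output of adaptive_text and hex_view instead.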
The purpose of this White Paper is to present details of the Foresee application, to convey the general simplicity of using Foresee, and to show the power of the Foresee search engine.
We walked through all the common stages of Foresee usage. We began by determining the search project type, where the user defines the searchable areas and file filters; then we looked into Foresee script writing and examined the script creation methods. Next, we checked the multilanguage support and saw that Foresee's language and language-based plug-ins are an advanced forensic feature that allows searching complex patterns as easily as simple words. Finally, we explored Foresee's results-viewing facilities and saw that we can see lists of files and free areas where the patterns were found (called hits), explore each hit entry, view the found file/free-space area as text or HEX, export found hits, etc.
Based on all this information it is natural to conclude that Foresee provides state-of-the-art search technology allowing any data to be found, with the only condition that the data be present on the disk.