Filtering by keywords

Filter by keyword list

If you added keywords or keyword lists to your search in AXIOM Process, those lists and keywords appear as filtering options in AXIOM Examine. To refine your results even further, you can stack keywords or keyword lists. For information about adding keyword lists, see Adding keywords to a search.

The Keyword list filter is available in the Artifacts explorer.

  1. In AXIOM Examine, on the Filters bar, click Keyword lists.
  2. Select the keywords or keyword lists you want to filter on.
  3. Click Okay.

Import a keyword list

You can import a list of keywords, and then filter your evidence using those keywords.

  1. In AXIOM Examine, on the Filters bar, click Keyword lists.
  2. Click Add keywords.
  3. In the window that appears, select the type of keyword search you want to perform, then click Go to keyword list selection.
  4. Under Add keyword list files, click Add keyword list.
  5. Browse to the keyword list you want to import.
  6. Click Open.
  7. Click Go to keyword configuration.
  8. Configure how you want to process the keywords you have added, then click Analyze evidence.

Search by keyword

You can search the evidence using keywords or search terms to only show the items that contain those keywords. You can type a keyword that acts as a filter on the evidence. Keywords can include letters, numbers, or both letters and numbers. When a match occurs, AXIOM Examine highlights the matching text in Evidence and in Details.

You can search for keywords in the Artifacts explorer, the File system explorer, and Registry explorer.

  • In the Artifacts explorer, AXIOM Examine searches all fragments (except for date and time fragments), and content of media and documents for the keyword.
  • In the File system explorer, AXIOM Examine searches only within an item's file path for keyword matches—it doesn't search the contents of the file.
  • In the Registry explorer, you can complete an advanced search by keys, values, and data and specify to match the whole string or match case.

You can search for keywords in the Artifacts explorer:

In the Artifacts explorer, AXIOM Examine searches all fragments (except for date and time fragments), and content of media and documents for the keyword.

To search by keyword, do the following:

  1. In AXIOM Examine, on the Filters bar search box, provide the keyword you want to filter on.
  2. Click Go.

Search by keyword using advanced search options

When you search the evidence in the Artifacts explorer using an advanced keyword search, you can search using multiple words or search terms and choose whether you want to see results for all (and "AND" search) or any (and "OR" search) of the search terms. For each keyword that you specify, you can choose to show only the items that include or exclude that word. You can further specify if you want to search for the whole word only, match the case, and search for the term if it appears near another word or set of characters..

To search by keyword using advanced search options in the Artifacts explorer, do the following:

  1. In AXIOM Examine, on the Filters bar, click Advanced.
  2. Select the Search terms option.
  3. In the Search by term section, select whether you want to include or exclude the search term, and then provide the keyword you want to filter on.
  4. To search for the term if it appears near another word or set of characters, select Is located near another term and provide the details for the secondary term.
  5. To search for the whole word rather than partial instances, select Find whole word only.
  6. To search for instances of the word with the same letter case, select Match case.
  7. To add another search term, click Add another term. Choose whether you want to see results for all or any of the search terms, and then complete Steps 3-6.
  8. Optionally, select the Exclude source path in search option.
  9. Click Search.

Search by regular expression

Search by regular expression (regex) to narrow your search results. AXIOM Examine supports the .NET regex format.

  1. In AXIOM Examine, on the Filters bar, click Advanced.
  2. Select the Regex pattern matching option.
  3. In the Regex field, provide the regular expression you want to filter on.
  4. Optionally, select the Exclude source path in search option.
  5. Click Search.

Search by keyword snippet

You can filter by keyword snippets to see all of the evidence—not just artifacts—that contains a specific keyword. If you turned on keyword search for all content when you set up your case in AXIOM Process, any keyword with a result appears in Keyword snippets. To provide additional context, the keyword snippet includes the 50 bytes that appear before and after the keyword. For more detailed information about a specific keyword result, click the source link to go to the original file.

  1. In the Artifacts explorer, under expand the Keyword snippets artifact category.
  2. Click the keyword that you want to refine your results with.