Search Criteria





The Search Criteria page is where you enter all of the criteria for a search. It is divided into two tabs, Document Search and Email Search, and the criteria categories described below.

Document Search Tab

Use the document search tab to search across all documents including loose files, email and attachments.

Email Search Tab

Use the email search tab to search email content only (.msg, .eml, .emlx). This tab adds five fields: To, From, CC, BCC and Subject.

Service

An endpoint may be searched on its own or as part of a group of endpoints. Previously created group names appear in the endpoint drop-down list. New groups can be created, and existing ones edited, with the gear icon at the end of the drop-down list. See Managing Groups

Content

A keyword may be a single word or a group of words. Previously created keyword groups appear in the drop-down list, where they can be selected. See Managing Keywords




File

File Name 

You may search by a specific file name or by a group of file names. Previously created file name groups appear in the drop-down list, where they can be selected. Once a group has been created and named, you can add individual file names to it or import a text file containing a list of file names.

File names must include the file extension.

Example: filename.pdf

See Managing Groups

File Owner

During the index phase, Interrogate automatically builds a list of every file owner it encounters. All available file owners are shown in the available grid. Previously created file owner groups appear in the drop-down list, where they can be selected.

Hash

A file hash acts as a fingerprint of a file's contents: any change to the content produces a different hash, so a hash identifies a specific version of a file on a system. Interrogate accepts MD5 or SHA-1 values. It is pre-populated with an extensive list of known malware Indicators of Compromise (IOCs), which can be selected from the drop-down list; all pre-populated IOCs are valid MD5 or SHA-1 hashes. You may create your own hash groups by entering valid MD5 or SHA-1 values, or by importing a text file containing the hashes you want. One caveat: both MD5 and SHA-1 are broken against deliberate collisions (two different files can be crafted to share a hash), so a hash match is a reliable way to find copies of a known file but is not proof of uniqueness against an adversary.
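As an added illustration (not Interrogate's own code or its import format), the following Python script validates a text-based hash list the way a Hash group import needs to: it accepts 32-hex-character MD5 and 40-hex-character SHA-1 values, rejects everything else (including a 64-character SHA-256 digest, which the page says is not supported) and normalises case, then hashes a few constructed files and reports which of them match the group. The list format (one hash per line, "#" starts a comment), the group contents and the file names are assumptions made for the example.

```python
import hashlib
import os
import re
import tempfile

# Digest lengths Interrogate accepts: 32 hex characters (MD5) or 40 (SHA-1).
ACCEPTED_LENGTHS = {32: "md5", 40: "sha1"}

# Constructed hash group for this example, not real malware indicators.
# Assumed list format: one hash per line, '#' starts a comment.
SAMPLE_HASH_LIST = """\
# hash group: example-group (constructed)
5D41402ABC4B2A76B9719D911017C592          # MD5 of b"hello", uppercase on purpose
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  # SHA-1 of b"hello"
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  # 64 hex chars (SHA-256): rejected
not-a-hash
"""

def parse_hash_list(text):
    """Validate a hash list. Returns (accepted, rejected): accepted maps
    lower-case hex digest -> algorithm, rejected lists (line_no, raw_line)."""
    accepted, rejected = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        value = raw.split("#", 1)[0].strip()
        if not value:
            continue
        if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) in ACCEPTED_LENGTHS:
            accepted[value.lower()] = ACCEPTED_LENGTHS[len(value)]
        else:
            rejected.append((line_no, raw))
    return accepted, rejected

def hash_file(path):
    """Stream a file once and return its (md5, sha1) hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def match_files(paths, hash_group):
    """Return {path: (algorithm, digest)} for files whose MD5 or SHA-1 is in the group."""
    hits = {}
    for path in paths:
        for digest in hash_file(path):
            if digest in hash_group:
                hits[path] = (hash_group[digest], digest)
                break
    return hits

def demo():
    """Write three constructed files to a temp dir and return the names of those that match."""
    group, rejected = parse_hash_list(SAMPLE_HASH_LIST)
    for line_no, raw in rejected:
        print(f"line {line_no} rejected: {raw.strip()}")
    with tempfile.TemporaryDirectory() as tmp:
        contents = {"hello.txt": b"hello", "hello2.txt": b"hello!", "empty.bin": b""}
        paths = []
        for name, data in contents.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            paths.append(path)
        hits = match_files(paths, group)
        return sorted(os.path.basename(p) for p in hits)

if __name__ == "__main__":
    print("matched:", demo())
```

Only hello.txt matches: hello2.txt differs by a single byte and so shares neither digest, which is the exact-content nature of hash matching. Rejecting malformed lines rather than silently skipping them matters in practice, because a truncated or SHA-256 entry in an imported IOC list would otherwise never match anything and the gap would go unnoticed.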


Extension

You may search any endpoint for files with specific extensions. Previously created extension groups appear in the drop-down list, where they can be selected. Interrogate is pre-populated with over 3000 file extensions to choose from; the extension list appears once you have created and named an extension group.






File Path

You may enter a file path to restrict the search to a specific location. This is useful for explicit paths on individual endpoints or file shares. Note: operating systems differ in the path separator they use, but Heureka's file path search accepts either a forward slash or a backslash ("/" or "\"). Currently only one path can be entered in the File Path field.

File Path example: you want to search the folder named "Documents" on the desktop of Roger's Windows computer:
File Path: C:\Users\roger\Desktop\Documents


Folder Path

If you leave the subfolders off the end of your file path, the contents of that folder and all of its subfolders are returned. For example, if there were a subfolder called "Sensitive" inside Roger's Documents folder, its contents would be returned along with everything else under Documents.
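An added example (not Heureka's implementation) of the two path behaviours described above: either slash is accepted, and a path entered without subfolders matches everything beneath it. The comparison is made per path component, so searching Documents does not also return a sibling folder named Documents2, which a plain string-prefix match would. The index list is constructed, and the case-insensitive default is an assumption chosen to suit Windows paths.

```python
# Constructed index of endpoint file paths (not real data), mixing the
# slash styles the search accepts.
INDEX = [
    r"C:\Users\roger\Desktop\Documents\budget.xlsx",
    "C:/Users/roger/Desktop/Documents/Sensitive/plan.docx",
    r"C:\Users\roger\Desktop\Documents2\notes.txt",
    r"C:\Users\roger\Desktop\old-documents\archive.zip",
    "/home/roger/Desktop/Documents/todo.txt",
]

def components(path, case_sensitive=False):
    """Split on either slash into path components; drop empty and '.' parts.
    Case-insensitive by default (an assumption, to suit Windows paths)."""
    parts = [p for p in path.replace("\\", "/").split("/") if p not in ("", ".")]
    return parts if case_sensitive else [p.lower() for p in parts]

def in_folder(folder, path, case_sensitive=False):
    """True when path lies inside folder or any of its subfolders."""
    want = components(folder, case_sensitive)
    have = components(path, case_sensitive)
    return len(have) > len(want) and have[:len(want)] == want

def same_file(file_path, path, case_sensitive=False):
    """True when both strings name the same file, whichever slash they use."""
    return components(file_path, case_sensitive) == components(path, case_sensitive)

def search_path(criteria, index, case_sensitive=False):
    """Return the index entries an explicit file path or a folder path should hit."""
    return [p for p in index
            if same_file(criteria, p, case_sensitive) or in_folder(criteria, p, case_sensitive)]

if __name__ == "__main__":
    for hit in search_path(r"C:\Users\roger\Desktop\Documents", INDEX):
        print(hit)
```

Run as-is it lists budget.xlsx and Sensitive/plan.docx but neither Documents2 nor old-documents; pass case_sensitive=True when the endpoint is a Linux or macOS host whose file system distinguishes case.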


Date

Start Date

You may select a start date to narrow your results. Type the date or pick it from the built-in calendar.

End Date

You may select an end date to narrow your results. Type the date or pick it from the built-in calendar.


Patterns (Tags)

During the index phase the endpoint service automatically identifies Social Security numbers and major credit card numbers. The Patterns quick filters let you restrict a search to one type of pattern and return only that information. For example, to return only credit card content, set your normal criteria and then tick the "Credit Cards" checkbox in the Patterns drop-down list; only results that match your criteria and also contain credit card numbers are returned.
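The page does not describe how the indexer recognises these patterns, so the following Python example is added here (it is not Interrogate's code) to show the checks a practitioner would expect behind such a tag: a digit-run regex for card numbers combined with the Luhn checksum that all major brands use, and an SSN regex filtered by the structural rules the Social Security Administration publishes (area 000, 666 and 900-999, group 00 and serial 0000 are never issued). Without the checksum and structural filters, order numbers and placeholder values would be tagged too. The sample text is constructed; 4111 1111 1111 1111 is a standard test card number.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with hyphens; the structural rules below cut false positives.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_ok(digits):
    """Luhn mod-10 checksum: double every second digit from the right,
    subtract 9 when the doubled value exceeds 9, and require a total divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def tag_content(text):
    """Return {tag: [matches]} for the pattern tags found in text."""
    found = {"Credit Cards": [], "Social Security": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found["Credit Cards"].append(digits)
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found["Social Security"].append(m.group())
    return {tag: hits for tag, hits in found.items() if hits}

# Constructed sample document; 4111 1111 1111 1111 is the standard Visa test number.
SAMPLE_TEXT = """\
Invoice 2024-0331 for Roger.
Card on file: 4111 1111 1111 1111 (exp 12/27)
Fallback card: 4111-1111-1111-1112
Order ref 1234567890123
Employee SSN 123-45-6789; placeholder 000-12-3456
"""

if __name__ == "__main__":
    print(tag_content(SAMPLE_TEXT))
```

On the sample the only card tagged is the test number: the "fallback" value fails Luhn and the 13-digit order reference fails it as well, and the 000-prefixed SSN placeholder is dropped by the structural rule. Luhn is a checksum, not proof that a number is a live card, so a tag still needs human review before anything is treated as a confirmed finding.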


Tags - File Exceptions

Each endpoint indexer may encounter errors or exceptions while indexing. When this happens, the indexer automatically applies an "exception tag" to the affected file. To build an exception report, use the Tags > File Exceptions checkboxes to search for only the files carrying those exceptions.

Two exception tags are of particular interest to most users. The first, ENCRYPTED, identifies the files that are encrypted or password protected on each endpoint, so you can decide how to handle them. Users in the legal/e-discovery space may want to collect these files for offline password cracking.

The second is IMAGE-ONLY PDF. If the indexer finds a PDF that consists only of images, with no extractable text, it tags the file on the endpoint. To run offline OCR on image-based PDFs, search with the IMAGE-ONLY PDF exception tag, then collect the files and move them to an OCR platform. Because the indexer could not read the text inside either kind of file, keyword and pattern searches cannot see their contents; the exception tags are the way to locate them.


Tags - User Defined

Tag groups can be created by the user and may contain any manually entered tag as well as any tag imported via the tag library. Tag groups work exactly like all other groupings on the Search Criteria page.

Deleted Files

During each index phase, the endpoint service keeps track of files that have been deleted on each endpoint. To be flagged as deleted, a file must actually have been removed from the recycle bin or trash. Files that remain in the recycle bin or trash are identified as such in the local file path column of the results grid.

By default, deleted files are NOT returned by a search. You must select the Deleted Files flag in Quick Filters to include them.

If selected, deleted files show a Deleted flag on the results page.