Searching

Searching is possible on the whole forensic image or, if a volume is selected, within that volume only.

There are two types of searches: by byte values or by text representation.

The byte value search expects the user to enter a byte sequence in hexadecimal. The text value search accepts character sequences in ASCII (1 byte long) or UNICODE (2 bytes long).

For byte or UNICODE text searches, the endianness can be specified.

It is possible to speed up the search process by specifying the use of sector boundaries. In this case, the searched items are only looked for at the beginning of each sector or at a fixed bias relative to the sector start.

Examples:

NTFS volume boot records always contain the « NTFS » ASCII sequence at offset 3. The search can then be done using text search, checking « sector Boundaries » and setting the « bias from sector » to 3.

Master boot records and most volume boot records usually end with the 0x55AA bytes. These « last » sector bytes are located at offsets 510 and 511 relative to the sector start. Searching a drive for such an MBR or VBR becomes easy: the « sector Boundaries » option has to be checked and the « bias from sector » set to 510.
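
The sector-boundary search described above, as an added example (this is not tyrhex's own code): Python code that compares a pattern only at a fixed bias inside each sector of a raw image, with the text term encoded as ASCII or 2-byte UNICODE in either endianness. The 512-byte sector size, the function names and the four-sector sample image are assumptions constructed for illustration.

```python
import io

SECTOR_SIZE = 512  # assumed sector size for this example

def encode_term(text, unicode16=False, big_endian=False):
    """Turn a text search term into the byte sequence to look for."""
    if not unicode16:
        return text.encode("ascii")
    return text.encode("utf-16-be" if big_endian else "utf-16-le")

def search_at_sector_bias(image, pattern, bias, sector_size=SECTOR_SIZE):
    """Return the sector numbers whose bytes at `bias` equal `pattern`."""
    if bias < 0 or bias + len(pattern) > sector_size:
        raise ValueError("pattern must fit inside one sector")
    hits = []
    sector = 0
    while True:
        # One small read per sector instead of scanning every byte.
        image.seek(sector * sector_size + bias)
        chunk = image.read(len(pattern))
        if len(chunk) < len(pattern):  # end of image or truncated last sector
            return hits
        if chunk == pattern:
            hits.append(sector)
        sector += 1

def build_sample_image():
    """Constructed image: MBR-like, NTFS VBR-like, decoy data, empty sector."""
    sectors = [bytearray(SECTOR_SIZE) for _ in range(4)]
    sectors[0][510:512] = bytes.fromhex("55AA")       # boot signature only
    sectors[1][3:7] = b"NTFS"                         # ASCII sequence at offset 3
    sectors[1][510:512] = bytes.fromhex("55AA")
    sectors[2][100:104] = b"NTFS"                     # decoy: same text, wrong offset
    sectors[2][200:208] = "NTFS".encode("utf-16-le")  # 2-byte UNICODE form
    return b"".join(bytes(s) for s in sectors)

if __name__ == "__main__":
    img = io.BytesIO(build_sample_image())
    print("NTFS at bias 3:", search_at_sector_bias(img, encode_term("NTFS"), 3))
    print("55AA at bias 510:", search_at_sector_bias(img, bytes.fromhex("55AA"), 510))
```

An unrestricted search for « NTFS » in this sample image would also match the decoy in sector 2; restricting the comparison to bias 3 leaves only the boot record candidate.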

tyrhex © Yves Vandermeer  2015-2017   #tyrhex