VI. Filters

Owned by Zachary Maiorana
Last updated: Sept 04, 2024
2 min read

One of the strongest FTK features is the ability to filter file lists by file metadata using Boolean operators. Use the filter manager dialog to apply, create, import, export, and delete filters. Filters are best used for large file lists with more than a few dozen files. Filters can quickly reduce large file lists of hundreds of thousands of items.

Three filters are commonly used for processing large file lists including many disks or entire hard drives. _SCL-Basic and _SCL-UnknownFiles are custom filters to remove system files, file slack, and unknown file types. Add these filters to the “Exclude” list. The third filter, No Duplicates, removes any items flagged as duplicate items in FTK. Add No Duplicates to the “Include” list.

Contents

Contents

Filter manager

The Filter manager can be used to apply any compound formation of filters to the file list. Using the filter dialog, a user can create, edit, duplicate, export, and import filters. Use the arrow buttons to move filters to the “Include” and “Exclude” lists. The “Include” and “Exclude” lists can be programmed to interpret the filters as “AND” Boolean, where only files where all filters are true will be shown, or “OR” Boolean, where files meeting any filter will be affected.

editing-filter-dialog.jpg
Figure 1. The Filter Manager dialog.

Filter definition

The most precise filter work must be performed in the filter definition dialog. By clicking “Define…” in the filter manager, the filter definition dialog opens regarding the selected filter. Add properties, operators, and criteria to control the rules for the given filter. A filter can include as many or as few rules as needed. Check or uncheck rules to activate or deactivate their conditions.

Figure 2. Filter Definition dialog for the  _SCL-Basic filter.

Given the breadth of indexed metadata fields in FTK, filtering can be highly precise and powerful. The below example uses the file list from the Overview tab containing all files in a case with more than a hundred thousand files. Using filters to strip duplicates, remove unnecessary system files, and select only JPEG EXIF images produced in the United States, the filtered product shows 79 files that are photographs created in the United States.

Figure 3. The filter manager dialog in this example shows the configured filters. The Filter Defintion dialog shows the rules configured for the USA filter.

Figure 4. The above filters applied to all items in the case. Note that the total file count of 119,140 in the Case Overview tree has been reduced to 79. Note also that applying filters changes the color of the file list to yellow.

Figure 5. In the filter bar, use the funnel icon to enable and disable filters temporarily.

 

 

 

Copyright © 2024 The President and Fellows of Harvard College * Accessibility * Support * Request Access * Terms of Use