To quickly find your file of interest search all files in a folder. You can also select the root folder in the File Tree view and make a search.

To search all files in a folder

1. Click the Tree button to open the file tree view.
2. Select a folder in the file tree view. You can also select a root folder.
3. In the ribbon, click the Find button.
4. Select what you are searching and type in the text box. You can choose to Include all subfolders.
5. Click Find All.

To get back to your search query, in the header click the button for your saved search.

1. In the file browser, select the file you want to analyze.
2. In the ribbon, click the magnifying glass or select Ctrl+F.
   • To browse through and to highlight found data segments in the Hex and ASCII columns, in the Find window, click the previous button and the next button .
   • To open a new tab that contains a list with all found data segments, in the Find window, click Find All.
   • To browse only in a selected data segment in the Hex and ASCII columns, select a start position in the Hex data column. To reset the start position, click Reset.

For information about how to bookmark specified data segments, see Bookmarks.

For information about how to define data segments as a new artifact properties, see New artifacts and artifact properties

1. In the Find window, in the Search for list, select Text.
2. In the text box, enter the character string you want to find.
3. In the Format list, select the character format you want to use, and then click any of the buttons that show search results.

1. In the Find window, in the Search for list, select Hex.
2. In the number box, enter the hexadecimal data you want to find, and then click any of the buttons that show search results.

Note: Do not enter spaces or the 0x prefix in the number box.

1. In the Find window, in the Search for list, select Find Strings.
2. In the Format list, select the character format you want to use, and then click any of the buttons that show search results.

Find segments that contain a variety of known file header signatures and automatically reconstruct and export image files to a folder on your computer.

1. In the Find window, in the Search for list, select File Signature.
2. Optionally, export the found JPG, GIF, PNG, WEBP, WAV, or AVI files. Select the Export to folder check box, and then click Browse. In the Browse for folder dialog box, browse to the folder you want to use, and then click OK.
3. Click any of the buttons that show search results.

Note: The endpoint of the reconstructed file is based on information in the file header about pixel size and bit depth. File fragmentation or flash storage auxiliary spare areas are not taken into account when the reconstructed file endpoint is calculated.

Tip: For decoded file systems on flash storage, searching for deleted files in the translation layer file subsystem often gives good results, because flash wear leveling and auxiliary spare areas will not have an effect on the files.

1. In the Find window, in the Search for list, select Reversed Nibble.
2. In the number box, enter the reversed hexadecimal nibble you want to find, and then click any of the buttons that show search results.

Tip: If you for example search for "36", you will find hexadecimal segments that contain "3X X6".

Tip: Reversed nibble search is of particular use for phone and IMSI numbers.

Note: Do not enter spaces or the 0x prefix in the number box.

1. In the Find window, in the Search for list, select Regex.
2. In the text box, using Regex syntax, type the character string you want to find.
3. If you want to use a greedy search algorithm, select the use greedy matching check box.
4. You can also select a start position in the Hex data column. To reset the start position, click Reset.
5. Click any of the buttons that show search results.
6. To save the Regex search, click the save or save as button.

For more information about Regular Expression syntax, visit www.boost.org.

For more information about greedy search algorithms, visit en.wikipedia.org/wiki/Greedy_algorithm.

You can create a list of words or characters that are of special interest, and then use the list to find segments that contain any of the items in the list. Separate each item with a row break, and save the list. This list will then be available to reuse in other investigations.

1. In the Find window, in the Search for list, select Dictionary.
2. In the Format list, select the character format you want to use.
3. Select the Use file option button, and then click Browse.
4. In the Open dialog box, browse to the file you want to use, and then click Open.
5. Click any of the buttons that show search results.

1. In the Find window, in the Search for list, select Dictionary.
2. In the Format list, select the character format you want to use.
3. Select the Use text box option button.
4. In the text box, separated with row breaks, enter the character strings or hexadecimal numbers you want to find.
5. Click any of the buttons that show search results.

1. In the Find window, in the Search for list, select timestamp.
2. Select the check boxes for the units of time you want to include in the specified timestamp.
3. In the number boxes, enter the time values you want to include in the specified timestamp.
4. Click any of the buttons that show search results.

Note: Timestamps use a 24 hour time format.

Note: Because of possible time zone issues, it is recommended to not include a specified hour when searching for timestamp data.