Hex dump search tips

When you’re searching for anything (and let’s face it, it’s normally a set of keys, isn’t it?!), it always helps to know what you’re looking for. That sounds pretty obvious, but it’s very relevant for forensic examiners searching large volumes of data. For example, finding SMS messages in a hex dump of some Samsung handsets is far simpler once you know that the keyword “DEADBEEF” appears within the memory dump in between SMS messages. Suddenly, finding deleted text messages gets a whole lot easier!

One question that often crops up during training courses and conference presentations is, “Where can I go to find out what these search terms and keywords are?” Up until now, there hasn’t been a good answer to that question, which is why we are now providing a page on the Control-F website to help people like yourselves find evidence more quickly.

The new page provides information on key types of data that you might want to search a memory dump for (e.g. ICCIDs, MMS messages etc.) along with different encoding schemes that we’ve encountered and search terms or regular expressions to save you time.
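To show what such search terms look like in practice, here is an added example (not code from the Control-F page) that scans a dump for the “DEADBEEF” marker and for ICCIDs in two encodings. It assumes the marker may be stored either as the raw bytes DE AD BE EF or as ASCII text, and that ICCIDs begin with 89 and appear either as ASCII digits or as nibble-swapped BCD, the form used on the SIM; all function names and the sample dump are constructed for illustration.

```python
import re

# Assumption: the page does not say how "DEADBEEF" is stored, so look for
# both the raw bytes DE AD BE EF and the ASCII text.
MARKERS = {"raw": bytes.fromhex("DEADBEEF"), "ascii": b"DEADBEEF"}

# ICCID as ASCII text: starts with 89, 19 or 20 digits in total.
ICCID_ASCII = re.compile(rb"(?<![0-9])89[0-9]{17,18}(?![0-9])")
# ICCID as nibble-swapped BCD: 10 bytes, "89" becomes 0x98. The lookahead
# lets candidates overlap so a stray 0x98 cannot hide a real hit.
ICCID_BCD = re.compile(rb"(?=(\x98.{9}))", re.DOTALL)


def find_markers(dump):
    """Return {encoding: [offsets]} for every marker occurrence."""
    return {name: [m.start() for m in re.finditer(re.escape(pat), dump)]
            for name, pat in MARKERS.items()}


def decode_swapped_bcd(chunk):
    """Decode nibble-swapped BCD; return None if it is not all digits."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in chunk)
    if digits.endswith("F"):          # 19-digit ICCID padded with F
        digits = digits[:-1]
    return digits if digits.isdigit() else None


def find_iccids(dump):
    """Return sorted (offset, encoding, iccid) hits for both encodings."""
    hits = [(m.start(), "ascii", m.group().decode())
            for m in ICCID_ASCII.finditer(dump)]
    for m in ICCID_BCD.finditer(dump):
        iccid = decode_swapped_bcd(m.group(1))
        if iccid:
            hits.append((m.start(), "bcd", iccid))
    return sorted(hits)


# Constructed sample dump (not real handset data).
SAMPLE = (b"\xff" * 8 + MARKERS["raw"] + b"See you at 8" + MARKERS["raw"]
          + b"\x00" * 4 + b"89440000000000000012" + b"\x00" * 4
          + bytes.fromhex("98 44 21 43 65 87 09 21 43 F5"))

if __name__ == "__main__":
    print(find_markers(SAMPLE))
    for hit in find_iccids(SAMPLE):
        print("0x%04x %-5s %s" % hit)
```

On a real dump, treat BCD hits as candidates to confirm in a hex viewer, since any 10-byte run of decimal nibbles starting with 0x98 will match.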

We hope that you find it useful and would love to hear your feedback (and receive contributions!). We use Gary Kessler’s file signature page all the time, and if this page becomes half as useful, we’ll be delighted.