Overview of Search Types

Search Functions in ESI Analyst

To view ESI Analyst's various search types, select a project from your project dashboard and click on "Review Project Metadata."


While in Review Project Metadata, click on the word Search in the Filters box.


Search Fields

All searches identify hits from the body, subject, and attachments of messages.

Partial Words

For any search type, search hits can also show partial words.

Example: searching for the word "for" will show results such as for, format, and forsaken.
Note: This behavior can be prevented by wrapping the word in quotes.

Case Sensitivity

All search types are case insensitive. For example, if you type the word van, you will see search hits that show the word both capitalized and uncapitalized.
Note: To ensure the search is case sensitive, you can wrap the word in quotes.

Proximity Between Words

Proximity searches allow you to search for quoted words that may be separated by other words.

Example: "case files" ~5
This search will look for matches where the quoted words are within 5 words of each other.
Note: Full Query String also supports proximity using the following syntax, for example: case /5 files

Wildcards

? - Question marks are used for single character wildcards. The question mark must be placed in the position of the letter that it will replace. For example, searching ba? will show results for bat, ban, bag, and bay.

* - Asterisks represent multi-character wildcards. Searching for wh* will show results such as wheel, while, and whatever.

Wildcards are not supported in quoted text or in the search type Has the Word or Phrase.
Also, wildcards cannot be mixed with fuzziness.

Special Characters

Special characters are not supported by Has the Word or Phrase and Start With/Ends With the Word searches.

Full Query String, Has Any of the Words (OR), and Has All of the Words (AND) support both single and multiple character wildcards.

The following characters can be used for single query searches (OR/AND) and full query searches: 
+      -      =
&     ~      !      *
?      :      ^      "
{ }      (  )      | |
\ /      > <      [ ]

| signifies OR operation
" wraps a number of words to signify a phrase
* at the end of a term signifies a wildcard search
( ) subsets of words or phrases strung together through AND or OR operators e.g. (wood OR water) AND (ground OR forest)
Parentheses are only supported in Full Query searches.
+word, a plus sign in front of a word signifies that the word must be included.
-word, a minus sign in front of a word signifies that the word must not be included.
+ and - cannot be used with Has Any of the Words (OR) and Has All of the Words (AND).

Regular Expression searches support the following characters:
.       ?       +
*      |      { }
[ ]      ( )      "
\      #      @
&      < >      ~
Phrases can be wrapped within parentheses through quote marks.
Example: (laptop AND passwords) OR (Snapchat AND Facebook AND Gmail)

Wrapping Phrases in Quote Marks

Wildcards are not supported within quoted phrases.
Example: "confidential information"

Boolean Operators

The Boolean Operators OR and AND must be written between two or more words in capital letters.
Example:
Facebook OR Twitter
Snapchat AND Instagram

Boolean operators only work in the Full Query String, Has Any of the Words, and Has All of the Words searches.

Fuzziness

Fuzziness is supported by each search type. The feature is used to match misspelled or rearranged words and is written as ~N, where N represents a number.

~N after a word signifies the number of characters that a search result can vary by. The fuzziness cannot be greater than five characters.
Example: missplleed ~5

Fuzziness is only supported in Full Query String, Has Any of the Words, and Has All of the Words searches.

Slop

~N after a phrase signifies the number of words that can separate a quoted search phrase.
Example: "steal files" ~3

Mixing fuzziness and wildcards is not supported.
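
The syntax restrictions stated in the Wildcards, Special Characters, Fuzziness and Slop sections can be checked against a search-term list before it is run. The following is an added example, not ESI Analyst code: lint_query and its messages are hypothetical, and it follows the statement that fuzziness is only supported in Full Query String, Has Any of the Words, and Has All of the Words.

```python
import re

# Search type names as written on this page.
FULL = "Full Query String"
ANY = "Has Any of the Words"
ALL = "Has All of the Words"
PHRASE = "Has the Word or Phrase"

# A token is a quoted phrase, a ~N suffix, or a bare word.
TOKEN = re.compile(r'"[^"]*"|~\d+|[^\s~]+')


def lint_query(query, search_type):
    """Return the documented restrictions that a query violates (empty if none)."""
    problems = []
    tokens = TOKEN.findall(query)
    words = [t for t in tokens if not t.startswith(('"', "~"))]
    has_wildcard = any(c in w for w in words for c in "?*")
    has_fuzz = False
    for prev, tok in zip([""] + tokens, tokens):
        if tok.startswith('"') and re.search(r"[?*]", tok):
            problems.append(f"wildcard inside quoted text: {tok}")
        # ~N after a bare word is fuzziness; after a quoted phrase it is slop.
        if re.fullmatch(r"~\d+", tok) and prev and not prev.startswith('"'):
            has_fuzz = True
            if int(tok[1:]) > 5:
                problems.append(f"fuzziness {tok} is greater than five")
    if has_wildcard and search_type == PHRASE:
        problems.append(f"wildcards are not supported in {PHRASE}")
    if has_fuzz and has_wildcard:
        problems.append("fuzziness mixed with wildcards")
    if has_fuzz and search_type not in (FULL, ANY, ALL):
        problems.append(f"fuzziness is not supported in {search_type}")
    if search_type != FULL and any(c in w for w in words for c in "()"):
        problems.append("parentheses are only supported in Full Query searches")
    if search_type in (ANY, ALL) and any(w[0] in "+-" for w in words):
        problems.append(f"+ and - cannot be used with {search_type}")
    return problems


if __name__ == "__main__":
    # Constructed sample terms, reusing the examples on this page.
    for term, kind in [('"steal files" ~3', FULL), ("wh* ~2", FULL),
                       ("+laptop -personal", ALL), ("ba?", PHRASE)]:
        print(f"{kind}: {term!r} -> {lint_query(term, kind) or 'ok'}")
```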

Explanations for Each Search Type
