Boolean combinations

Multiple query terms can be strung together by using simple Boolean operators to create highly targeted query strings. Properly formed, these query strings can return results that exactly match what an investigator is looking for.

The basic Boolean operators are AND, OR, NOT, and ().
  • The AND operator specifies that both query terms must match in the document.
  • The OR operator specifies that either query term can be found in a document.
  • The NOT operator negates a query term: results that match the negated term are removed.
  • The () operator groups query terms and values, so that a function can be applied to a set of terms, multiple values can be applied to a single field, or the syntax is simply clearer.
Note: Boolean operators must be uppercase. In field-specific searches, no space is allowed between the field name and its value. For example, TcpPort: 80 is invalid.
The following table lists the Boolean operators and an example of a query string.
Table 1. Boolean operators for query strings

AND
  Example query string: TcpPort:80 AND Protocol:http
  Explanation: Two query terms are used to find all standard web traffic. If web testing occurs on port 8080, the document is not a match, because both query terms must be true.

OR
  Example query string: Collection:yahoo* OR Collection:cnn* OR Collection:msn*
  Explanation: Three query terms are used to limit the results to the Yahoo, CNN, and MSN document collections in the forensics repository.

NOT
  Example query string: ApplicationProtocol:http AND NOT ServerTcpPort:(80 OR 8080 OR 81)
  Explanation: Searches for traffic with non-standard port usage. The first query term looks for standard HTTP traffic and the second query term eliminates all traffic that is using accepted HTTP ports.

( )
  Example query strings:
    (ApplicationProtocol:http AND NOT ServerTcpPort:(80 OR 8080)) OR (ApplicationProtocol:pop* AND NOT ServerTcpPort:110)
    NOT (Collection:yahoo* OR Collection:cnn* OR Collection:msn*)
  Explanation: These queries use parentheses effectively to achieve complex goals. Without parentheses, these queries are longer and more complex to formulate and debug.
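To make the operator rules concrete, the following added example (not product code) is a small evaluator for query strings of the form shown in the table, run over constructed sample records. It handles AND, OR, NOT, parentheses, field scoping with wildcards, and it rejects a space after the field name and a lowercase operator, as the note above requires; that AND binds tighter than OR and that an unscoped term searches every field are assumptions of this example, not documented product behaviour (the table's own queries use parentheses, so precedence never matters for them).

```python
import re
from fnmatch import fnmatchcase

RECORDS = [  # constructed sample records (not product data); fields mirror the table above
    {"ApplicationProtocol": "http", "ServerTcpPort": "80",   "Collection": "yahoo_news"},
    {"ApplicationProtocol": "http", "ServerTcpPort": "8443", "Collection": "cnn_web"},
    {"ApplicationProtocol": "pop3", "ServerTcpPort": "110",  "Collection": "msn_mail"},
    {"ApplicationProtocol": "pop3", "ServerTcpPort": "2110", "Collection": "internal"},
]
TOKEN = re.compile(r"\(|\)|AND\b|OR\b|NOT\b|[A-Za-z]+:|[^\s()]+")  # case-sensitive: "and" is a value

def match(rec, field, pattern):  # wildcard (* ?) match on one field, or on every field if unscoped
    values = rec.values() if field is None else [rec.get(field, "")]
    return any(v and fnmatchcase(v, pattern) for v in values)

def chain(toks, field, op, sub, combine):  # sub (op sub)* folded into one predicate
    node = sub(toks, field)
    while toks and toks[0] == op:
        toks.pop(0)
        node = (lambda l, r: lambda rec: combine(l(rec), r(rec)))(node, sub(toks, field))
    return node

def expr(toks, field):  # expr := term (OR term)*; AND binds tighter than OR (assumption)
    return chain(toks, field, "OR", term, lambda a, b: a or b)
def term(toks, field):  # term := factor (AND factor)*
    return chain(toks, field, "AND", factor, lambda a, b: a and b)

def factor(toks, field):  # factor := NOT factor | ( expr ) | Field:factor | value
    tok = toks.pop(0) if toks else None
    if tok in (None, ")", "AND", "OR"):
        raise ValueError("unexpected %r" % tok)
    if tok == "NOT":
        return (lambda f: lambda rec: not f(rec))(factor(toks, field))
    if tok == "(":
        inner = expr(toks, field)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing )")
        return inner
    if tok.endswith(":"):  # Field: scopes the next factor, e.g. ServerTcpPort:(80 OR 8080)
        return factor(toks, tok[:-1])
    return lambda rec: match(rec, field, tok)

def search(query, records=RECORDS):  # returns the Collection of each matching record, in order
    if re.search(r"[A-Za-z]+:(\s|$)", query):  # "TcpPort: 80" is invalid: no space after the colon
        raise ValueError("space after field name in %r" % query)
    toks = TOKEN.findall(query)
    pred = expr(toks, None)
    if toks:  # leftover input, e.g. a lowercase "and" that was read as a value
        raise ValueError("unexpected %r" % toks[0])
    return [r["Collection"] for r in records if pred(r)]
```

Running the table's NOT query against the sample records returns only the cnn_web record (HTTP on port 8443), and the first parenthesised query adds the internal record (POP3 on port 2110).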