
Grep Expressions Used In Forensic Investigation

DigitalSherlock.com | SafeHack.com
Date: 2005/05/27
Document Name: Grep_Expressions.pdf (LIVE DOCUMENT)
GNU Free Documentation License
Version 1.00, 2005-05-27
Copyright 2005 Adonis, MSc, Eng, CISSP, Security+, CEH, GSec, MCSE, etc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation
License, Version 1.2 or any later version published by the Free Software Foundation.

Note on notation: the expressions in this document use the GREP dialect of EnCase, not POSIX grep. # matches one digit (0 to 9), \xHH matches the byte with hex value HH, \wHHHH matches the Unicode character U+HHHH, and a backslash makes the following metacharacter literal; ., [ ], *, +, ?, {m,n}, | and ( ) have their usual regular-expression meaning. Keyword hits are case-insensitive unless the Case Sensitive option is selected.

Find Names
firstname[ ,\x09]*lastname

Finds firstname followed by any number (including zero) of spaces, commas or tabs (\x09), followed by lastname.

Character Matching
[^ab]

Matches any single character except a or b.

firstname.lastname

The period matches any single character, so this finds firstname and lastname separated by exactly one character of any kind.

firstname[ , ;]lastname

Finds firstname followed by a single space, comma or semicolon, followed by lastname.

firstname[0-9a-z]lastname

Finds firstname followed by a single digit 0 to 9 or letter a to z, followed by lastname.

firstname[^#]lastname

Finds firstname followed by any single character other than a digit 0 to 9 (# stands for a digit, so [^#] is any non-digit), followed by lastname.

firstname +lastname

Finds firstname followed by one or more spaces followed by lastname (the + requires at least one).

firstname-*lastname

Finds firstname followed by zero or more dashes followed by lastname.

firstname lastname\x0D\x0A

Finds firstname, a space, lastname, then a CR LF line ending (bytes 0x0D 0x0A), i.e. the name at the end of a Windows text line.

firstname[^a-z]

Matches firstname followed by any character that is not a letter a to z.

keyword1.{80,80}keyword2

Finds keyword1 followed by exactly 80 characters of any kind, followed by keyword2. {80,80} is a fixed count, not an upper bound; to find keyword2 anywhere within 80 characters after keyword1 use .{0,80} instead. Example:
murder.{80,80}knife

car+d

Finds card with the r repeated one or more times: CARD, CARRD, CARRRRRD (the + applies only to the preceding r).

[\w060c-\w06FF][\w0600-\w0603\w060c-\w06FF\x20\x2e]{10,254}

Finds a run of Arabic text: one character from the Arabic Unicode block (U+060C to U+06FF) followed by 10 to 254 Arabic characters, spaces or periods. Use it to check whether a disk contains Arabic text.

\x2E\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20.....................\x2E\x2E

Find subdirectories on FAT volumes. Every subdirectory starts with a 32-byte "." entry (a period padded with ten spaces to fill the 11-byte name field, then 21 bytes of attribute, time, cluster and size fields) immediately followed by the ".." entry, so this expression hits at the first cluster of each subdirectory.
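A hit from the expression above is only a period, ten spaces, 21 arbitrary bytes and two more periods, which ordinary text can also produce. The following is an added example, not part of the original document: it runs the page's expression as a Python bytes regex over a constructed sample "image" and keeps only hits whose 32-byte entries decode as a genuine "."/".." pair, using the standard FAT directory-entry layout. The sample bytes and the function names are my own.

```python
import re
import struct

# 32-byte FAT directory entry, little-endian: name (8.3, space padded), attr,
# NTRes, create tenth-sec, create time, create date, last access date,
# first cluster high, write time, write date, first cluster low, file size.
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")
ATTR_DIRECTORY = 0x10
DOT, DOTDOT = b".          ", b"..         "   # 11-byte names of the two entries

# The page's expression: '.' padded with ten spaces, the 21 remaining bytes of
# that entry, then the '..' that opens the next entry.  DOTALL so '.' matches 0x0A.
SUBDIR_GREP = re.compile(rb"\x2E\x20{10}.{21}\x2E\x2E", re.DOTALL)

def fat_date(d: int) -> tuple:
    """FAT packed date -> (year, month, day)."""
    return 1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F

def first_cluster(e: tuple) -> int:
    return (e[7] << 16) | e[10]

def carve_subdirectories(image: bytes) -> list:
    """GREP hits confirmed as '.'/'..' directory-entry pairs, with the
    subdirectory's own cluster, its parent's cluster (0 = root) and write date."""
    found = []
    for m in SUBDIR_GREP.finditer(image):
        off = m.start()
        if off + 2 * DIR_ENTRY.size > len(image):
            continue
        dot = DIR_ENTRY.unpack_from(image, off)
        dotdot = DIR_ENTRY.unpack_from(image, off + DIR_ENTRY.size)
        if dot[0] != DOT or dotdot[0] != DOTDOT:
            continue                          # text that merely looks like the pattern
        if not (dot[1] & ATTR_DIRECTORY and dotdot[1] & ATTR_DIRECTORY):
            continue
        found.append({
            "offset": off,
            "cluster": first_cluster(dot),
            "parent_cluster": first_cluster(dotdot),
            "written": fat_date(dot[9]),
        })
    return found

def make_entry(name: bytes, attr: int, cluster: int, wrt_date: int = 0) -> bytes:
    """Constructed directory entry for the sample image (times left zero)."""
    return DIR_ENTRY.pack(name, attr, 0, 0, 0, 0, 0,
                          cluster >> 16, 0, wrt_date, cluster & 0xFFFF, 0)

# Constructed sample "image" (not from a real disk): a decoy text run that
# matches the expression but is not a directory, then a subdirectory cluster
# whose first two entries are '.' and '..'.
DATE_2005_05_27 = (25 << 9) | (5 << 5) | 27
DECOY = b".          " + b"x" * 21 + b".." + b"y" * 9            # 43 bytes
SAMPLE_IMAGE = (
    DECOY + b"\x00" * 21                                         # entries start at 64
    + make_entry(DOT, ATTR_DIRECTORY, 7, DATE_2005_05_27)
    + make_entry(DOTDOT, ATTR_DIRECTORY, 0)
    + make_entry(b"NOTES   TXT", 0x20, 9)
)

if __name__ == "__main__":
    print("grep hits:", [m.start() for m in SUBDIR_GREP.finditer(SAMPLE_IMAGE)])
    print("confirmed:", carve_subdirectories(SAMPLE_IMAGE))
```

The decoy is found by the expression but rejected by the decoder because its second entry is not named "..". The same post-check applies to any hit in unallocated space: decode the entry, and only then follow the first-cluster field.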

[EFG]\:

Finds the drive letters E:, F: and G: (the colon is escaped so it is taken literally).

(YMSG).{19,19}[a-zA-Z]

Finds Yahoo Messenger traffic: the YMSG protocol signature, 19 bytes of header, then a letter.

EMF Files
Comment: After doing a search using this expression (I recommend selecting only the print spool folder), you can go to the Search Hits tab; the very last column to the right has the word "Picture" as the column header. Right-click inside the "Picture" column cell that corresponds to one of your search hits and select the "Picture" option (or you can use Ctrl-P), and then the EMF files will be visible to you in the gallery view and the bottom pane as well.

\x01\x00\x00\x00..\x00.{34,34}EMF

Find EMF files. An EMF file begins with its header record: the record type 1 as a little-endian DWORD, then the record size, and the signature " EMF" 40 bytes into the file, so EMF is at offset 41.

\x01\x00\x00\x00\x58\x00\x00\x00

Find EMF files by the record type followed by a header record size of 0x58 (88 bytes, the base size of the header record).

\x01.{40,40}EMF

Find EMF files: the type byte, exactly 40 bytes, then EMF. Looser than the first expression, so expect more false hits.

\x01\x00\x00\x00\x18\x17\x00 or \x01\x00\x00\x00\xC4\x36\x00

Find EMF on Windows NT/2000 (header record sizes 0x1718 and 0x36C4)

\x01\x00\x00\x00\x5C\x01\x00

Find EMF on Windows XP (header record size 0x15C)

\x01\x00\x00\x00\x58\x00\x00\x00 or \x01.{40,40}EMF

Find EMF on Windows 98
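The looser EMF expressions above will also hit on bytes that are not a metafile, so it is worth decoding the header at each hit before exporting it. The following is an added example and not part of the original document: the page's first EMF expression as a Python bytes regex, plus a decoder for the 88-byte EMF header record (field layout from the Windows EMF format: record type 1, record size, bounds, frame, the " EMF" signature at byte 40, version, total file size, record count, device size) that discards hits which do not decode. The header in SAMPLE_BLOB is constructed, not taken from a real spool file, and the function names are my own.

```python
import re
import struct

# Fixed part of the EMF header record, 88 bytes, little-endian:
# iType, nSize, rclBounds(4), rclFrame(4), dSignature, nVersion, nBytes,
# nRecords, nHandles, sReserved, nDescription, offDescription, nPalEntries,
# szlDevice(2), szlMillimeters(2).
EMR_HEADER = struct.Struct("<II4i4i4sIIIHHIII2i2i")
EMF_SIGNATURE = b" EMF"          # 0x464D4520, at byte 40 of the file

# The page's first EMF expression as a bytes regex.  DOTALL is required: EnCase's
# '.' matches any byte, but Python's '.' skips 0x0A unless told otherwise.
EMF_GREP = re.compile(rb"\x01\x00\x00\x00..\x00.{34}EMF", re.DOTALL)

def parse_emf_header(buf: bytes, off: int):
    """Decode the header record at buf[off:]; None if it is not a plausible EMF header."""
    if off + EMR_HEADER.size > len(buf):
        return None
    f = EMR_HEADER.unpack_from(buf, off)
    itype, nsize, sig = f[0], f[1], f[10]
    if itype != 1 or sig != EMF_SIGNATURE or nsize < EMR_HEADER.size or nsize % 4:
        return None
    return {
        "offset": off,
        "header_size": nsize,
        "bounds": f[2:6],          # device units: left, top, right, bottom
        "frame": f[6:10],          # 0.01 mm units
        "version": f[11],
        "file_size": f[12],        # nBytes: total size of the metafile, for carving
        "records": f[13],
        "handles": f[14],
        "device_px": f[19:21],
        "device_mm": f[21:23],
    }

def carve_emf_headers(buf: bytes) -> list:
    """GREP hits from the page's expression, kept only when the header decodes."""
    found = []
    for m in EMF_GREP.finditer(buf):
        hdr = parse_emf_header(buf, m.start())
        if hdr:
            found.append(hdr)
    return found

def build_header(nbytes: int, nrecords: int) -> bytes:
    """Constructed 88-byte EMF header used as sample input (not from a real file)."""
    return EMR_HEADER.pack(
        1, EMR_HEADER.size,
        0, 0, 99, 99,              # rclBounds
        0, 0, 2646, 2646,          # rclFrame: 2646 = 0x0A56, so the record contains 0x0A
        EMF_SIGNATURE, 0x00010000, nbytes, nrecords,
        2, 0,                      # nHandles, sReserved
        0, 0, 0,                   # nDescription, offDescription, nPalEntries
        1024, 768, 320, 240,       # szlDevice, szlMillimeters
    )

# Constructed search space: a decoy that satisfies the GREP expression but is not
# a header, some slack, then a real header at a known offset.
DECOY = b"\x01\x00\x00\x00\x13\x00\x00" + b"\xaa" * 34 + b"EMF"     # 44 bytes
SAMPLE_BLOB = DECOY + b"\x00" * 20 + build_header(4096, 12) + b"\x00" * 16

if __name__ == "__main__":
    print("grep hits:", [m.start() for m in EMF_GREP.finditer(SAMPLE_BLOB)])
    print("validated:", carve_emf_headers(SAMPLE_BLOB))
```

Both the decoy and the real header satisfy the expression; only the real one decodes, and its nBytes field gives the length to carve. Note the DOTALL flag: without it a header whose bounds or frame happen to contain a 0x0A byte is silently missed, which is the kind of gap that makes a "no EMF found" result unreliable.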

Internet Related
http://www\.[a-z]+\.com

Matches http://www. followed by one or more letters followed by .com (both periods are escaped so they match literally).

Find IP Addresses

##?#?\.##?#?\.##?#?\.##?#?[^#\.]

Four groups of one to three digits separated by periods, followed by a character that is neither a digit nor a period, so a hit cannot end inside a longer number. The trailing guard also means an address that is directly followed by a period (end of a sentence) is not found.

[^\.\x00]1##\.##?#?\.##?#?\.##?#?[^#\.]

The same, restricted to addresses whose first octet is 100 to 199 and not preceded by a period or a null byte.

[^#\.\x00][1-9]#?\.[12]#?#?\.[12]#?#?\.[12]#?#?[^#\.]

First octet of one or two digits not beginning with 0, remaining octets beginning with 1 or 2, bounded on both sides.

Find Emails

From ?:.{20,200}To ?:
Find the From field followed, within 20 to 200 characters, by the To field.

((mark)|(goober@earthlink\.net)).{5,200}((lori)|(girl@hotmail\.com)|(fred)|(baldguy@encase\.com))

The outer parentheses around each set of alternatives are required: | binds more loosely than anything else, so without them the expression would hit on a bare mark, lori or fred anywhere rather than on sender followed by recipient.

Comment: Suppose my names were mark, lori and fred and you wanted to find email between either their names or their email addresses. Mark's email is goober@earthlink.net, lori's is girl@hotmail.com and fred's is baldguy@encase.com. Here is the expression I would use if the emails were coming from mark to the others.

Numbers
###-#### or ###-?####

The first matches a telephone number of the form 123-4567; the second, with the dash optional, matches 123-4567 or 1234567.

###[\- ]?##[\- ]?#### or [^0-9]###[\- ]?##[\- ]?####[^0-9]

Finds a nine-digit number in the 3-2-4 format (111-25-2345), with each separator an optional dash or space. The second form requires a non-digit on both sides so that it does not fire inside a longer run of digits.

[^0-9]#########[^0-9] or [^0-9]###[\- ]##[\- ]####[^0-9]

Finds the same number written without separators (111252345), or with a dash or space required in both positions (111-25-2345, 111 25 2345), bounded by non-digits.

Credit Card

####-####-####-####
Finds any 16-digit number written as four groups of four digits separated by dashes.
[456]###-?####-?####-?####[^#]
The dashes are optional, the first digit can only be 4, 5 or 6, and the final [^#] requires a non-digit after the sixteenth digit.
\(?###[) \-]*###[ \-]?####[^#]
The \(? means an opening parenthesis may or may not be present; the backslash keeps it literal, since an unescaped ( starts a group. The [) \-]* means a closing parenthesis, a space or a dash, repeated any number of times including zero. This matches telephone numbers such as:

(818) 987-2345
569-874-3468
208 495 9583
9424295849

[^\*\#].[x\*\#][x\*\#][x\*\#][ \-]?[x\*\#][ \-]?[x\*\#][x\*\#][x\*\#][ \-]?[x\*\#][x\*\#][x\*\#][ \-]?[x\*\#][ \-]?####

This expression finds card numbers whose leading digits are masked with x, X, * or # and whose last four digits are visible, with optional space or dash separators, as printed on receipts and statements (for example xxxx-xxxx-xxxx-1234 or ************1234).
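The IP address, 3-2-4 number, card and phone expressions above run outside EnCase, as an added example that is not part of the original document: a small translator from the page's GREP notation (# for a digit, \wHHHH for a Unicode character) to Python regular expressions, the expressions themselves applied to a constructed sample text, and a Luhn check used as a post-filter on card hits, which the page does not mention. Case-insensitive matching is assumed to mirror EnCase's default. The pattern names, sample text and function names are my own.

```python
import re

# EnCase-style GREP -> Python regex.  Only the notation used on this page is
# handled: '#' (one digit, also inside [...]), '\#' (literal '#'), '\wHHHH'
# (Unicode code point), plus the escapes and quantifiers Python already shares.
def encase_to_python(pattern: str) -> str:
    out = []
    in_class = False   # inside a [...] bracket expression
    at_start = False   # just after '[' or '[^', where ']' would be a literal
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            hexpart = pattern[i + 2:i + 6]
            if pattern[i + 1] == "w" and len(hexpart) == 4 and all(
                h in "0123456789abcdefABCDEF" for h in hexpart
            ):
                out.append("\\u" + hexpart)      # \wHHHH -> \uHHHH
                i += 6
            else:
                out.append(pattern[i:i + 2])    # \xHH, \., \-, \#, \( ... unchanged
                i += 2
            at_start = False
            continue
        if c == "#":
            out.append("0-9" if in_class else "[0-9]")
            at_start = False
        elif c == "[" and not in_class:
            in_class, at_start = True, True
            out.append(c)
        elif c == "^" and at_start:
            out.append(c)                       # negated class, still "at start"
        elif c == "]" and in_class and not at_start:
            in_class = False
            out.append(c)
        else:
            out.append(c)
            at_start = False
        i += 1
    return "".join(out)

# Luhn check (added here as a post-filter, not on the original page): a 16-digit
# hit that fails it cannot be a real card number.
def luhn_ok(digits: str) -> bool:
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Expressions copied from this page (the phone one with the literal '(' escaped).
PATTERNS = {
    "ip":     r"##?#?\.##?#?\.##?#?\.##?#?[^#\.]",
    "ssn":    r"[^0-9]###[\- ]?##[\- ]?####[^0-9]",
    "card":   r"[456]###-?####-?####-?####[^#]",
    "phone":  r"\(?###[) \-]*###[ \-]?####[^#]",
    "arabic": r"[\w060c-\w06FF][\w0600-\w0603\w060c-\w06FF\x20\x2e]{10,254}",
}

# Constructed sample text (not evidence from any real case).
SAMPLE = (
    "Contact: (818) 987-2345 or 569-874-3468.\n"
    "Cards: 4111-1111-1111-1111 and 4111-1111-1111-1112 (typo).\n"
    "SSN 111-25-2345; host 192.168.1.10 and 10.0.0.254.\n"
)

def search(name: str, text: str = SAMPLE) -> list:
    """Run one of the page's expressions over text.  IGNORECASE mirrors the
    assumed EnCase default of case-insensitive keywords."""
    rx = re.compile(encase_to_python(PATTERNS[name]), re.IGNORECASE)
    return [m.group() for m in rx.finditer(text)]

def card_hits(text: str = SAMPLE) -> list:
    """Card hits as (digits, luhn_ok); separators and the trailing guard
    character that the expression consumes are stripped first."""
    return [(re.sub(r"\D", "", raw), luhn_ok(re.sub(r"\D", "", raw)))
            for raw in search("card", text)]

if __name__ == "__main__":
    for name in PATTERNS:
        print(name, search(name))
    print("cards", card_hits())
```

Two things the run makes visible: each hit carries the extra character that the closing [^#] or [^#\.] guard consumed, so strip it before comparing values; and 10.0.0.254 at the end of the sentence is not reported, because the guard rejects the period that follows it. The notation on this page has no lookahead, so that trade-off (no hits inside longer numbers, no hit before a period) is the analyst's to weigh.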

Dates

##?[/\-]##?[/\-]###?#?
Matches a date with a one- or two-digit month and day and a two- to four-digit year, separated by forward slashes or dashes:

03/12/1999
2-15-2000
2-4-97
