1 of 7 
CIS 8630 
 
Business Computer Forensics and Incident Response 
 
Lab Protocol 05: Search & grep (EnCase7) 
 
Purpose: Grow more adept at creating regular expressions (REGEX) for use in forensic 
searching using grep-like tools.  
 
Materials required: File "strings.txt", EnCase. 
 
Deliverable: This completed lab protocol from individual students. Be sure your name and team name are on the material delivered. 
A regular expression is a set of characters that specifies a search pattern. A regular expression includes (1) character sets that match one or more characters in a single position, (2) modifiers that specify how many times the previous character set is repeated, and (3) operators. The character sets are straightforward. Letters and numbers match explicitly. Ranges may be specified, e.g., "A-C" or "1-3". The wildcard "." matches any character, and the wildcard "#" matches any numeral (an EnCase GREP convention; most other grep-like tools use [0-9] instead). 
The anchor for the beginning of a line is ^. The anchor for the end of a line is $. 
The modifiers are postfix and include "?" (zero or one time), "*" (zero, one, or many times), and "+" (one or many times). 
The operators include "[ … ]", which specifies a set or range of characters; "^", which at the start of "[ … ]" specifies an exception (any one character not listed); and "\", which specifies an escape sequence. 
 
Operator type        Examples           Matches 
Literal characters   a A y 6 % @        Letters, digits and many special characters match exactly 
                     \$ \^ \+ \\ \?     A \ cancels the regex reserved meaning 
                     \n \t \r           Literal new line, tab, return 
Anchors              ^                  Starts with 
                     $                  Ends with 
Character lists      [aAeEiou]          Any 1 character listed 
                     [^aAeEiou]         Any 1 character except a, A, e, E, i, o or u 
                     #                  Any 1 numeral 
                     .                  Any 1 character 
Counts (postfix)     +                  1 or more 
                     *                  0 or more 
                     ?                  0 or 1 
                     {2,3}              From 2 to 3 times 
Alternation          |                  Either, or 
Grouping             ( )                Logical grouping 
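Added example (not part of the lab protocol): a Python helper that rewrites an EnCase-style GREP keyword into a Python pattern so the operators in the table above can be exercised outside EnCase, returning the hit list the way the Keyword tester in Part Two reports hits. It assumes "#" (any numeral) is the only divergence from Python's syntax among the listed operators and that "#" inside a character list is literal; the test data is constructed.

```python
import re

# Constructed test data standing in for the text file you build in Part Two.
TEST_DATA = """call 404-555-0199 or 770 555 0123 today
ref# 22-4 is not a phone number
last line ends here$"""


def encase_to_python(keyword):
    """Rewrite an EnCase GREP keyword into an equivalent Python re pattern.

    The one divergence covered here is "#", which EnCase uses for any single
    numeral and Python does not; it becomes "[0-9]".  Backslash escapes are
    preserved: \\n, \\t and \\r stay control characters, anything else escaped
    becomes a literal.  Assumption: "#" inside a character list is literal.
    Hypothetical helper, not an EnCase API.
    """
    out, in_list, i = [], False, 0
    while i < len(keyword):
        ch = keyword[i]
        if ch == "\\" and i + 1 < len(keyword):
            nxt = keyword[i + 1]
            out.append("\\" + nxt if nxt in "ntr" else re.escape(nxt))
            i += 2
            continue
        if ch == "[":
            in_list = True
        elif ch == "]":
            in_list = False
        out.append("[0-9]" if ch == "#" and not in_list else ch)
        i += 1
    return "".join(out)


def keyword_hits(keyword, data=TEST_DATA):
    """Return every match of an EnCase keyword in data, case-sensitively and
    with ^ and $ anchored per line, like the Keyword tester's hit list."""
    pattern = re.compile(encase_to_python(keyword), re.MULTILINE)
    return [m.group(0) for m in pattern.finditer(data)]


if __name__ == "__main__":
    for kw in ("###[ -]###[ -]####", "^ref\\# ##", "here\\$$", "5#{2}"):
        hits = keyword_hits(kw)
        print(f"{kw!r}: {len(hits)} hit(s) {hits}")
```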
Part One: Formulating Regular Expressions 
1. What regular expression would you use to search for a U.S.-based telephone 
number? How flexible can you make the regular expression to account for different 
phone number formatting styles? Write the regular expression below and an example of a 
phone number your regular expression can match. 
 
 
 
2. What regular expression would you use to find an email address? Write the 
regular expression below and an example of an email address that your regular 
expression can match. 
 
 
 
3. What regular expression would you use to find a URL? Write the regular 
expression below and an example of a URL that your regular expression can match. 
 
 
 
4. What regular expression would you use to find a credit card number? Write the 
regular expression below and an example of a credit card number that your regular 
expression can match.  (See Appendix.) 
 
 
 
Part Two:  Testing Regular Expressions with EnCase 
 
1. Logon to the Virtual Machine. 
2. Using any text editor (e.g., Notepad), create a test data text file that includes, from 
Part One above, the examples of data that would be matched by each of the 
regular expressions.  Save this file under “MyDocuments.” 
3. Open EnCase. 
4. Create a new case called "Regex". 
5. Click on “Evidence”, located under the “Browse” section. 
 
 
 
 
6. Click on the “Raw Search All” drop down menu, and select “New Raw Search 
All…” 
 
 
7. Right-click the word "Keyword", located in the column on the left, and then left-click "New." 
 
 
 
8. In the "New Keyword" window, check "Case Sensitive", "GREP", "ANSI Latin-1" and "Unicode". 
 
9. Choose the “Keyword tester” Tab. 
 
 
10. Use the browse button [...] to select the text file created in step 2 of this part and press the "Load" button. The data from your test file will appear in the window. 
 
11. Enter a regex expression in the "Keyword" text box. The number of matches ("Hits") will display next to "Test data", and the matched text will display in the data view below it. 
 
12. Test, and if necessary debug, each of the regular expressions from Part One. Write the corrected/debugged regex below: 
a. Telephone Regex #1: 
 
b. Email Regex #2: 
 
c. URL Regex #3: 
 
d. Credit Card Regex #4: 
 
Part Three: Searching Data Using Tested Regex 
 
1. Close the “Raw Search All” Window.  Click on the “Home” tab.  
2. Download the file at http://cis.gsu.edu/rbaskerville/cis8630/labs/strings.zip. 
3. Unzip this file to yield the text file "strings.txt". 
4. Click on “Evidence”, located under the “Browse” section. 
5. Drag the “strings.txt” file into the “Evidence” table pane. 
6. From the Evidence view, click on the “Raw Search All” menu, and select “New 
Raw Search All…” 
7. Right-click the Keywords icon in the tree pane and select “New”. 
8. In the "New Keyword" window, check "Case Sensitive", "GREP", "ANSI Latin-1" and "Unicode". 
9. For each of the regular expressions above, type it into the “Search expression” 
text field and give your keyword a name in the “Name” text field. Press OK. 
10. Click on “View” and select “Search”. 
 
 
 
11. Click on the “Keywords” menu to see the results. 
12. Click on the “Review” tab. 
13. Select the keyword in the Tree pane and verify the results in the Table Pane. 
 
14. Record the number of matches in this file for each of the keywords: 
a. Telephone Regex #1: 
 
b. Email Regex #2: 
 
c. URL Regex #3: 
 
d. Credit Card Regex #4: 
 
Part Four: Searching Data with Other Regex 
Use the above steps to have EnCase search for the following patterns in strings.txt. 
For each question, write the regular expression you used to successfully find a match. 
Also, report which matches you found (list no more than 5 matches). 
1. License plate number, 7 alphanumeric characters (including spaces) (e.g. 234 
6KT).  
 
 
 
2. An international phone number of the format: 07842 22 44 52  Additionally, make 
your regular expression flexible enough to also match the international calling 
prefixes and country code, viz: 011 + 49 07842 22 44 52 
 
 
 
3. A street address including common street suffixes (e.g. 12343 Laniard Rd.) 
 
 
 
4. A post office box number similar to P.O. box 2332 
 
 
 
5. A MAC address number in the following format: 00:50:16:d0:00:03 
 
 
 
6. An IPv6 address in the following format:  fe80::216:cbff:febd:b1a4 
 
 
 
7. A credit card confirmation number similar to 2343 223 
 
 
 
Appendix:  Credit Card Formats 
Mastercard: Must have a prefix of 51 to 55, and must be 16 digits in length. 
Visa: Must have a prefix of 4, and must be either 13 or 16 digits in length. 
American Express: Must have a prefix of 34 or 37, and must be 15 digits in length. 
Diners Club: Must have a prefix of 300 to 305, 36, or 38, and must be 14 digits in length. 
Discover: Must have a prefix of 6011, and must be 16 digits in length.
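Added example (not part of the lab protocol): a Python script that turns the Appendix rules into one search expression, with [0-9] standing in for EnCase's "#", and runs it over constructed numbers to show which issuer rule each digit run satisfies. It assumes card numbers appear as contiguous digit runs, so separators such as spaces or dashes are not handled, and checks only prefix and length, exactly as the Appendix states them.

```python
import re

# Issuer rules copied from the Appendix: (name, prefix pattern, total lengths).
# Added example, not part of the lab; numbers below are constructed, not real.
ISSUER_RULES = [
    ("mastercard", r"5[1-5]", (16,)),      # prefix 51-55
    ("visa", r"4", (13, 16)),              # prefix 4
    ("amex", r"3[47]", (15,)),             # prefix 34 or 37
    ("diners", r"30[0-5]|3[68]", (14,)),   # prefix 300-305, 36 or 38
    ("discover", r"6011", (16,)),          # prefix 6011
]


def issuer_pattern(prefix, lengths):
    """Build one alternation from a prefix pattern and the allowed total
    lengths.  Each prefix alternative is padded with [0-9] (EnCase "#") up to
    the total length, so "30[0-5]|3[68]" at 14 digits becomes
    30[0-5][0-9]{11}|3[68][0-9]{12}."""
    alts = []
    for pre in prefix.split("|"):
        fixed = len(re.sub(r"\[[^\]]*\]", "x", pre))  # one class = one digit
        for total in lengths:
            alts.append(f"{pre}[0-9]{{{total - fixed}}}")
    return "|".join(alts)


# Lookarounds stop a 17-digit run from matching as a 16-digit card, and a
# 16-digit Visa from also matching as a 13-digit one.
CARD_RE = re.compile(
    "(?<![0-9])(?:"
    + "|".join(f"(?P<{n}>{issuer_pattern(p, l)})" for n, p, l in ISSUER_RULES)
    + ")(?![0-9])"
)


def find_cards(text):
    """Return (issuer, number) for every contiguous digit run that satisfies
    one of the Appendix rules; runs of any other length are ignored."""
    return [(m.lastgroup, m.group(0)) for m in CARD_RE.finditer(text)]


SAMPLE = """constructed test strings, not real accounts:
mc 5412345678901234 visa16 4111111111111111 visa13 4222222222222
amex 371234567890123 amex-short 37123456789012 diners 30012345678901
diners 38123456789012 discover 6011123456789012
too-long 51123456789012345 random 1234567890123456"""

if __name__ == "__main__":
    for issuer, number in find_cards(SAMPLE):
        print(f"{issuer:10s} {number}")
```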