Hex File Header and ASCII Equivalent grep/egrep

Hex File Headers and

File headers are used to identify a file by grep's strength is extracting information from Regex for Forensics
examining the first 4 or 5 bytes of its text files. grep operates on one or multiple
hexadecimal content. files when provided with a command line Cheat Sheet v1.0
argument(s) that can also include wildcards: SANS Forensics
Filetype Start Start ASCII
Translation Example: grep "John" addressbook http://computer-forensics.sans.org
Would return the lines that contained the http://blogs.sans.org/computer-forensics
"John" string in the addressbook text file By Guy Bruneau, gbruneau@sans.org
ani 52 49 46 46 RIFF
au 2E 73 6E 64 snd
bmp 42 4D F8 A9 BM Some useful flags:
Purpose
bmp 42 4D 62 25 BMp%
bmp 42 4D 76 03 BMv -A Print number of lines after the match Forensic Analysts are on the front lines of
-B Print number of lines before match
cab
dll
4D
4D
53
5A
43
90
46
00
MSCF
MZ -c Report number of occurrences computer investigations. This guide aims to
Excel D0 CF 11 E0 -f Reads one or more patterns from a file. support Forensic Analysts in their quest to
exe 4D 5A 50 00 MZP (inno) Pattern are terminated by a newline uncover the truth.
exe 4D 5A 90 00 MZ -h Suppress the file names on the output
flv 46 4C 56 01 FLV -i Ignore case
gif 47 49 46 38 39 61 GIF89a -l Report matching files, not matching lines How To Use This Sheet
gif 47 49 46 38 37 61 GIF87a -P Interpret pattern as a Perl Regex
gz 1F 8B 08 08 -v Reverse operation: return the lines not When performing an investigation it is helpful to be
ico 00 00 01 00 matching the string reminded of the powerful options available to the
jpeg FF D8 FF E1 investigator. This document is aimed to be a
The egrep (extended grep) utility can be useful
jpeg FF D8 FF E0 JFIF
to match several possible strings at the same reference to the tools that could be used.
jpeg FF D8 FF FE JFIF
Linux bin 7F 45 4C 46 ELF time (in an OR mode):
png 89 50 4E 47 PNG This sheet is split into these sections:
msi D0 CF 11 E0 egrep "John|Peter" addressbook
mp3 49 44 33 2E ID3 grep "John\|Peter" addressbook
mp3 49 44 33 03 ID3 Hex File Headers
OFT 4F 46 54 32 OFT2 grep/egrep
PPT D0 CF 11 E0 sort
PDF 25 50 44 46 %PDF
rar 52 61 72 21 Rar!
awk
sfw 43 57 53 06/08 cws
sort sed
tar 1F 8B 08 00 uniq
sort, as its name implies, will sort the
tgz 1F 9D 90 70
output. There are a few interesting options you date
Word D0 CF 11 E0
wmv 30 26 B2 75 can use: Windows findstr
zip 50 4B 03 04 PK
-d Uses dictionary order. Only letters,
digits and blanks.
-n will sort the output assuming it is
numerical (instead of string)
The key to successful forensics is minimizing
-u will remove redundant line, 'uniquing' your data loss, accurate reporting, and a
the results thorough investigation.
 awk uniq Windows findstr
Forensic Analysis
awk is an extremely useful tool, especially for
parsing data structured in columns. It is
The uniq command reads the input and compares
adjacent lines. If two or more adjacent lines
Cheat Sheet
The Windows findstr has one interesting
feature that differs from grep. If you need
straightforward to use for simple purposes. Its are identical, all but one is removed. to search for multiple strings, Forensics
you need to
basic use is to select some particular columns separate them with a space.
from the output: column 1 is referred to as $1, Here is a list of the most common options used MANDIANT
column 2 as $2, etc. with uniq: For example, you want or needcontact@mandiant.com
to look for a
match for WHITE or GREEN in a text703.683.3141
file, you
The space is the default awk separator. However -c Prefix line with number of occurrence write your command like this: http://www.mandiant.org
if you want to be able to parse data separated -f Avoid comparing the first N fields
by some other character, e.g. ":", you can use -i Ignore case findstr "WHITE GREEN" textfile
the -F flag. -s Avoid comparing the first N characters
-u Only print unique lines To make the search case insensitive, add the
Example: echo "hello:goodbye" | awk -F: /I to print all variant of WHITE or GREEN.
'{print $2}' Consider this input file:
a Windows findstr Command List
Would return "goodbye" as an output b
c /B Matches pattern if at the beginning of
b a line.
Now run uniq on it: sort testfile | uniq /E Matches pattern if at the end of a
sed a line.
b /L Uses search strings literally.
sed is an excellent command for character c /R Uses search strings as regular
substitution. Example: if you want to Now run uniq -c on it: expressions.
substitute the first occurrence of the 'a' /S Searches for matching files in the
character by an 'e': 1 a current directory and all
2 b subdirectories.
echo "hallo" | sed 's/a/e/' 1 c /I Specifies that the search is not to be
case-sensitive.
The output would be: hello /X Prints lines that match exactly.
You can use the g modifier to substitute all /V Prints only lines that do not contain
Date a match.
instances:
/N Prints the line number before each
Check the date man page for more options. line that matches.
echo "Hallo Janny" | sed 's/a/e/g'
/M Prints only the filename if a file
Returns the real date from epoch time: contains a match.
The output would be: Hello Jenny
date d @1284127201 /O Prints character offset before each
matching line.
Return an epoch time of 1288756800: /P Skip files with non-printable
date +%s -d 2010-11-03 characters.

Return a 2 days old date:

date --date="-2 days" +"%Y-%m-%d"

Return 20:00 hours:

date -d @1288310401 +%k:%M