Re: [sleuthkit-users] Best way to multi-keyword search with Autopsy Regex?
From: Brian C. <ca...@sl...> - 2003-06-05 14:53:00
On 05 Jun 2003 03:05 PDT you wrote:

> I'm looking for the best way to regex search with Autopsy for two
> disjoint words.
>
> In other words, I am looking for the appearance of two names in a given
> sector, i.e. Bob and Mike

You can't restrict yourself to one sector. Autopsy will first run strings on the image and then 'grep' the strings output. So, at best you can only search for the two words within the same string.

> What would be the best way to do this?
...
> [[Mike|mike](.*)[Bob|bob]|[Bob|bob](.*)[Mike|mike]]

You don't want to use the '[' because that tells grep to use any char in between the next ']'. You could maybe use the following:

((([Mm]ike)(.*)([Bb]ob))|(([Bb]ob)(.*)([Mm]ike)))

Typically (.*) will gobble up as much as possible though, so it may not be the best choice. In Perl, (.*?) would be used to minimize how much it uses. I don't know of the equivalent in grep.

You can't use this in Autopsy, but I would use the following from the command line on the strings file:

grep -E '([Mm]ike)' img.dd.str | grep -E '([Bb]ob)'

You'll have to manually calculate which block the hit is in, but it will give you a quick overview of whether the words exist.

I've included a 'grep cheat sheet' in the next version of Autopsy and am looking for feedback on the most important things to have documented there. Send me anything people want to see.

good luck
brian
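As an added example that is not part of the list message or of The Sleuth Kit: a small Python script that runs the same two-keyword search over `strings -t d` output (offset plus string) and works out which block or blocks each hit spans, instead of calculating that by hand. The names `find_both` and `block_span` and the sample strings output are constructed for this illustration; the regex is the one from the mail with Perl-style `(.*?)`, which Python's `re` supports.

```python
"""Two-keyword search over `strings -t d` output with block mapping.
Added example; find_both/block_span are hypothetical helper names."""
import re

# Constructed sample in the shape of `strings -t d img.dd` output
# (decimal byte offset, one space, the string). Not from a real image.
SAMPLE = """\
   1024 Meeting notes: Mike and Bob reviewed the quarterly plan
   2040 Bob and Mike agreed to meet
   4096 bob called mike about the invoice
   8200 Mike was here
   9000 Bob only
  12288 alice and carol
"""

# The mail's pattern with non-greedy (.*?): either name first, both
# must appear within the same extracted string.
BOTH_NAMES = re.compile(r"([Mm]ike)(.*?)([Bb]ob)|([Bb]ob)(.*?)([Mm]ike)")
LINE = re.compile(r"^\s*(\d+) (.*)$")


def parse_strings_output(text):
    """Yield (byte_offset, string) pairs from `strings -t d` style lines."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)


def block_span(offset, length, block_size=512):
    """First and last block a string touches. A string can cross a block
    boundary, which is one reason a hit cannot be pinned to one sector."""
    return offset // block_size, (offset + length - 1) // block_size


def find_both(text, pattern=BOTH_NAMES, block_size=512):
    """Return [(offset, first_block, last_block, string)] for every string
    in which both names occur; this replaces the manual block arithmetic."""
    hits = []
    for offset, s in parse_strings_output(text):
        if pattern.search(s):
            first, last = block_span(offset, len(s), block_size)
            hits.append((offset, first, last, s))
    return hits


if __name__ == "__main__":
    for offset, first, last, s in find_both(SAMPLE):
        where = f"block {first}" if first == last else f"blocks {first}-{last}"
        print(f"{offset:>8} ({where}): {s}")
```

Run it against real `strings -t d img.dd` output by reading that file into `find_both` in place of `SAMPLE`; the block size argument should match the file system's block size rather than the 512-byte default.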