Search tools for forensic investigation
During a forensic investigation, a large part of the work consists of searching through files.
Below is a brief list of the tools I usually use for this type of activity.
awk
An extremely useful tool, especially for parsing data structured in columns: its basic use is to select particular columns from the output (column 1 is referred to as $1, column 2 as $2, and so on).
Whitespace is the default awk field separator; if you need to parse data separated by some other character, set the separator with the -F flag.
Example
echo "hi:andy" | awk -F: '{print $2}'
would return "andy" as output.
sed
Useful for character and string substitution.
Example
If you need to replace the first occurrence of the 'a' character with an 'e':
echo "hallo" | sed 's/a/e/'
The output will be: hello
You can use the g modifier to substitute all instances:
echo "Hay Duda" | sed 's/a/e/g'
The output would be: Hey Dude
uniq
This command reads its input and compares adjacent lines. If two or more adjacent lines are identical, all but one are removed. Because only adjacent lines are compared, the input is normally sorted first.
Here is a list of the most common options used with uniq:
-c Prefix each line with its number of occurrences
-f N Skip the first N fields when comparing
-i Ignore case
-s N Skip the first N characters when comparing
-u Only print lines that occur once
For example, consider this input file (testfile):
a
b
b
c
c
c
Now run uniq on it:
sort testfile | uniq
a
b
c
Now run uniq -c on it:
sort testfile | uniq -c
1 a
2 b
3 c
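The awk, sed and uniq sections above each show a single command; in practice they are chained. The following is an added example (not code from the original post) that runs the three tools as one pipeline over a constructed, syslog-style auth log embedded in the script. The log lines, host name and addresses are made up for the example. The awk program locates the field after the word "from" instead of hard-coding a column number, because the "invalid user" wording shifts the columns of some lines.

```shell
#!/bin/sh
# Constructed sample auth-log lines (not real data); addresses are documentation ranges.
SAMPLE_LOG='Mar 10 08:01:02 host sshd[1201]: Failed password for root from 198.51.100.7 port 4422 ssh2
Mar 10 08:01:05 host sshd[1202]: Failed password for admin from 198.51.100.7 port 4423 ssh2
Mar 10 08:02:11 host sshd[1203]: Accepted password for andy from 192.0.2.10 port 5100 ssh2
Mar 10 08:03:40 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 6001 ssh2
Mar 10 08:04:01 host sshd[1205]: Failed password for root from 198.51.100.7 port 4424 ssh2'

# failed_by_source: print "count address" for every source of a failed login,
# most frequent first. awk prints the field that follows "from" (its column
# position varies), sort groups identical addresses, uniq -c counts each group,
# sort -rn orders by count and sed strips the leading blanks uniq -c adds.
failed_by_source() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn \
      | sed 's/^ *//'
}

# users_by_attempts: sed first rewrites "invalid user NAME" to "NAME" so that
# the user name always follows "for"; awk then extracts it and uniq -c counts.
users_by_attempts() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed 's/invalid user //' \
      | awk '/password for/ { for (i = 1; i <= NF; i++) if ($i == "for") print $(i+1) }' \
      | sort | uniq -c | sed 's/^ *//'
}

failed_by_source
users_by_attempts
```

The first pipeline answers "which address produced the most failed logins" and the second "which accounts were tried", which are the two questions usually asked of an auth log during triage.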
date
Check the date man page for more options.
Example
Returns the human-readable date for an epoch time:
date -d @1284127201
Return an epoch time of 1288756800:
date +%s -d "2010-11-03"
Return a 2 days old date:
date --date="-2 days" +"%Y-%m-%d"
Return 20:00 hours:
date -d @1288310401 +%k:%M
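The epoch values above are converted in the local timezone of the workstation, which is why the same epoch can render as 20:00 on one machine and 00:00 on another. The following is an added example (not code from the original post) that pins TZ to UTC so the conversions are reproducible, and applies it to a constructed "epoch,event" record set of the kind many forensic tools export. The record values are made up for the example.

```shell
#!/bin/sh
# Constructed sample records: "epoch_seconds,event" (not real data).
EVENTS='1288310401,logon
1288756800,file_created
1284127201,usb_inserted'

# epoch_to_iso EPOCH: render an epoch second as UTC ISO 8601. TZ is pinned so
# the output does not depend on the examiner's local zone (GNU date -d @N).
epoch_to_iso() {
    TZ=UTC date -d "@$1" +"%Y-%m-%dT%H:%M:%SZ"
}

# iso_to_epoch DATE: the inverse, again interpreted in UTC rather than local time.
iso_to_epoch() {
    TZ=UTC date -d "$1" +%s
}

# render_events: rewrite the first column of every record into UTC time.
render_events() {
    printf '%s\n' "$EVENTS" | while IFS=, read -r ts event; do
        printf '%s %s\n' "$(epoch_to_iso "$ts")" "$event"
    done
}

render_events
```

Always record which timezone a timeline was rendered in; 1288310401 is 00:00:01 UTC, but the section above shows it as 20:00 because the author's machine was four hours behind UTC.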
grep/egrep
The best tool for extracting information from text files. The command operates on one or more files given as command line arguments, which may include wildcards.
Example
grep "Andy" addressbook
would return the lines containing the string "Andy" in the addressbook text file.
Some useful flags:
-A N Print N lines after each match
-B N Print N lines before each match
-c Report the number of matching lines instead of the lines themselves
-f FILE Read one or more patterns from FILE, one pattern per line
-h Suppress the file names in the output
-i Ignore case
-l Report matching file names, not matching lines
-P Interpret the pattern as a Perl regex
-v Reverse operation: return the lines not matching the string
The egrep (extended grep) utility can be useful to match several possible strings at the same time (in an OR mode):
egrep "Andy|Peter" addressbook
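The following is an added example (not code from the original post) that exercises the flags listed above against two small constructed text files and a pattern file, all written to a temporary directory by the script itself; the names and numbers are made up. Each flag is wrapped in a small function so its effect can be checked on its own. Modern grep prints a deprecation warning for egrep, so the alternation example uses the equivalent grep -E.

```shell
#!/bin/sh
# Build a constructed working directory with sample files (not real data).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/addressbook" <<'EOF'
Andy Smith, 555-0100
Peter Jones, 555-0101
Maria Lopez, 555-0102
andy (alt), 555-0103
EOF
cat > "$WORK/notes.txt" <<'EOF'
meeting with Peter
call Maria
EOF
# Pattern file for -f: one pattern per line.
cat > "$WORK/patterns" <<'EOF'
Andy
Peter
EOF

# count_ci FILE STRING: -c reports the number of matching lines, -i ignores case.
count_ci() { grep -ic "$2" "$WORK/$1"; }

# not_andy: -v returns the lines that do not contain the string.
not_andy() { grep -v "Andy" "$WORK/addressbook"; }

# files_with_peter: -l lists only the names of files that contain a match.
files_with_peter() { (cd "$WORK" && grep -l "Peter" addressbook notes.txt); }

# from_pattern_file: -f reads the patterns from a file (same as "Andy|Peter").
from_pattern_file() { grep -f "$WORK/patterns" "$WORK/addressbook"; }

# either_name: grep -E is the same as egrep, alternation matches either string.
either_name() { grep -E "Andy|Peter" "$WORK/addressbook"; }

# after_maria: -A 1 prints one line of context after each match.
after_maria() { grep -A 1 "Maria" "$WORK/addressbook"; }

count_ci addressbook andy
not_andy
files_with_peter
from_pattern_file
either_name
after_maria
```

The -f form is the one to reach for during an investigation: keep the indicators you are hunting for (host names, user names, hashes) in a file and run them against the evidence in one pass instead of building an ever-longer alternation on the command line.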
Windows findstr
The Windows findstr command has one interesting feature that differs from grep: if you need to search for multiple strings, you separate them with a space.
For example, to look for a match for WHITE or GREEN in a text file, you write the command like this:
findstr "WHITE GREEN" textfile
To make the search case insensitive, add /I to print all variants of WHITE or GREEN.
Windows findstr Command List
/B Matches pattern if at the beginning of a line
/E Matches pattern if at the end of a line
/L Uses search strings literally
/R Uses search strings as regular expressions
/S Searches for matching files in the current directory and all subdirectories
/I Specifies that the search is not to be case-sensitive
/X Prints lines that match exactly
/V Prints only lines that do not contain a match
/N Prints the line number before each line that matches
/M Prints only the filename if a file contains a match
/O Prints character offset before each matching line
/P Skip files with non-printable characters
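The space-separated behaviour above has a consequence the list does not spell out: a phrase that itself contains a space is split into two search terms. The following is an added example (not from the original post) combining the listed switches, plus /C:, which is a real findstr switch that searches for its argument as one literal string; textfile and the *.log glob are placeholders.

```batch
@echo off
rem Search every .log file below the current directory for either word,
rem case-insensitively, printing file name and line number for each hit.
findstr /S /I /N "WHITE GREEN" *.log

rem A phrase with a space must be given with /C: or findstr treats
rem "failed" and "password" as two separate search terms.
findstr /S /I /N /C:"failed password" *.log

rem /V keeps only the lines that match neither word, useful for
rem removing known-noise lines before reading what remains.
findstr /V /I "WHITE GREEN" textfile
```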