grep Cheat Sheet
Escaped Values
Autopsy uses the grep utility to search an image. grep requires
that some values be "escaped" if they are searched for. Autopsy
will automatically escape those values if the serach is being done for
a non-regular expression. The escaped values include:
Regular Expressions
Refer to the man page for 'grep' for more details of creating regular
expressions. Autopsy uses the '-E' flag with 'grep' to specify
extended regular expressions. The following have special meaning
with grep:
- [A-Za-z]: Any lower and upper case letter
- [:alpha:]: same as above
- [0-9]: Any number
- [:digit:]: same as above
- [0-9A-Za-z]: Any lower and upper case letter or digit
- [:alnum:]: same as above
- [:space:]: Any white space
To specify how many times something can occur, the following are used:
- ?: Optional and can only occur once
- *: Optional and can occur more than once
- +: Required and can occur more than once
To specify more than one string to match, use the | operator.
Examples
To search for 'Jane Smith' or 'Jack Smith': (Jane)|(Jack) Smith
To ensure it matches if a tab is between the first and last name:
(Jane)|(Jack)[:space:]Smith
To search for 'Jane Smith' or 'Jane Anne Smith':
Jane( Anne)? Smith
or: Jane([:space:]Anne)?[:space:]Smith
Brian Carrier