Welcome back to Digital Forensic Concepts. We're talking about keywords and grep searches. In this module, Module 2, we're going to review grep and extended grep. Grep stands for global regular expression print. It functions on Linux and Mac; GNU grep version 3.4 is the most recent. Windows does have an equivalent. It's called findstr (F-I-N-D-S-T-R). Now when we're talking about grep, the syntax is: first our options, then our search term, and then the file name of the file we're searching. With the Windows equivalent findstr, the syntax would be flags, which are very similar to options, then our search term, and then the path and file name of the file we wanted to search.

Now that we're talking about grep, we're going to go over some of the options. The -w means we're searching for a whole word. The -i makes the search case insensitive. The -n shows us the line number of the hit, so it would actually print the line number the hit occurred on. The -r is for a recursive search, and that would search a directory recursively for our search term. The -l will list the files in which the search term matches, and we could use that when we search a directory with -r. The lowercase -c will list the files with search-term matches along with the number of hits it finds in each file. The -B is for the number of lines before the hit; we're going to see in our example a -B 4, and that would show us four lines before the hit. The -A stands for after the hit; if we had in our example a -A 4, that would show us four lines after our hit. Now the -C combines both B and A, and it'll show us that number of lines before and after our hit.

Now our operators. -E means extended grep, and the syntax here is grep -E, then our regular expression, what we're searching for, and then our file name. A \d would be any digit. A dot would be a single character.
A question mark means the preceding character matches zero or one times only. The asterisk means the preceding character matches zero or more times. The plus sign means the preceding character matches one or more times. The parentheses you see here are what allow a group of characters to behave as one unit. The pipe symbol is the logical OR, and the upward caret signifies matching at the beginning of a line. You'll see these will all make more sense when we look at an actual regular expression, which we will very shortly. The dollar sign signifies matching the end of a line. The backslash is the escape character.

Now when we're using the curly brackets, we could have a number inside there; that's what the n stands for. It means the preceding character matches exactly n times, whatever that number is. If we had an n and a comma and an m, {n,m}, that would mean the preceding character matches at least n times but not more than m times. Whatever numbers we put in there, we could put in a one and a five, {1,5}, and that would mean it matches at least one time but not more than five times.

Now we have our square brackets, and we have characters or symbols inside them. What that means is the character matches one of those included within the square brackets: the character we're searching for, whether it's a letter, a number, a dot, or a dash, would be one of the characters listed within the square brackets. Now if we use the upward caret within the square brackets, it means the character is not one of those included. It would exclude the a, the g, and the d if we used the upward caret preceding them within the square brackets, [^agd]. If we have square brackets and we're using a hyphen between the c and the f, that dash within the square brackets operates as a range. If I have c and f as my range, [c-f], my search results would be a c, a d, an e, or an f, so all the characters from c through f.

Now, the difference between grep and egrep.
In grep's basic regular expressions, the meta-characters, the special characters or operators, lose their meaning and are treated as normal characters in a string. In order for them to be treated as special characters, we need to put that escape character before them to signify that they are being used as a special character or an operator. In extended grep regular expressions, the special characters like our parentheses, our OR sign, our plus sign, and the question mark retain their meaning, and they're going to be treated as special characters unless they are preceded by the escape character. In our next module we're going to take a look at using some grep expressions.
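To tie the options and operators from this module together before the next one, here is an added example (mine, not part of the course or of GNU grep's own documentation) that runs them against a small constructed log in a scratch directory. It assumes GNU grep, for -E, -r, -l, the -B/-A/-C context options and the \| alternation in basic grep, and the log lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the course: exercise the grep options and extended-grep
# operators from this module on a small constructed log. Assumes GNU grep.
set -u

# Constructed sample data: two files in a scratch directory so -r and -l have something to walk.
WORK="$(mktemp -d)"
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT
printf '%s\n' \
  'Jan 10 09:00:01 host sshd[1201]: Accepted password for alice from 10.0.0.7 port 51022' \
  'Jan 10 09:00:05 host sshd[1201]: session opened for user alice' \
  'Jan 10 09:01:17 host sshd[1340]: Failed password for root from 203.0.113.9 port 40011' \
  'Jan 10 09:01:19 host sshd[1340]: Failed password for root from 203.0.113.9 port 40013' \
  'Jan 10 09:02:44 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)' \
  > "$WORK/auth.log"
printf '%s\n' 'nothing interesting here' 'FAILED PASSWORD? no, just text' > "$WORK/notes.txt"

# -w whole word, -i case-insensitive, -c count of matching lines in the file
count_failed() { grep -c -w -i 'failed' "$WORK/auth.log"; }

# -r recurses into the directory, -l lists only the file names that contain a match
files_with_root() { grep -r -l -w 'root' "$WORK" | sed 's|.*/||' | sort | paste -sd ' ' -; }

# -n prefixes each hit with its line number; -E turns on extended regex, where
# ^ anchors the line start, (a|b) groups an OR, {n,m} bounds repeats and \. escapes the dot
failed_line_numbers() {
  grep -n -E '^Jan .*Failed password for (root|admin) from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
    "$WORK/auth.log" | cut -d: -f1 | paste -sd ' ' -
}

# -C 1 prints one line of context before and after the hit (same as -B 1 -A 1);
# the hit is on the last line, so only the line before it gets added
context_line_count() { grep -C 1 'cron' "$WORK/auth.log" | wc -l | tr -d ' '; }

# [^4] inside square brackets negates: a port whose first digit is anything but 4
odd_ports() { grep -o -E 'port [^4][0-9]{4}' "$WORK/auth.log" | paste -sd ' ' -; }

# In basic grep the same ( ) and | are literal unless escaped with the backslash
basic_grep_alt() { grep -c 'for \(alice\|root\) from' "$WORK/auth.log"; }

# Run every check when the script is executed directly
for f in count_failed files_with_root failed_line_numbers context_line_count odd_ports basic_grep_alt; do
  printf '%s: %s\n' "$f" "$($f)"
done
```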