├── LICENSE
├── README.md
└── RegExList.ini

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Josh Brunty

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Regular Expression List
Regular Expressions commonly used in Digital Forensic Tasks

Patterns anchored with `^` and `$` validate a whole field and will not fire inside surrounding text; to search free text or carved data with them, drop the anchors and bound the pattern with `\b` instead.

| Title | Regex | Regex101 | Links/Source |
|---|---|---|---|
| Age (Under 18) | `^(0?[1-9]{1}\|[1]{1}[0-7]{1})(\s\|[-])?(y(\s?)o\|yr([sz]?)\|year([sz]?)((\s\|[-])?(old)?)\|y)((\s?\|[-])(old)?)$` | [Regex101](https://regex101.com/r/oL1Cgs/1) | Digital Forensics Discord Server user `jball77` |
| BitLocker Recovery Key Identifier (GUID form; this is the key ID shown on the recovery screen, not the 48-digit recovery password) | `^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$` | [Regex101](https://regex101.com/r/nYykgL/2) | [BitLocker Overview](https://easyuefi.com/resource/bitlocker-recovery-key.html) |
| Credit Card Numbers (note: only the AMEX branch is unanchored, so `search` and `match` behave differently; Luhn-check every hit) | `(^4[0-9]{12}(?:[0-9]{3})?$)\|(^(?:5[1-5][0-9]{2}\|222[1-9]\|22[3-9][0-9]\|2[3-6][0-9]{2}\|27[01][0-9]\|2720)[0-9]{12}$)\|(3[47][0-9]{13})\|(^3(?:0[0-5]\|[68][0-9])[0-9]{11}$)\|(^6(?:011\|5[0-9]{2})[0-9]{12}$)\|(^(?:2131\|1800\|35\d{3})\d{11}$)` | [Regex101](https://regex101.com/r/HeuLIg/2/) | [IHateRegex](https://ihateregex.io/expr/credit-card) |
| Cut Folder Hierarchy | `.+(?=((\\|\/).+){2})` | [Regex101](https://regex101.com/r/pS5urG/1) | [RegexLib](https://regexlib.com/REDetails.aspx?regexp_id=12777) |
| Email Addresses | `(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)\|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}\|[0-9]{1,3})(\]?)(\s*;\s*\|\s*$))*` | [Regex101](https://regex101.com/r/qf1qdh/2) | [StackOverflow](https://stackoverflow.com/questions/9809357/regex-for-validating-multiple-e-mail-addresses) |
| Filenames (Short/Suspicious) | `^[\w,\s-]{1,3}\.[a-zA-Z0-9]{2,4}$` | [Regex101](https://regex101.com/r/MCNzMw/2) | [RegexTester](https://www.regextester.com/104048) |
| IPv4 | `\b(?:(?:25[0-5]\|2[0-4][0-9]\|1[0-9][0-9]\|[1-9]?[0-9])\.){3}(?:25[0-5]\|2[0-4][0-9]\|1[0-9][0-9]\|[1-9]?[0-9])\b` | [Regex101](https://regex101.com/r/Yj3q6l/1) | [bstrings](https://github.com/EricZimmerman/bstrings/blob/d95a1ad3972ba3857218561a0e1929762ebab65f/bstrings/Program.cs#L876) |
| IPv4 (External Only) | `\b(?!0\.)(?!10\.)(?!100\.6[4-9]\.)(?!100\.[7-9]\d\.)(?!100\.1[0-1]\d\.)(?!100\.12[0-7]\.)(?!127\.)(?!169\.254\.)(?!172\.1[6-9]\.)(?!172\.2[0-9]\.)(?!172\.3[0-1]\.)(?!192\.0\.0\.)(?!192\.0\.2\.)(?!192\.88\.99\.)(?!192\.168\.)(?!198\.1[8-9]\.)(?!198\.51\.100\.)(?!203\.0\.113\.)(?!22[4-9]\.)(?!23[0-9]\.)(?!24[0-9]\.)(?!25[0-5]\.)(([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5]))\b` | [Regex101](https://regex101.com/r/Ct1khx/1) | [StackOverflow](https://stackoverflow.com/questions/33453057/regex-to-only-match-public-ipv4-address) |
| IPv6 | `(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,7}:\|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}\|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}\|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}\|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}\|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})\|:((:[0-9a-fA-F]{1,4}){1,7}\|:)\|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9]))` | [Regex101](https://regex101.com/r/elIUjL/1) | [RegexTester](https://www.regextester.com/25) |
| MAC Address | `^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$` | [Regex101](https://regex101.com/r/TotZcR/1) | [StackOverflow](https://stackoverflow.com/questions/4260467/what-is-a-regular-expression-for-a-mac-address) |
| Passwords | `^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$ %^&*-]).{8,}$` | [Regex101](https://regex101.com/r/XQ4S1b/1) | [IHateRegex](https://ihateregex.io/expr/password/) |
| Phone Numbers (US) | `^(\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$` | [Regex101](https://regex101.com/r/2OLXcu/1) | [StackOverflow](https://stackoverflow.com/a/16699507/15393449) |
| URLs | `(https?:\/\/)?(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()!@:%_\+.~#?&\/\/=]*)` | [Regex101](https://regex101.com/r/GeH6XU/1) | [mathiasbynens.be](https://mathiasbynens.be/demo/url-regex) [URL Spec](https://url.spec.whatwg.org/#parsing) [IHateRegex](https://ihateregex.io/expr/url) |
| US Social Security Numbers | `^(?!0{3})(?!6{3})[0-8]\d{2}-(?!0{2})\d{2}-(?!0{4})\d{4}$` | [Regex101](https://regex101.com/r/XDAlwg/1) | [IHateRegex](https://ihateregex.io/expr/ssn/) |
| Username (Discord, legacy `name#1234` form with a four-digit discriminator) | `^.{3,32}#[0-9]{4}$` | [Regex101](https://regex101.com/r/bXCZn7/1) | [IHateRegex](https://ihateregex.io/expr/discord-username/) |
--------------------------------------------------------------------------------

/RegExList.ini:
--------------------------------------------------------------------------------
# Regular Expressions List
#
# Maintained by Josh Brunty, Associate Professor- Marshall University
#
# To add or suggest an entry, email me: josh [dot] brunty [at] marshall [dot] edu
#
# A line starting with '#' starts a comment line or disables a pattern.
# A line with just a '-' creates a separator in the menu.
# Blank lines do nothing.
# Pattern lines have the following form: patternName=pattern.
#
# Do not put spaces, tabs, etc. after the pattern, unless you intend
# to include them as part of the pattern.
#
# These expressions can be imported for use in Live Search in AccessData's
# Forensic Toolkit (FTK). Save this file as RegExList.ini and place it in the
# directory C://ProgramFiles/AccessData/FTK/Version/bin

# Internet patterns
MAC Address=\<([0-9a-fA-F]{2} ){5}[0-9a-fA-F]{2}\>
URL {http, https, ftp, ftps}=\<((((ht|f)tps?)\://)?[0-9a-z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel|[a-z]{2})(\:[0-9]{1,5}){0,2}(/($|[a-zA-Z0-9\.\?\+\*\$\~&%/#_,;'=-]+))*)+\>
mailto: ...=mailto\:[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel)(,[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel|[a-z]{2}))*(\?b?cc=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel)(,[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel|[a-z]{2}))*)*(\?(subject|body)=[a-zA-Z0-9\t \.\+\*\$\~&%/#_,;'-]+)*
# Note: the IPv6 pattern below carries JavaScript-style /.../ delimiters and
# ^\s* ... \s*$ anchors from its source; they are not part of the
# patternName=pattern form described above, so strip them before a live search.
IPv6 Internet Address=/^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$/

# Domain Name patterns
... .com=[0-9a-zA-Z._%+-]+\.com\>
... .edu=[0-9a-zA-Z._%+-]+\.edu\>
... .info=[0-9a-zA-Z._%+-]+\.info\>
... .net=[0-9a-zA-Z._%+-]+\.net\>
... .org=[0-9a-zA-Z._%+-]+\.org\>
... .gov=[0-9a-zA-Z._%+-]+\.gov\>
... .museum=[0-9a-zA-Z._%+-]+\.museum\>
... .tv=[0-9a-zA-Z._%+-]+\.tv\>
... .xxx=[0-9a-zA-Z._%+-]+\.xxx\>
... .=[0-9a-zA-Z._%+-]+\.([a-z]{2}|biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel)\>
-

# Email patterns
... @ ... .com=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.com\>
... @ ... .edu=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.edu\>
... @ ... .gov=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.gov\>
... @ ... .net=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.net\>
... @ ... .org=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.org\>
... @ ... . email address=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.([a-z]{2}|biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel)\>
-

# Credit Card Number patterns
All Issuers =\<(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})\>
AMEX =\<3\d\d\d[\-\. ]\d\d\d\d\d\d[\-\. ]\d\d\d\d\d\>
Visa =\<4\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>
Mastercard 1 =\<5\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>
Discover=\<6011([\-\. ]\d\d\d\d){3}\>
Credit Card Standard =\<(\d\d\d\d[\-\. ]){3}\d\d\d\d\>
Web Credit Card Transaction Receipt with X or # =([#x][#x][#x][#x][\- \.]?){3}\d\d\d\d\>

# Alternative Credit Card patterns (remove # from front of name to activate)
#American Express=\<3[47]\d{2}[\-\. ]?\d{6}[\-\. ]?\d{5}\>
#MasterCard/Visa=(\<5[1-5]\d{2}[\-\. ]?(\d{4}[\-\. ]?){2}\d{4}\>|\<4\d{3}[\-\. ]?(\d{4}[\-\. ]?){2}\d(?:\d{3})?\>)
-

# File Sharing patterns
Kazaa DAT file =.\x00{10}\x4b\x41\x5a\x41
Kazaa DBB =\<\x6C\x33\x33\x6C
Limewire DAT=\<\xac\xed\x00\x05sr

#other
Link File Parser (fast) - (Run on unallocated)=\x4C\x00\x00\x00\x01\x14\x02\x00{5}\xC0\x00{6}\x46.+?(([a-z]:\\)|(\\\\)).+?([a-z]:)?\\\\?.+?((\x00{5}\x00?\x00?\x00?\x00?\x00?)|\x60\x00\x00\x00\x03\x00\x00\xa0.{92})
Link File Parser with MAC/NETBIOS Info (Run on Unallocated)=\x4C\x00\x00\x00\x01\x14\x02\x00{5}\xC0\x00{6}\x46.+?[a-z]:?\\\\?.+?\x60\x00\x00\x00\x03\x00\x00\xa0.{92}
INFO2 Files FAST All Years=[\x02-\x19]\x00{3}.{7}\x01.{4}[c-z]\x00\:\x00\\
INFO2-Expanded (Run on Unallocated)=([c-z]|\x00).{263}[\x02-\x19]\x00{3}.{12}[c-z]\x00\:\x00\\.{515}
MSN Hotmail Beginning=[/<]input type[/=]hidden name[/=]msgFromName value[/=]
MSN Hotmail End=
HTML Search Engine Return - Google Search =href=/advanced_search\?q=
INDEX.dat entries and Search Engine Return - Google Search =/search\?hl=..&q=
HTML Search Engine Return - Ebay.com, search.aol.com, mamma.com =[/?]query[/=]
HTML Search Engine - Ask Jeeves =href="\?q=
Orphaned Index.dat Files (with date)=url.{12}\x01.{7}\x01
Orphaned Index.dat Files (without date)=url.{101}http\:\/\/
Orphaned History Index.dat Files=url.{101}visited\:
Orphaned Index.dat Cookie Files=url.{101}cookie\:
IP Address=\<[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\>
#US dollar amount=\<\$ *(([1-9]\d{0,2}(\,\d{3})*)|([1-9]\d*)|(0))(\.\d{2})?\>
-

# Phone Number patterns
US Phone Number=((\<1[\-\. ])?(\(|\<)\d\d\d[\)\.\-/ ] ?)?\<\d\d\d[\.\- ]\d\d\d\d\>
UK Phone Number=\<(\+44[\-\. ])?\(?0\)? ?[12789]\d\d?\d?[\-\. ]\d\d\d\d?[\-\. ]?\d\d\d\d?[\-\. ]?\>
-
Social Security Number=\<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\>
--------------------------------------------------------------------------------
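The README table's "Credit Card Numbers" entry is an anchored validator in five of its six branches and an unanchored search pattern in the AMEX branch, so its behaviour depends on how it is run: `re.search` over free text never fires on the anchored branches, while the AMEX branch happily matches a 15-digit prefix of a longer digit run. The Python script below is an added example, not code from this repository or from the cited sources. It runs the README pattern unchanged, then as a `\b`-bounded search form with the per-branch anchors removed, and Luhn-checks each hit, which is the filter a practitioner applies before treating a regex hit as a card number. `SAMPLE`, `luhn_ok` and `find_cards` are this example's own names; the digit strings are the well-known brand test numbers plus one Luhn-invalid variant and one over-long run, not real card data.

```python
import re

# Credit-card regex as listed in the README table; the table's "\|" is
# markdown escaping for "|", so plain alternation is used here.
CC_VALIDATOR = (
    r"(^4[0-9]{12}(?:[0-9]{3})?$)"
    r"|(^(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}$)"
    r"|(3[47][0-9]{13})"  # the AMEX branch carries no ^...$ anchors
    r"|(^3(?:0[0-5]|[68][0-9])[0-9]{11}$)"
    r"|(^6(?:011|5[0-9]{2})[0-9]{12}$)"
    r"|(^(?:2131|1800|35\d{3})\d{11}$)"
)

# Search form for carving: drop every per-branch ^/$ and bound the whole
# alternation with \b so no branch can match a prefix of a longer digit run.
CC_SEARCH = re.compile(
    r"\b(?:" + CC_VALIDATOR.replace("(^", "(").replace("$)", ")") + r")\b"
)


def validator_search(text):
    """re.search with the README pattern unchanged: inside surrounding text
    only the unanchored AMEX branch can fire, and it does not respect \\b."""
    m = re.search(CC_VALIDATOR, text)
    return m.group(0) if m else None


def luhn_ok(digits):
    """Luhn mod-10 check: from the right, double every second digit,
    subtract 9 when the double exceeds 9, and require a total divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return (candidate, luhn_passes) for every \\b-bounded regex hit."""
    return [(m.group(0), luhn_ok(m.group(0))) for m in CC_SEARCH.finditer(text)]


# Constructed sample (example's own): brand test numbers, one Luhn-invalid
# Visa-shaped string, and a 19-digit run that starts like an AMEX number.
SAMPLE = ("card=4111111111111111 amex=378282246310005 "
          "bad=4111111111111112 run=3782822463100051234 mc=5105105105105100")

if __name__ == "__main__":
    print(validator_search("card=4111111111111111"))    # None: ^...$ branch cannot fire mid-text
    print(validator_search("run=3782822463100051234"))  # 378282246310005: a 15-digit prefix
    for pan, ok in find_cards(SAMPLE):
        print(pan, "luhn ok" if ok else "LUHN FAIL")
```

The search form reports four candidates and flags `4111111111111112` as a Luhn failure; the 19-digit run is not reported at all because the trailing `\b` cannot fall between two digits.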
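To reuse the RegExList.ini patterns outside FTK, a loader has to honour the rules stated in the file's header (`#` starts a comment or disables a pattern, a lone `-` is a menu separator, blank lines do nothing, `patternName=pattern` splits on the first `=`, and trailing whitespace after the pattern is significant) and must translate the GNU-style `\<` and `\>` word anchors the patterns use, which Python's `re` does not understand (it reads `\<` as a literal `<`, so an untranslated pattern never matches). The script below is an added example and is not part of this repository. `SAMPLE_INI` is a constructed excerpt that copies four patterns verbatim from the file and adds lines that exercise each header rule; `SAMPLE_TEXT` is constructed and contains no real identifiers; the function names are this example's own.

```python
import re

# Constructed excerpt in RegExList.ini form (example's own): the four active
# patterns are copied verbatim from the file; the remaining lines exercise the
# comment, disabled-pattern, separator, blank-line and empty-pattern cases.
SAMPLE_INI = r"""# Internet patterns
MAC Address=\<([0-9a-fA-F]{2} ){5}[0-9a-fA-F]{2}\>
-

# Credit Card Number patterns
Visa =\<4\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>
#US dollar amount=\<\$ *(([1-9]\d{0,2}(\,\d{3})*)|([1-9]\d*)|(0))(\.\d{2})?\>
MSN Hotmail End=

# Phone Number patterns
US Phone Number=((\<1[\-\. ])?(\(|\<)\d\d\d[\)\.\-/ ] ?)?\<\d\d\d[\.\- ]\d\d\d\d\>
Social Security Number=\<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\>
"""

# Constructed text with exactly one hit per active pattern (example's own).
SAMPLE_TEXT = ("mac 00 1a 2b 3c 4d 5e ssn 123-45-6789 tel (304) 555-0100 "
               "visa 4111 1111 1111 1111 end")


def parse_regex_list(text):
    """Apply the file's own rules: '#' starts a comment or disables a pattern,
    a lone '-' is a menu separator, blank lines do nothing, and a pattern line
    is patternName=pattern split on the first '='.  Whitespace after the
    pattern is part of the pattern and is kept; the name is stripped for display."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.strip() == "-":
            continue
        name, sep, pattern = line.partition("=")
        if not sep or not pattern:  # no '=' or an empty pattern: nothing to search
            continue
        entries.append((name.strip(), pattern))
    return entries


def to_python_regex(pattern):
    """Translate the FTK/GNU-style \\< and \\> word anchors to Python's \\b.
    Only an unescaped backslash is touched, so a literal '\\\\<' survives."""
    return re.sub(r"(?<!\\)\\[<>]", r"\\b", pattern)


def compile_list(text):
    """Compile every active pattern; report (rather than abort on) the ones
    Python's re dialect rejects, so one bad entry does not drop the list."""
    compiled = {}
    for name, pattern in parse_regex_list(text):
        try:
            compiled[name] = re.compile(to_python_regex(pattern))
        except re.error as exc:
            print(f"skipping {name!r}: {exc}")
    return compiled


def search_all(text, compiled):
    """Run every compiled pattern over text; returns {name: [hits]}."""
    return {name: [m.group(0) for m in rx.finditer(text)]
            for name, rx in compiled.items()}


if __name__ == "__main__":
    for name, hits in search_all(SAMPLE_TEXT, compile_list(SAMPLE_INI)).items():
        print(f"{name}: {hits}")
```

Pointing `compile_list` at the real file reads it unchanged; the `skipping` report is where entries that depend on a non-Python dialect (the `/.../`-delimited IPv6 line, for instance) surface instead of failing silently.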