Hex File and Regex Cheat Sheet

This document provides information on file headers identified by examining the first 4-5 bytes of hexadecimal content. It lists common file types and their identifying hexadecimal start values. It also provides concise summaries of the grep, sort, awk, sed, uniq, date, and Windows findstr commands and some of their most useful flags and operations.
Hex File Headers and Regex for Forensics
Cheat Sheet v1.0

SANS Forensics
http://computer-forensics.sans.org
http://blogs.sans.org/computer-forensics

By Guy Bruneau, [email protected]

Forensic Analysts are on the front lines of computer investigations. This guide aims to support Forensic Analysts in their quest to uncover the truth.

How To Use This Sheet
When performing an investigation it is helpful to be reminded of the powerful options available to the investigator. This document is intended as a reference to the tools that could be used.

This sheet is split into these sections:

Hex File Headers
grep/egrep
sort
awk
sed
uniq
date
Windows findstr

The key to successful forensics is minimizing your data loss, accurate reporting, and a thorough investigation.

grep/egrep
grep's strength is extracting information from text files. grep operates on one or multiple files when given command line argument(s), which can also include wildcards.

Example:
grep "John" addressbook
Would return the lines that contain the "John" string in the addressbook text file.

Some useful flags:

Flag   Purpose
-A N   Print N lines after the match
-B N   Print N lines before the match
-c     Report the number of occurrences
-f     Read one or more patterns from a file. Patterns are terminated by a newline
-h     Suppress the file names on the output
-i     Ignore case
-l     Report matching files, not matching lines
-P     Interpret the pattern as a Perl regex
-v     Reverse operation: return the lines not matching the string

The egrep (extended grep) utility can be useful to match several possible strings at the same time (in an OR mode):
egrep "John|Peter" addressbook
grep "John\|Peter" addressbook

sort
sort, as its name implies, will sort the output. There are a few interesting options you can use:

Flag   Purpose
-d     Uses dictionary order. Only letters, digits and blanks.
-n     Sorts the output assuming it is numerical (instead of string)
-u     Removes redundant lines, 'uniquing' the results

Hex File Header and ASCII Equivalent
File headers are used to identify a file by examining the first 4 or 5 bytes of its hexadecimal content.

Filetype    Start (hex)          Start ASCII Translation
ani         52 49 46 46          RIFF
au          2E 73 6E 64          snd
bmp         42 4D F8 A9          BM
bmp         42 4D 62 25          BMp%
bmp         42 4D 76 03          BMv
cab         4D 53 43 46          MSCF
dll         4D 5A 90 00          MZ
Excel       D0 CF 11 E0
exe         4D 5A 50 00          MZP (inno)
exe         4D 5A 90 00          MZ
flv         46 4C 56 01          FLV
gif         47 49 46 38 39 61    GIF89a
gif         47 49 46 38 37 61    GIF87a
gz          1F 8B 08 08
ico         00 00 01 00
jpeg        FF D8 FF E1
jpeg        FF D8 FF E0          JFIF
jpeg        FF D8 FF FE          JFIF
Linux bin   7F 45 4C 46          ELF
png         89 50 4E 47          PNG
msi         D0 CF 11 E0
mp3         49 44 33 2E          ID3
mp3         49 44 33 03          ID3
OFT         4F 46 54 32          OFT2
PPT         D0 CF 11 E0
PDF         25 50 44 46          %PDF
rar         52 61 72 21          Rar!
swf         43 57 53 06/08       cws
tar         1F 8B 08 00
tgz         1F 9D 90 70
Word        D0 CF 11 E0
wmv         30 26 B2 75
zip         50 4B 03 04          PK
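An added example, not part of the SANS cheat sheet: a POSIX shell script that reads a file's first four bytes with od and looks them up against the signatures in the header table on this sheet. The function names and the sample files are constructed here; it also shows the practical limit of the technique, since Excel, Word, PPT and msi share the same OLE header bytes.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): header-based file identification
# using only POSIX od/printf/sed/tr. Function names are assumptions.

# Print the first N (default 4) bytes of a file as upper-case hex: "89 50 4E 47".
header_hex() {
    od -An -tx1 -N"${2:-4}" "$1" | tr -s ' \n' ' ' | sed 's/^ //; s/ $//' | tr 'a-f' 'A-F'
}

# Map a 4-byte signature to a type from the table; "unknown" when no row matches.
# D0 CF 11 E0 is the OLE compound header shared by Excel, Word, PPT and msi,
# so the first four bytes cannot tell those apart (reported as "ole-compound").
signature_type() {
    case "$1" in
        "52 49 46 46") echo ani ;;                      # RIFF
        "25 50 44 46") echo PDF ;;                      # %PDF
        "89 50 4E 47") echo png ;;                      # .PNG
        "50 4B 03 04") echo zip ;;                      # PK..
        "4D 5A 90 00"|"4D 5A 50 00") echo exe ;;        # MZ / MZP (also dll)
        "7F 45 4C 46") echo "Linux bin" ;;              # .ELF
        "47 49 46 38") echo gif ;;                      # GIF8 (89a or 87a)
        "FF D8 FF E0"|"FF D8 FF E1"|"FF D8 FF FE") echo jpeg ;;
        "D0 CF 11 E0") echo ole-compound ;;             # Excel / Word / PPT / msi
        "1F 8B 08 "*) echo gz ;;                        # gzip (tar/tgz rows too)
        *) echo unknown ;;
    esac
}

# Identify a file by its first four bytes only; the extension is never consulted.
identify_file() {
    signature_type "$(header_hex "$1" 4)"
}

# Constructed sample files for a stand-alone run (removed afterwards).
tmp=$(mktemp -d)
printf '\211PNG\r\n\032\n' > "$tmp/image"
printf '%%PDF-1.4\n' > "$tmp/report"
printf 'just text\n' > "$tmp/notes"
for f in "$tmp"/*; do echo "$f: $(identify_file "$f")"; done
rm -rf "$tmp"
```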

awk
awk is an extremely useful tool, especially for parsing data structured in columns. It is straightforward to use for simple purposes. Its basic use is to select particular columns from the output: column 1 is referred to as $1, column 2 as $2, etc.

The space is the default awk separator. However, if you want to parse data separated by some other character, e.g. ":", you can use the -F flag.

Example:
echo "hello:goodbye" | awk -F: '{print $2}'
Would return "goodbye" as output.

sed
sed is an excellent command for character substitution. Example: if you want to substitute the first occurrence of the 'a' character with an 'e':
echo "hallo" | sed 's/a/e/'
The output would be: hello
You can use the g modifier to substitute all instances:
echo "Hallo Janny" | sed 's/a/e/g'
The output would be: Hello Jenny

uniq
The uniq command reads the input and compares adjacent lines. If two or more adjacent lines are identical, all but one are removed.

Here is a list of the most common options used with uniq:

Flag   Purpose
-c     Prefix each line with its number of occurrences
-f N   Avoid comparing the first N fields
-i     Ignore case
-s N   Avoid comparing the first N characters
-u     Only print unique lines

Consider this input file:
a
b
c
b
Now run uniq on it: sort testfile | uniq
a
b
c
Now run uniq -c on it: sort testfile | uniq -c
1 a
2 b
1 c
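An added example, not part of the SANS cheat sheet, that chains the grep/egrep, awk, sed, sort and uniq commands from the sections above into one triage pipeline over a constructed login log. The log format (epoch:source_ip:user:result), every value in it and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): a log-triage pipeline built from the
# tools on this sheet. Log format and values are constructed; names are assumptions.

# Constructed login log, written to stdout so the functions below read stdin.
sample_log() {
    cat <<'EOF'
1288756800:10.0.0.5:root:FAILED
1288756801:10.0.0.5:root:FAILED
1288756803:10.0.0.9:Alice:failed
1288756805:10.0.0.5:admin:FAILED
1288756810:10.0.0.7:bob:ACCEPTED
1288756812:10.0.0.9:alice:ACCEPTED
EOF
}

# Failed logins per source address, noisiest source first.
#   grep -i   match the result field in any case ("FAILED" and "failed")
#   awk -F:   column 2 of the ':'-separated record, i.e. the address
#   sort      uniq only collapses ADJACENT duplicates, so sort first
#   uniq -c   prefix each address with its occurrence count
#   sort -rn  numeric, descending
#   sed       strip uniq's leading padding so each line reads "count address"
failed_by_source() {
    grep -i ':failed$' | awk -F: '{print $2}' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Distinct accounts from a watch-list via grep -f (one pattern per line, OR
# semantics like egrep "root|admin"); names are case-folded so "Alice" and
# "alice" would count once, then sort -u drops the duplicates.
watchlist_users_seen() {
    pat=$(mktemp)
    printf 'root\nadmin\n' > "$pat"
    grep -f "$pat" | awk -F: '{print $3}' | tr 'A-Z' 'a-z' | sort -u
    rm -f "$pat"
}

# Successful logins for the given accounts: grep -E is the egrep OR form,
# grep -c reports the number of matching lines instead of the lines.
accepted_count() {
    grep -E ":($1):" | grep -ic ':accepted$'
}

echo "Failed logins by source:"; sample_log | failed_by_source
echo "Watch-list accounts seen:"; sample_log | watchlist_users_seen
echo "Accepted logins for bob|alice: $(sample_log | accepted_count 'bob|alice')"
```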

date
Returns the real date from epoch time:
date -d @1284127201
Returns an epoch time of 1288756800:
date +%s -d 2010-11-03
Returns a date 2 days old:
date --date="-2 days" +"%Y-%m-%d"
Returns 20:00 hours:
date -d @1288310401 +%k:%M
Check the date man page for more options.

Windows findstr
The Windows findstr has one interesting feature that differs from grep. If you need to search for multiple strings, you need to separate them with a space. For example, if you want to look for a match for WHITE or GREEN in a text file, you write your command like this:
findstr "WHITE GREEN" textfile
To make the search case insensitive, add /I to print all variants of WHITE or GREEN.

Windows findstr Command List

Flag   Purpose
/B     Matches pattern if at the beginning of a line.
/E     Matches pattern if at the end of a line.
/L     Uses search strings literally.
/R     Uses search strings as regular expressions.
/S     Searches for matching files in the current directory and all subdirectories.
/I     Specifies that the search is not to be case-sensitive.
/X     Prints lines that match exactly.
/V     Prints only lines that do not contain a match.
/N     Prints the line number before each line that matches.
/M     Prints only the filename if a file contains a match.
/O     Prints the character offset before each matching line.
/P     Skips files with non-printable characters.

Forensic Analysis Cheat Sheet
MANDIANT
[email protected]
703.683.3141
http://www.mandiant.org