|
Expression:
Info2 Files FAST All Years=[\x02-\x19]\x00{3}.{7}\x01.{4}[c-z]\x00\:\x00\\
Description: Run on unallocated space. Will find INFO2 records but will not highlight the entire hit.
User will have to expand the hit area to manually carve.
|
Expression:
INFO2-Expanded (Run on Unallocated)=([c-z]|\x00).{263}[\x02-\x19]\x00{3}.{12}[c-z]\x00\:\x00\\.{515}
Description:
Run on unallocated space. Will find and highlight INFO2 records. This runs VERY slowly but gets the entire hit and makes carving easy.
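As an added illustration (not part of the original expression list), the Python below translates the "Info2 Files FAST All Years" expression into a bytes regex, backs up from the drive-number anchor to the start of the 800-byte record that the "INFO2-Expanded" expression spans, and decodes the record fields. The buffer and record contents are constructed test data; the truncated third record is skipped, which is the "expand the hit area to manually carve" case described above.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Python form of the page's "Info2 Files FAST All Years" GREP expression.  An INFO2
# record is 800 bytes: ANSI path (260), index (4), drive number (4), deletion
# FILETIME (8), size (4), UTF-16LE path (520).  The anchor is the drive number
# (0x02 = C: .. 0x19 = Z:) plus three zero bytes, seven bytes, the FILETIME's top
# byte 0x01 (true for 1829..2058), four size bytes, then "<letter>:\" in UTF-16LE.
# re.I mirrors EnCase's default case-insensitive GREP; re.S lets "." match any byte.
INFO2_FAST = re.compile(rb"[\x02-\x19]\x00{3}.{7}\x01.{4}[c-z]\x00:\x00\\", re.S | re.I)

ANSI_LEN, UNI_LEN, REC_LEN = 260, 520, 800
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch


def make_record(index, drive, deleted, size, path):
    """Build a constructed INFO2 record (test data, not from a real Recycle Bin)."""
    td = deleted.replace(tzinfo=timezone.utc) - EPOCH   # naive input treated as UTC
    ft = (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10
    return (path.encode("ascii").ljust(ANSI_LEN, b"\x00")
            + struct.pack("<IIQI", index, drive, ft, size)
            + path.encode("utf-16-le").ljust(UNI_LEN, b"\x00"))


def carve_info2(buf):
    """Return one dict per complete INFO2 record whose drive-number anchor matches."""
    found = []
    for m in INFO2_FAST.finditer(buf):
        start = m.start() - ANSI_LEN - 4          # back up over ANSI path + index
        if start < 0 or start + REC_LEN > len(buf):
            continue                               # partial record: hit needs manual carving
        rec = buf[start:start + REC_LEN]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, ANSI_LEN)
        upath = rec[ANSI_LEN + 20:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        found.append({"offset": start, "index": index, "drive": chr(ord("A") + drive),
                      "deleted": EPOCH + timedelta(microseconds=ft // 10),
                      "size": size, "path": upath})
    return found


# Constructed "unallocated space": filler, two whole records, filler, one truncated record.
SAMPLE = (b"\x00" * 37
          + make_record(5, 2, datetime(2005, 3, 14, 9, 26, 53), 24576,
                        r"C:\Documents and Settings\bob\Desktop\budget.xls")
          + b"\xff" * 13
          + make_record(6, 3, datetime(1999, 12, 31, 23, 59, 59), 1048576, r"D:\photos\img_0001.jpg")
          + make_record(7, 4, datetime(2001, 9, 11, 8, 46), 512, r"E:\notes.txt")[:400])
```

Calling `carve_info2(SAMPLE)` yields the two complete records with their decoded deletion times and paths; the third anchor hit is dropped because the record runs past the end of the buffer.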
|
Expression:
Recover Folders=\x2E\x20{10}.{21}\x2E\x2E\x20{9}
Description:
Should be run on unallocated space. Will find the "." and ".." entries of a directory.
|
Expression:
Kazaa DBB=\<\x6C\x33\x33\x6C
Description:
Will find Kazaa .dbb entries.
|
Expression:
Kazaa DAT file=.\x00{10}\x4b\x41\x5a\x41
Description:
Will find the footer of a Kazaa .dat file (partial download). Will also hit on "Kazakhstan". Run Case Sensitive for fewer false hits.
|
Expression:
Lolita 1=.l.o.l.i.t.a.
Description:
Will find any string containing LOLITA with the letters separated by any character, e.g. $L-o-L+i%t!a
|
Expression:
Lolita 2=lolita
Description:
Will find any occurrence of "lolita" even if embedded in another string, e.g. 5lolita6 or iwantlolita.
|
Expression:
Lolita 3=l\wo\wl\w
Description:
Will find "L" "O" "L" separated by any string, e.g. will hit on "mailboxlist".
|
Expression:
Lolita 4=lol\w
Description:
Will find "L" "O" "L" followed by any string, e.g. will hit on "Lollypop".
|
Expression:
Mastercard 1=\<5\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>
Description:
Will find 16-digit Mastercard numbers with each group of 4 digits separated by "-", "." or a space.
|
Expression:
Visa =\<4\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>
Description:
Will find 16-digit Visa numbers with each group of 4 digits separated by "-", "." or a space.
|
Expression:
AMEX=\<3\d\d\d[\-\. ]\d\d\d\d\d\d[\-\. ]\d\d\d\d\d\>
Description:
Will find AMEX numbers with each group separated by "-", "." or a space.
|
Expression:
Search Terms-5=[/?]query[/=]
Description:
Will find strings containing "?query=", e.g. eBay and AOL searches.
|
Expression:
Search Terms 14=href=/advanced_search?q=
Description:
Will find a Google search query return page.
|
Expression:
Passwords-1=passwd[/= ]?
Description:
Will hit ONLY on the string "passwd" followed by "=", a space or nothing. Note: Many passwords will be encrypted values.
|
Expression:
Passwords-1a=p(ass)?w[o]?[r]?[d]?[/= ]?
Description:
Will find password, passwd, passwrd, pw, pwd followed by "=", a space or nothing.
Note: Many passwords will be encrypted values. Will not find pswd, psw or pass.
|
Expression:
Passwords-2=p((ass)|(swd)|(wd)|(asswd)|(assword)|(asswrd)|(swrd)|(aswd))[/= ]?
Description:
Will find password, passwd, pswd, passwrd, pwd, pass followed by "=", a space or nothing. Will not get PW or PSW.
|
Expression:
Passwords-3=p[as][sw][swrd][wd]?[ord]?r?d?[/= ]?
Description:
Will find password, passwd, pswd, passwrd, pass followed by "=", a space or nothing. Will not get PW, PSW or PWD.
|
Expression:
MSN Hotmail Beginning=[/<]input type[/=]hidden name[/=]msgFromName value[/=]
Description:
Will hit on the beginning of an MSN Hotmail web message. Run on unallocated space to find partial mail.
|
Expression:
MSN Hotmail End=<!\-\- S\: [0-9]\-\->
Description:
Will hit on the end of an MSN Hotmail message. Run on unallocated space to find partial mail.
|
Expression:
Lnk File Parser with MAC/NETBIOS Info (Run on Unallocated)=\x4C\x00\x00\x00\x01\x14\x02\x00{5}\xC0\x00{6}\x46.+?[a-z]:?\\\\?.+?\x60\x00\x00\x00\x03\x00\x00\xa0.{92}
Description:
Meant to be run on unallocated space. Runs slower than the fast one but highlights the entire link file hit. 99% effective.
|
Expression:
Link File Parser (fast) - (Run on unallocated)=\x4C\x00\x00\x00\x01\x14\x02\x00{5}\xC0\x00{6}\x46.+?(([a-z]:\\)|(\\\\)).+?([a-z]:)?\\\\?.+?((\x00{5}\x00?\x00?\x00?\x00?\x00?)|\x60\x00\x00\x00\x03\x00\x00\xa0.{92})
Description:
Meant to be run on unallocated space. Runs very fast but DOES NOT get the whole hit. User will have to expand the hit area to manually carve.
|
Expression:
Web Credit Card Transaction Receipt (X or #)=([#x][#x][#x][#x][\- \.]?){3}\d\d\d\d\>
Description:
Will find credit card transaction returns from the web masked with X or #, e.g. XXXXXXXXXXXX9191 or ####-####-####-9191
|
Expression:
Reparse Point Finder=\\\x00\?\x00\?\x00\\\x00[a-z]\x00\:\x00\\\x00
Description:
Will find reparse points.
|