/usr/share/autopsy/help/grep.html is in autopsy 2.24-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 | <HTML>
<HEAD><TITLE>Autopsy grep Cheat Sheet</TITLE></HEAD>
<BODY BGCOLOR=#CCCC99>
<CENTER><H2>grep Cheat Sheet</H2></CENTER>
<H3>Escaped Values</H3>
Autopsy uses the <TT>grep</TT> utility to search an image. grep requires
that some values be "escaped" if they are searched for. Autopsy
will automatically escape those values if the serach is being done for
a <U>non-regular expression</U>. The escaped values include:
<UL>
<LI>\
<LI>.
<LI>[
<LI>^
<LI>$
<LI>'
<LI>*
<LI>initial -
</UL>
<H3>Regular Expressions</H3>
Refer to the man page for 'grep' for more details of creating regular
expressions. Autopsy uses the '-E' flag with 'grep' to specify
extended regular expressions. The following have special meaning
with grep:
<UL>
<LI><B>[A-Za-z]</B>: Any lower and upper case letter
<LI><B>[:alpha:]</B>: same as above
<LI><B>[0-9]</B>: Any number
<LI><B>[:digit:]</B>: same as above
<LI><B>[0-9A-Za-z]</B>: Any lower and upper case letter or digit
<LI><B>[:alnum:]</B>: same as above
<LI><B>[:space:]</B>: Any white space
</UL>
<P>
To specify how many times something can occur, the following are used:
<UL>
<LI><B>?</B>: Optional and can only occur once
<LI><B>*</B>: Optional and can occur more than once
<LI><B>+</B>: Required and can occur more than once
</UL>
<P>
To specify more than one string to match, use the <B>|</B> operator.
<H3>Examples</H3>
<P>
To search for 'Jane Smith' or 'Jack Smith': (Jane)|(Jack) Smith
<P>
To ensure it matches if a tab is between the first and last name:
(Jane)|(Jack)[:space:]Smith
<P>
To search for 'Jane Smith' or 'Jane Anne Smith':
Jane( Anne)? Smith
<P>
or: Jane([:space:]Anne)?[:space:]Smith
<HR>
<FONT SIZE=0>Brian Carrier</FONT>
</BODY></HTML>
|