A Better IP Address GREP For EnCase


I was recently teaching a colleague about the use of keywords in EnCase, and in highlighting grep usage, we came across the default Guidance IP address grep string:

0|([3-9]#?)|(1#{0,2})|(2([0-4]#?)|(5[0-5]?)|[6-9]).0|([3-9]#?)|(1#{0,2})|(2([0-4]#?)|(5[0-5]?)|[6-9]).0|([3-9]#?)|(1#{0,2})|(2([0-4]#?)|(5[0-5]?)|[6-9]).0|([3-9]#?)|(1#{0,2})|(2([0-4]#?)|(5[0-5]?)|[6-9])

The issue with a grep string like this is that you want to find IP addresses whose octets are always less than 256, but there is no “less than” operator in grep, so all one can do is construct each octet digit by digit (using OR) and/or accept some false positives. (This means that you will get results that may not be IP addresses; instead you will get dotted-decimal numbers that contain ‘octets’ greater than 255.)

The Guidance default grep string basically tries to construct all possible digits for the octets of an IP address.  While this is a reasonable way to do it, it has three problems.  The first is that it misses IP addresses!  It does not find “64.7.11.2”, for instance.  Secondly, it leads to a large number of false positives.  Thirdly, that expression is rather convoluted to understand, and certainly maintaining it seems difficult.

My colleague and I came up with a better (but not perfect) IP address grep string:

(0|1|2)*[0-9]?[0-9]?.(0|1|2)?[0-9]?[0-9]?.(0|1|2)*[0-9]?[0-9]?.(0|1|2)*[0-9]?[0-9]?

This IP address string is a lot less complicated than the one that ships with EnCase, which goes some way toward addressing the third problem with the default. The first problem is also alleviated, in that it finds all IP addresses that we tested! While it still suffers from the second problem, the number of false positives is significantly reduced.
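As an added illustration (not from the original post, and written in Python's re syntax rather than EnCase GREP), here is the “construct each octet with OR” idea carried through to a pattern that only admits 0-255, placed beside a loose three-digits-per-octet pattern in the spirit of the simplified string above, and run over constructed sample text to show which hits the strict version rejects:

```python
import re

# Strict octet: 0-255 enumerated by digit ranges, because regex has no
# "less than" operator. Leading-zero forms such as 01 or 001 are excluded.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

# (?<!\d) / (?!\d) stop a match from starting or ending inside a longer
# run of digits, so "1.2.3.4567" is not reported as "1.2.3.456".
STRICT_IP = re.compile(r"(?<!\d)" + OCTET + r"(?:\." + OCTET + r"){3}(?!\d)")

# Loose pattern: any 1-3 digit groups joined by literal dots. Easy to read
# and maintain, but it admits octets above 255.
LOOSE_IP = re.compile(r"(?<!\d)\d{1,3}(?:\.\d{1,3}){3}(?!\d)")


def find_ips(text, pattern=STRICT_IP):
    """Return every match of `pattern` in `text`, in order of appearance."""
    return [m.group(0) for m in pattern.finditer(text)]


def false_positives(text):
    """Hits of the loose pattern that the strict pattern does not accept."""
    strict = set(find_ips(text, STRICT_IP))
    return [ip for ip in find_ips(text, LOOSE_IP) if ip not in strict]


# Constructed sample text: real addresses mixed with dotted-decimal noise
# (an out-of-range "address", a version string, and a boundary case).
SAMPLE = (
    "connected from 64.7.11.2 via 192.168.1.5 to 10.0.0.255\n"
    "firmware 300.1.2.999 build 1.2.3.4567 gateway 256.0.0.1\n"
    "broadcast 255.255.255.255\n"
)

if __name__ == "__main__":
    print("strict hits:     ", find_ips(SAMPLE))
    print("loose-only hits: ", false_positives(SAMPLE))
```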
