Regex Keyword List Not Working

Post by randyklein » Wed Feb 14, 2018 2:33 pm

I've created a keyword list with a regex keyword. All of the other "exact Match" keywords work perfectly fine, but the regex keyword is not running. When the search completes, I don't see it in the tree list. If I enable the built-in email regex keyword list, that works perfectly fine.

My regex keyword is "5[HJK][1-9A-Za-z][^OIl]{49}". I know there is content in a text file in the image that matches this regex.

What am I doing wrong here? Thanks!

Re: Regex Keyword List Not Working

Post by Hoyt » Thu Mar 01, 2018 4:33 pm

It's your curly braces. Those are part of the Extended Regular Expression (ERE) syntax. Autopsy only supports basic (BRE) as far as I'm aware. In this case, search is specifically looking for "{49}" at the end of your pattern. You can try escaping them, i.e. "\{49\}" or write it without using those.

Here's an old Autopsy regex guide.

Hoyt
Hoyt Harness, CFCE
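
An added example, not part of the thread or of Autopsy: it shows the two readings of `{49}` discussed in the reply above and builds a brace-free equivalent of the keyword. Python's `re` module stands in for the search engine (an assumption; in `re` an unescaped `{49}` is a repeat count and `\{49\}` is literal text, the reverse of POSIX BRE), and the sample strings are constructed.

```python
import re

PATTERN = "5[HJK][1-9A-Za-z][^OIl]{49}"  # keyword from the question
HIT = "5Ha" + "b" * 49                   # constructed 52-character sample
LITERAL_HIT = "5Hab{49}"                 # constructed text holding the characters "{49}"


def expand_intervals(pattern):
    """Rewrite each {n} as n explicit copies of the preceding atom.

    Handles single characters, backslash escapes and bracket classes;
    groups and escaped ']' inside a class are out of scope.
    """
    out, i = [], 0
    while i < len(pattern):
        m = re.match(r"\{(\d+)\}", pattern[i:])
        if m and out:
            out[-1] *= int(m.group(1))   # repeat the previous atom n times
            i += m.end()
        elif pattern[i] == "[":
            j = i + 2 if pattern[i + 1] == "^" else i + 1
            j = pattern.index("]", j + 1)  # first class member may itself be ']'
            out.append(pattern[i:j + 1])
            i = j + 1
        elif pattern[i] == "\\":
            out.append(pattern[i:i + 2])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def literal_braces(pattern):
    """Model an engine that reads '{49}' as plain text rather than a count."""
    return pattern.replace("{", r"\{").replace("}", r"\}")


def compare(text):
    """Report which reading of PATTERN matches `text` in full."""
    return {
        "quantifier": bool(re.fullmatch(PATTERN, text)),
        "literal": bool(re.fullmatch(literal_braces(PATTERN), text)),
        "expanded": bool(re.fullmatch(expand_intervals(PATTERN), text)),
    }


if __name__ == "__main__":
    print(expand_intervals(PATTERN))
    print("52-char sample:", compare(HIT))
    print("literal sample:", compare(LITERAL_HIT))
```

If the expanded form finds the file and the braced form does not, the interval syntax is what the search engine is rejecting.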

