RegExList.ini

# Regular Expressions List 
# 
# Maintained by Josh Brunty, Associate Professor- Marshall University 
#
# To add/suggest entry email me: josh [dot] brunty [at] marshall [dot] edu
#
# A line starting with '#' starts a comment line or disables a pattern.
# A line with just a '-' creates a separator in the menu.
# Blank lines do nothing.
# Pattern lines have the following form: patternName=pattern.
#
# Do not put spaces, tabs, etc. after the pattern, unless you intend 
# to include them as part of the pattern.
#
# These expressions can be imported for use in Live Search in AccessData's Forensic Toolkit (FTK).  Save this file 
# as RegExList.ini and place into the directory C://ProgramFiles/AccessData/FTK/Version/bin

# Internet patterns
MAC Address=\<([0-9a-fA-F]{2} ){5}[0-9a-fA-F]{2}\>
URL {http, https, ftp, ftps}=\<((((ht|f)tps?)\://)?[0-9a-z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel|[a-z]{2})(\:[0-9]{1,5}){0,2}(/($|[a-zA-Z0-9\.\?\+\*\$\~&%/#_,;'=-]+))*)+\>
mailto: ...=mailto\:[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel)(,[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel|[a-z]{2}))*(\?b?cc=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel)(,[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.(biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel|[a-z]{2}))*)*(\?(subject|body)=[a-zA-Z0-9\t \.\+\*\$\~&%/#_,;'-]+)*
IPv6 Internet Address=/^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$/

# Domain Name patterns
... .com=[0-9a-zA-Z._%+-]+\.com\>
... .edu=[0-9a-zA-Z._%+-]+\.edu\>
... .info=[0-9a-zA-Z._%+-]+\.info\>
... .net=[0-9a-zA-Z._%+-]+\.net\>
... .org=[0-9a-zA-Z._%+-]+\.org\>
... .gov=[0-9a-zA-Z._%+-]+\.gov\>
... .museum=[0-9a-zA-Z._%+-]+\.museum\>
... .tv=[0-9a-zA-Z._%+-]+\.tv\>
... .xxx=[0-9a-zA-Z._%+-]+\.xxx\>
... .<any>=[0-9a-zA-Z._%+-]+\.([a-z]{2}|biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel)\>
-

# Email patterns
... @ ... .com=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.com\>
... @ ... .edu=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.edu\>
... @ ... .gov=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.gov\>
... @ ... .net=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.net\>
... @ ... .org=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.org\>
... @ ... .<any> email address=[0-9a-zA-Z._%+-]+@[0-9a-zA-Z._%+-]+\.([a-z]{2}|biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel)\>
-

# Credit Card Number patterns
All Issuers =\<(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})\>
AMEX =\<3\d\d\d[\-\.  ]\d\d\d\d\d\d[\-\.  ]\d\d\d\d\d\>
Visa =\<4\d\d\d[\-\.  ](\d\d\d\d[\-\.  ]){2}\d\d\d\d\>
Mastercard 1 =\<5\d\d\d[\-\.  ](\d\d\d\d[\-\.  ]){2}\d\d\d\d\>
Discover=\<6011([\-\.  ]\d\d\d\d){3}\>
Credit Card Standard =\<(\d\d\d\d[\-\.  ]){3}\d\d\d\d\>
Web Credit Card Transaction Receipt with X or #  =([#x][#x][#x][#x][\- \.]?){3}\d\d\d\d\>

# Alternative Credit Card patterns (remove # from front of name to activate)
#American Express=\<3[47]\d{2}[\-\.  ]?\d{6}[\-\.  ]?\d{5}\>
#MasterCard/Visa=(\<5[1-5]\d{2}[\-\.  ]?(\d{4}[\-\.  ]?){2}\d{4}\>|\<4\d{3}[\-\.  ]?(\d{4}[\-\.  ]?){2}\d(?:\d{3})?\>)
-

# File Sharing patterns
Kazaa DAT file =.\x00{10}\x4b\x41\x5a\x41
Kazaa DBB =\<\x6C\x33\x33\x6C
Limewire DAT=\<\xac\xed\x00\x05sr

#other
Link File Parser (fast) - (Run on unallocated)=\x4C\x00\x00\x00\x01\x14\x02\x00{5}\xC0\x00{6}\x46.+?(([a-z]:\\)|(\\\\)).+?([a-z]:)?\\\\?.+?((\x00{5}\x00?\x00?\x00?\x00?\x00?)|\x60\x00\x00\x00\x03\x00\x00\xa0.{92})
Link File Parser with MAC/NETBIOS Info (Run on Unallocated)=\x4C\x00\x00\x00\x01\x14\x02\x00{5}\xC0\x00{6}\x46.+?[a-z]:?\\\\?.+?\x60\x00\x00\x00\x03\x00\x00\xa0.{92}
INFO2 Files FAST All Years=[\x02-\x19]\x00{3}.{7}\x01.{4}[c-z]\x00\:\x00\\
INFO2-Expanded (Run on Unallocated)=([c-z]|\x00).{263}[\x02-\x19]\x00{3}.{12}[c-z]\x00\:\x00\\.{515}
MSN Hotmail Beginning=[/<]input type[/=]hidden name[/=]msgFromName value[/=]
MSN Hotmail End=<!\-\- S\: [0-9]\-\->
HTML Search Engine Return - Google Search =href=/advanced_search\?q=
INDEX.dat entries and Search Engine Return - Google Search =/search\?hl=..&q=
HTML Search Engine Return - Ebay.com, search.aol.com, mamma.com =[/?]query[/=]
HTML Search Engine - Ask Jeeves =href="\?q=
Orphaned Index.dat Files (with date)=url.{12}\x01.{7}\x01
Orphaned Index.dat Files (without date)=url.{101}http\:\/\/
Orphaned History Index.dat Files=url.{101}visited\:
Orphaned Index.dat Cookie Files=url.{101}cookie\:
IP Address=\<[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\>
#US dollar amount=\<\$ *(([1-9]\d{0,2}(\,\d{3})*)|([1-9]\d*)|(0))(\.\d{2})?\>
-

# Phone Number patterns
US Phone Number=((\<1[\-\. ])?(\(|\<)\d\d\d[\)\.\-/ ] ?)?\<\d\d\d[\.\- ]\d\d\d\d\>
UK Phone Number=\<(\+44[\-\. ])?\(?0\)? ?[12789]\d\d?\d?[\-\. ]\d\d\d\d?[\-\. ]?\d\d\d\d?[\-\. ]?\>
-
Social Security Number=\<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\>