
IP Addresses regex problem

Open N-Sotelo98 opened this issue 3 years ago • 5 comments

Hi there,

While using the keyword module searching for IP addresses, there seems to be a problem with the default regex expression since it doesn't identify the IP correctly . Here is an example:

[image: Captura]

I've tried adding different regex to retrieve IP, but it didn't work

(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}

If anybody knows a solution to this problem I would really appreciate it.

Thanks in advance for your answers.

Regards.

N-Sotelo98 avatar Aug 09 '21 15:08 N-Sotelo98

Can you try this regex instead and see what you come up with? (25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3} The only difference from yours is the backslash (\) before the period (.). Adding the backslash does change the outcome of the query.

markmckinnon avatar Aug 17 '21 13:08 markmckinnon

Hi Mark, thanks for answering.

I have used your regex; however, it doesn't work properly with IP addresses, and it also catches random numbers within the file (.evtx).

[image: Captura]

N-Sotelo98 avatar Aug 19 '21 19:08 N-Sotelo98

What do you mean by random numbers within the file? I just noticed that what I copied over above did not have the \. in it. Did you test with the \. in it? I did notice that some of the things it will pull out are actual file names that have a version number in them that looks like an IP address.

markmckinnon avatar Aug 19 '21 19:08 markmckinnon

Hey Mark,

The regex you suggested brings every number within the file. I tried using the \. for the tests, but it is possible I made a mistake.

(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}

[image: WhatsApp Image 2021-08-24 at 10 54 58 AM]

N-Sotelo98 avatar Aug 24 '21 15:08 N-Sotelo98

It looks like you are using keyword lists from the options panel. Is this correct? If so, rename the current keywords.xml in the directory c:\Users\<Username>\AppData\Roaming\autopsy\config, download my keywords.xml from the following link and save it there: https://drive.google.com/drive/folders/1SAdQrla5_ofuvLz6IzEwWqfqGpjKYe0E?usp=sharing. Then run the Keyword ingest module and select the ip_address_test keyword list. When I did that I saw the following in my keyword hits.

[image: keyword-list-ip-address]

Let me know if that helps out.

markmckinnon avatar Aug 26 '21 14:08 markmckinnon

Closing the issue due to inactivity from the user. If this is still an issue, please reopen.

markmckinnon avatar Dec 01 '22 20:12 markmckinnon