| Author | Message | ||
     forestcat Username: forestcat Registered: N/A |
Hi, Wondering if someone could point me toward a way to search all sectors of a hd for anything formatted as an email address, and save the found occurances to a text file? User hard reset her pc during a crash caused by acrobat/pdf attachment while in Thunderbird. Upon reboot, lots of stuff gone. Upon inspection, many files appear overwritten with garbage. Filesystem problems, but drive passes diags. All she cares about is the Thunderbird addr book. It was the only copy of her contacts. I've found multiple copies of abook, all filled w/ garbage. However, there are still fragments of email, etc. all over the hd. Doing the above "by hand" would take forever. All I need is a disk editor that could search the entire disk for text, using DOS wildcard nomenclature(all I know...), for: *@*.* and put all the matches in a text file. I've searched for such a utility, no luck.... Any suggestions greatly appreciated. Thanks so much. | ||
| Ron Cufley Username: roncufley Registered: N/A |
I have done exactly this using regular expressions in grep under Linux. It should be possible to do the same in WinHex although I have never tried it. If you want it I could find the the regular expression for you. | ||
| forestcat Username: forestcat Registered: N/A |
Ron, That would be awesome. I'm not fluent in regular expression syntax at all. Thanks so much. | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
Here is the GREP expression that we use for e-mail addresses: [a-zA-Z0-9_/-/.]{1,20}@[a-zA-Z0-9/-/.]{2,20}/.[a-zA-Z]{2,7} Important: Replace all forward slashes with backward slashes. (Forum syntax does not allow to use backward slashes.) | ||
| Ron Cufley Username: roncufley Registered: N/A |
Thanks Stefan, you beat me to it. | ||
| Ron Cufley Username: roncufley Registered: N/A |
By the way am I right in assuming that [:alnum:] etc works in WinHex? | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
No, only the GREP features listed and explained in the program help and manual, e.g. [a-zA-Z#]. | ||
| Ron Cufley Username: roncufley Registered: N/A |
I am probably being dim but I couldn't find it in the program help, could you point me in the right direction, please? | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
There are many ways ("x" ways) to find it, of course. Here are three: 1) Search | Simultaneous Search. Click Help. Click Search Options. Press Page Down once. 2) Help | Contents. Simultaneous Search. Click Search Options. Press Page Down once. 3) When in the program help already, click the Index button, then Find, then (after having Windows create the index), type in "GREP". (Most people somehow ignore that Windows allows them to create a powerful full text index for a program help system in the Find tab.) Or in the user manual, search for "GREP". | ||
| forestcat Username: forestcat Registered: N/A |
Thank you very much, Stefan & Ron. The Regex seems to retrieve any permutuation of an email address (substrings included...), but I don't see any way to copy the text results of the search to a text file, other than copying entire sectors. I can highlight(Select) all the results in the Position Manager, but I'm not seeing a way to copy that to clipboard, etc. I suspect I'm missing something obvious... | ||
| Björn Ganster Username: admin4 Registered: 3-2004 |
There is an item "Export list..." in the context menu of the position manager. If you select some or all (Ctrl-A) positions, right-click the positions to bring up the context menu. It contains an entry "Export list...". Selecting that option brings up a window that lets you define the columns to export. | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
That option is not available in the Position Manager, only in the highly flexible search hit lists that you get in X-Ways Forensics when working with a case. |