Regex Cheatsheet for Forensics

Forensic Regex Patterns Reference

Network Addresses

IPv4

\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

IPv4 Private Ranges

\b(?:10\.(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){2}|172\.(?:1[6-9]|2[0-9]|3[01])\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.)|192\.168\.(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.)\b(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

IPv4 with Port

\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):[0-9]{1,5}\b

IPv6 (Simplified)

(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}

IPv6 (Full)

(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|::(?:[0-9a-fA-F]{1,4}:){0,5}[0-9a-fA-F]{1,4}|[0-9a-fA-F]{1,4}::(?:[0-9a-fA-F]{1,4}:){0,5}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}::(?:[0-9a-fA-F]{1,4}:)?[0-9a-fA-F]{1,4})

IPv6 Private/Local

(?:f[cd][0-9a-fA-F]{2}:|fe80:|::1)

MAC Address

(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}

CIDR Notation

\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(?:3[0-2]|[12]?[0-9])\b

Cryptocurrency Addresses

Bitcoin (P2PKH/P2SH)

\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b

Bitcoin Bech32

\bbc1[a-z0-9]{39,59}\b

Ethereum

\b0x[a-fA-F0-9]{40}\b

Monero

\b4[0-9AB][0-9a-zA-Z]{93}\b

Litecoin

\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b

Ripple

\br[a-zA-Z0-9]{24,34}\b

Dogecoin

\bD[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{25,34}\b

Dash

\bX[a-km-zA-HJ-NP-Z1-9]{33}\b

Tether (USDT) on Ethereum

\b0x[a-fA-F0-9]{40}\b

Web & Email

URL (HTTP/HTTPS)

https?://[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}(?:/[^"\s]*)?

Domain Name

\b(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}\b

Email Address

[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}

FTP URL

ftp://[a-zA-Z0-9.-]+(?:/[^"\s]*)?

Hash Values

MD5

\b[a-fA-F0-9]{32}\b

SHA1

\b[a-fA-F0-9]{40}\b

SHA256

\b[a-fA-F0-9]{64}\b

SHA512

\b[a-fA-F0-9]{128}\b

Base64 String

[A-Za-z0-9+/]{4}*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?

File Paths & Names

Windows Path

[a-zA-Z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*

Unix/Linux Path

(?:/[^/\0]+)+/?

UNC Path

\\\\[a-zA-Z0-9.-]+\\[^\\/:*?"<>|\r\n]+(?:\\[^\\/:*?"<>|\r\n]+)*

File Extension

\.[a-zA-Z0-9]{1,5}\b

Registry Key

HKEY_[A-Z_]+(?:\\[^\\]+)*

Timestamps & Dates

ISO 8601

\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:Z|[+-]\d{2}:?\d{2})?

Unix Timestamp

\b1[0-9]{9}\b

Apache/CLF Log Date

\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}

Windows Event Log Date

\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}

Syslog Date

[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}

Log Patterns

Apache Common Log

^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]+)" (\d{3}) (\d+|-)

Apache Combined Log

^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]+)" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"

Nginx Access Log

^(\S+) - (\S+) \[([^\]]+)\] "([^"]+)" (\d{3}) (\d+) "([^"]*)" "([^"]*)"

SSH Failed Login

Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)

Windows Security Event ID

EventID:\s*(\d+)

Windows Event XML

<Event[^>]*>.*?</Event>

IIS Log Entry

\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+

Exchange Message ID

<[A-Za-z0-9$_.-]+@[A-Za-z0-9.-]+>

Identifiers & Keys

UUID/GUID

[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}

Credit Card (Basic)

\b(?:\d[ -]*?){13,19}\b

SSN (US)

\b\d{3}-\d{2}-\d{4}\b

JWT Token

eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+

System & Process

PID

\bPID\s*[:=]?\s*(\d+)\b

Process Name

(?:^|\s)([a-zA-Z0-9_-]+\.exe)\b

Memory Address

0x[0-9a-fA-F]{8,16}

Port Number

\b(?:6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5]?[0-9]{1,4})\b

Database & SQL

SQL Injection Pattern

(?:'|")?(?:;|--|OR|AND|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)(?:\s|$)

Connection String

(?:Server|Data Source|User ID|Password|Database|Initial Catalog)=[^;]+

SQL Server Connection

(?:Data Source|Server)=(?:(?:tcp:)?[a-zA-Z0-9.-]+(?:\\[a-zA-Z0-9_]+)?(?:,\d+)?);

MongoDB Connection

mongodb(?:\+srv)?://(?:[^:]+:[^@]+@)?[a-zA-Z0-9.-]+(?::\d+)?(?:/[^?]+)?

Malware Indicators

Suspicious PowerShell

(?:-e[ncodedcommand]*\s+|iex|invoke-expression|downloadstring|downloadfile)

Base64 Encoded Executable

TVqQAAMAAAAEAAAA

Suspicious User Agent

(?:bot|crawler|spider|scraper|curl|wget|python|java)

Cloud & Infrastructure

AWS ARN

arn:aws:[a-z0-9-]+:[a-z0-9-]*:[0-9]{12}:[a-zA-Z0-9-_/:.]+

S3 Bucket URL

(?:s3://|https?://s3[.-])([a-z0-9.-]+)(?:/[^"\s]*)?

Azure Resource ID

/subscriptions/[a-f0-9-]{36}/resourceGroups/[^/]+/providers/[^/]+/[^/]+/[^/\s]+

Docker Container ID

\b[0-9a-f]{64}\b|\b[0-9a-f]{12}\b

Kubernetes Pod Name

[a-z0-9](?:[-a-z0-9]*[a-z0-9])?(?:-[a-z0-9]{5,10})?

VMware UUID

[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}

Authentication & Keys

PEM Private Key

-----BEGIN (?:RSA |EC )?PRIVATE KEY-----

SSH Public Key

ssh-(?:rsa|ed25519|ecdsa) [A-Za-z0-9+/]+={0,2}

OAuth2 Bearer Token

Bearer [A-Za-z0-9\-._~+/]+=*

GitHub Personal Access Token

ghp_[A-Za-z0-9]{36}

AWS Access Key

AKIA[0-9A-Z]{16}

AWS Secret Key (Context)

[A-Za-z0-9/+=]{40}

Azure Storage Key

[A-Za-z0-9+/]{86}==

Google API Key

AIza[0-9A-Za-z\-_]{35}

Slack Webhook

https://hooks\.slack\.com/services/T[A-Z0-9]{8}/B[A-Z0-9]{8}/[A-Za-z0-9]{24}

Telegram Bot Token

[0-9]{8,10}:[A-Za-z0-9_-]{35}

Geographic & Tracking

GPS Coordinates

[-+]?(?:[0-8]?[0-9]|90)\.[0-9]+,\s*[-+]?(?:1[0-7][0-9]|[0-9]?[0-9])\.[0-9]+

IMEI Number

\b(?:35[0-9]{13}|01[0-9]{13}|86[0-9]{13}|99[0-9]{13})\b

VIN (Vehicle)

\b[A-HJ-NPR-Z0-9]{17}\b

IBAN

[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}

Social Media & Messaging

Twitter/X Handle

@[A-Za-z0-9_]{1,15}\b

Telegram Username

@[a-zA-Z][a-zA-Z0-9_]{4,31}

Discord ID

<@!?[0-9]{17,19}>

Bitcoin Transaction ID

\b[a-fA-F0-9]{64}\b

TLS Certificate Fingerprint (SHA256)

SHA256:[A-F0-9]{2}(?::[A-F0-9]{2}){31}

X509 Certificate Subject

(?:CN|O|OU|C|ST|L)=[^,]+(?:,\s*(?:CN|O|OU|C|ST|L)=[^,]+)*

Kerberos Principal

[a-zA-Z0-9._-]+(?:/[a-zA-Z0-9._-]+)?@[A-Z0-9.-]+

LDAP DN

(?:CN|OU|DC|O)=[^,]+(?:,(?:CN|OU|DC|O)=[^,]+)*

Mobile Forensics

Android Package Name

[a-z][a-z0-9_]*(?:\.[a-z0-9_]+)+

iOS Bundle ID

[a-zA-Z][a-zA-Z0-9-]*(?:\.[a-zA-Z0-9-]+)+

Android ADB Device

[0-9A-F]{8,16}

Mobile Country/Network Code

MCC:\s*\d{3}\s*MNC:\s*\d{2,3}

Forensic Artifacts

Windows SID

S-1-[0-59]-\d{1,10}(?:-\d{1,10})*

NTFS MFT Reference

\b\d{1,10}-\d{1,5}\b

USB Device ID

(?:VID|PID)_[0-9A-F]{4}

Windows GUID (Registry Format)

\{[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}\}

Process Command Line (Suspicious)

(?:cmd|powershell|wscript|cscript|mshta|rundll32)\.exe.*(?:http|ftp|\\\\|base64|encode)

Named Pipe

\\\\\\.\\pipe\\[a-zA-Z0-9_-]+

Memory Region

0x[0-9a-fA-F]+\s*-\s*0x[0-9a-fA-F]+

Additional Patterns

XML/HTML Tag

<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>.*?</\1>

JSON Object

\{(?:[^{}]|(?:\{[^{}]*\}))*\}

CVE ID

CVE-\d{4}-\d{4,}

MITRE ATT&CK ID

T\d{4}(?:\.\d{3})?

Tor Address

[a-z2-7]{16}\.onion\b

magnet:\?xt=urn:[a-zA-Z0-9]+:[a-fA-F0-9]+

Git Commit Hash

\b[a-f0-9]{40}\b|\b[a-f0-9]{7,8}\b

Stack Trace Line

\s+at\s+[a-zA-Z0-9.$_]+\([^)]*\)

HTTP Method

\b(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE)\b

HTTP Response Status

HTTP/[0-9.]+\s+[1-5][0-9]{2}

DNS Query

\b(?:A|AAAA|CNAME|MX|NS|PTR|SOA|SRV|TXT)\s+(?:IN\s+)?[a-zA-Z0-9.-]+

PE File Magic

MZ.{58}PE\x00\x00

ELF File Magic

\x7fELF

Mutex Pattern (Malware)

(?:Global\\|Local\\)?[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}

PowerShell Encoded Command

-[Ee](?:ncodedcommand|c)\s+[A-Za-z0-9+/=]+

YARA Rule Name

rule\s+[a-zA-Z_][a-zA-Z0-9_]*\s*(?::\s*[a-zA-Z_][a-zA-Z0-9_]*\s*)*\{

Windows Service Name

(?:SERVICE_NAME|DISPLAY_NAME):\s*([^\r\n]+)

Scheduled Task Name

TaskName:\s*\\([^\r\n]+)

MIME Type

[a-z]+/[a-z0-9.+-]+

Browser User-Agent (Suspicious Tools)

(?:sqlmap|nmap|nikto|havij|acunetix|nessus|metasploit|burp|owasp)

Python Script Shebang

#!/usr/bin/(?:env )?python[0-9.]*

Bash Script Shebang

#!/bin/(?:ba)?sh

Base64 Encoded PE Header

TVqQAAMAAAAEAAAA

Base64 Encoded MZ Header

TVo[A-Za-z0-9+/]

ZIP Archive Header

PK\x03\x04

RAR Archive Header

Rar!\x1a\x07

PDF Header

%PDF-[0-9.]+

Office Document (OOXML)

PK\x03\x04.{26}(?:word|xl|ppt)/

Usage Notes

Powered by Hugo with Console Theme.