Seek and You Shall Find: Using Regular Expressions for Fast, Accurate Mobile Device Data Searches

Article Posted: May 07, 2010

In the world of digital forensics, the power to seek and find is key. The faster and more accurate the search, the faster you can zero in on your target and find the evidence you need to convict, prevent, or locate.

Regular expressions, long thought of as the arcane art of long-haired network admins squirreled away in front of blinking Bash shell terminals, made their way into mainstream forensics with the GREP function in EnCase.

(In fact, though the term GREP in the forensic community has become synonymous with regex, much as Kleenex is synonymous with tissue, “grep” is actually a Linux/Unix program: a command-line utility that searches input for regular expression matches. The grep program, and variants such as egrep, process the regex patterns and return the lines that match.)

Adopted by many commercial forensic suites such as FTK, Cellebrite’s Physical Pro, and MSAB’s XRY Complete, these deceptively simple yet devilishly complex character patterns hold the key to a powerful process of searching and reporting.

Regular Expressions: What They Are and Why You Need Them
Forensic examiners, looking at a complex regular expression such as the one below:

\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b

might find themselves wondering what the heck they got into and why they bothered to come in to work that day. However, the effective use of regular expressions might make the difference in solving a case, because regular expressions automate and streamline searches that would otherwise take hours if not days to perform by hand.
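To show what the pattern above actually does when run over data, here is an added example (not from the article or from any of the forensic suites it names) that compiles the article's e-mail regex with Python's `re` module and runs it over a constructed text fragment standing in for strings carved from a device image. It also shows two caveats a practitioner would want to know before trusting the hit list: the pattern only lists `A-Z`, so it must be compiled case-insensitively or it silently misses lowercase addresses, and its `{2,4}` top-level-domain length means addresses on longer TLDs are not reported at all.

```python
import re
from typing import List

# The e-mail pattern quoted in the article. re.IGNORECASE is required because
# the character classes list only A-Z; without it, lowercase addresses (the
# common case in real data) are never matched.
EMAIL_PATTERN = r"\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b"
EMAIL_RE = re.compile(EMAIL_PATTERN, re.IGNORECASE)
EMAIL_RE_CASE_SENSITIVE = re.compile(EMAIL_PATTERN)

# Constructed sample text (not real device data): mixed-case addresses,
# surrounding noise and binary junk, malformed near-misses, and one address
# on a TLD longer than four characters.
SAMPLE_DUMP = """
...contact: Jane.Doe@Example.com; backup=j_doe+phone@mail.example.co.uk
garbage\x00\x01 not-an-address@ nor this@.com
support@example.technology  <- longer TLD
"""


def find_emails(text: str, ignore_case: bool = True) -> List[str]:
    """Return every address the article's pattern matches, in order of appearance.

    ignore_case=False uses the pattern exactly as written, which demonstrates
    why the flag matters: lowercase local parts and domains stop matching.
    """
    regex = EMAIL_RE if ignore_case else EMAIL_RE_CASE_SENSITIVE
    return regex.findall(text)


def find_emails_with_offsets(text: str) -> List[tuple]:
    """Return (offset, address) pairs so each hit can be tied back to a location."""
    return [(m.start(), m.group()) for m in EMAIL_RE.finditer(text)]


if __name__ == "__main__":
    for offset, address in find_emails_with_offsets(SAMPLE_DUMP):
        print(f"offset {offset:4d}: {address}")
    print("case-sensitive hits:", find_emails(SAMPLE_DUMP, ignore_case=False))
    print("long TLD hits:", find_emails("support@example.technology"))
```

Running the script reports the two well-formed addresses with their offsets, an empty case-sensitive hit list, and no hit for the `.technology` address. The last two results are the point: a regex search is only as complete as the pattern and the flags it is run with, so an examiner should know which classes of data a given pattern cannot return before treating the absence of a hit as evidence of absence.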
