Sunday, December 13, 2009

Free Windows GREP tools – I’m Excited!

Back in August ‘09, Keydet89 posed the following question in his Windows Incident Response blog post “Goin’ commando”…

Anyway, I think that is would be a great place to start throwing up information, discussion and links to free and open-source tools that folks are using for analyzing various files or formats. This can include general stuff (such as, does anyone have a good, free grep utility for Windows that doesn't use cygwin?)

Harlan then followed that post with a roundup of new free tools and utilities.  He had also previously shared a  number of freely offered blog posts on, well, free utilities that might benefit both the Windows forensic examiner (and sysadmins as well).

Anyway…I think his was a rhetorical question regarding the Windows grep utility, but I responded in the comments about my own personal freeware grep favorite…

  • BareGrep - Free grep for Windows – Bare Metal Software.  Great tool for advanced and complex system and file searching for only 246 kB in size but very fast and very advanced for the most demanding system-inspecting needs.  Simply amazing.  Oh yes. It’s a single non-installing exe file and fully portable. Works great on XP through Windows 7 systems.  I’ve used it with great success to narrow my analysis on a few incident response assignments.  It really saved the day.

Since then I have found and collected a few more freeware grep tools. Most are GUI-based but a few are command-line.  Take your pick.

  • File Hound 3.08 - (freeware) – JimmyTheFork.com.  An updated version of his “Hound” grep tool.  I spotted it mentioned over in this DonationCoder thread Hound: a grep-alike that searches inside PDFs.  For a sample of the GUI see this Hound screenshot link.  Fully portable, download, unzip and run the exe.  I particularly like the fact that it is more intuitive to use and identify the result locations than the uber-powerful BareGrep utility.
  • Windows Grep - (freeware) – brilliant app which ran great “portably” on my Windows 7 system.  The GUI interface is very pleasant and modern (in a no-frills way).  What stood out the strongest to me was the interactive “wizard” that runs first. It nicely guides n00bies through the basic steps of setting up a search pattern, a location, and other parameters before kicking off the search.  Don’t be fooled. It’s got some advanced searching power for the experts to tap as well. The results are wonderfully displayed in an index format and the preview pane below highlights all the findings for very fast analysis.  Good job Huw Millington! Most excellent tool.
  • PRGrep - (freeware) – Another surprisingly well crafted GUI-based grep tool for Windows. Again, it seems to be portable.  Not quite as user-friendly for the uninitiated, anyone who does grep work will pick its functions up quickly.  Searching was fast and like Windows Grep, the display hits are nicely detailed and highlighted in the lower pane.  It can plug into MS Office for Word/Excel file reading.  I particularly liked the “old-school” format which makes copy/paste activity a breeze. PRGrep documentation is outstanding.
  • GREP for Windows - A very flexible grep for windows – (freeware) - opbarns.com O. Patrick Barns did an 2006 update to Tim Charron’s "GREP for Windows" port. He cleaned up some bugs in that version as seem to relate to subdirectory searching with the "-S” argument.  Yep.  CLI only with this one, baby.
  • Grep for Windows and GREP for Windows both of which seem to be the original CLI ports by Tim Charron of the GNU grep 2.0 allowing for sub-directory searching.  Examples of syntax provided on the pages.
  • GREP Command for Windows XP - Windows XP and DOS – Malektips.com – Tips to use of QGREP command.  Note: it does require extraction from Windows 2003 Resource Kit.  Syntax and expression usage documented there wonderfully as well.  More info on the Win2003RK here.  I’m guessing that if it works on XP, it should do OK on Vista and Windows 7 as well.

Curious News on Future Windows Resource Kits

Note that according to information and references in this Resource Kit – Wikipedia article…

In 2007 and 2008 respectively, Microsoft released the Windows Vista and Windows Server 2008 Resource Kits. Microsoft has also released resource kits for Group Policy, Windows security, Active Directory, Terminal Services and IIS 7. The Windows Vista Resource Kit ships with several sample VBScripts and few PowerShell scripts.

The Windows 7 Resource Kit was released on 14 September 2009 [3]. Microsoft has announced that new unsupported resource kit tools will not be provided for current and future operating systems [4], however the PowerShell team has released a Resource Kit PowerShell Pack [5], a collection of PowerShell modules that adds over 700 scripts to those already present in Windows 7.

References

[3]  Windows 7 Resource Kit: Microsoft Press blog

[4]  Are Resource Kits Dead? NOPE!

[5]  Introducing the Windows 7 Resource Kit PowerShell Pack

To be clear; the Resource Kits are alive and well, but it looks like the traditional “unsupported” tools and utilities that came with them, beloved by sysadmins world-wide, are now an endangered species.

See how it works?

Ask a question, get a slew of cool free utilities for the sysadmin and forensic pros alike!

Cheers!

--Claus V.

6 comments:

cdman83 said...

I usually install either Cygwin or GnuWin32 on Windows machines I use. There is of course also the Windows version of grep (which is much more limited): find

type file.txt | find "foo"

(the quotes seem to be important)

paolo said...

hello claus, have you ever heard of AstroGrep? Give it a try.

cheers

--
pbzion

Andrew from Vancouver said...

Hey, Claus.

I prefer to use a handful of the GnuWin32 command line tools from:

http://gnuwin32.sourceforge.net/

Not just grep. AWK, sed, tail and all their friends are there.

In a pinch, you can get text matching in Windows with find.exe and you can extend that by using findstr.exe to get some regexp.

And appropos of thing, 7-zip was just updated to beta 9.09 ... I know how you love updates.

https://sourceforge.net/projects/sevenzip/forums/forum/45797/topic/3487471

Claus said...

@ Paolo - No I haven't!

AstroGrep - "AstroGrep is a Microsoft Windows grep utility. Grep is a UNIX command-line program which searches within files for keywords. AstroGrep supports regular expressions, versatile printing options, stores most recently used paths and has a "context" feature which is very nice for looking at source code. "

Looks light and interesting. I'm downloading it and will check it out soon more closely.

Thanks for the tip! That's why I enjoy making these posts...some folks find them helpful and some posts jog folk's mind and they share some tools/utilities/tips that are off the beaten path.

Hopefully we all come out ahead..

Cheers!

--Claus V.

Claus said...

@ Andrew - Awesome!

Besides the tight compression 7-zip offers, I just get warm-fuzzies seeing such a valuable app getting updated and maintained frequently. Some might say that is a weakness, but I think it is a sign of an active development author/team -- 7-Zip application. I'm downloading this newest version right now!

Thank you also for the additional CLI of GnuWin32. I actually had considered adding this one in to the list but wanted to emphasize some of the GUI-based ones a bit more to make this class of tool/utility more approachable for the dabblers. I like the package approach.

I'm no CLI-black-belt but it is dead-useful.

Just today one of our analyst leads was working along side me on a special project to set up some lab pcs. I had gotten the images pretty well dialed in, and we use DiskPart and ImageX CLI to do the heavy installing. (Now if I can get our techs to learn just enough CLI to keep from formating the USB drives that are bootable and contain the images...sigh.)

Then I follow with a tight setup process we follow.

However, after the 10th system I was just getting a bit frustrated with some of the repetitive "open browser window, select copy x to y, run this cmd, etc...."

So I paused for a moment, looked at the process elements, and in about 30 min worked out a simple DOS batch file to do all the heavy-lifting for me.

What was taking us up to twenty minutes to physically navigate and perform now took under three.

The remaining systems didn't stand a chance...and the analyst just sat back and grinned.

Ahh. Behold the power of CLI...!

;)

Thanks for keeping me focused on the roots (CLI), sensi!

--Claus V>

Anonymous said...

May wanna check out www.ultragrep.com