Regex for DFIR

Taken from AndrewRathbun - DFIRRegex.

Title	Regex	Regex101	Links/Source
Age (Under 18)	`^(0?[1-9]{1}\\|[1]{1}[0-7]{1})(\s\\|[-])?(y(\s?)o\\|yr([sz]?)\\|year([sz]?)((\s\\|[-])?(old)?)\\|y)((\s?\\|[-])(old)?)$`	Regex101	Digital Forensics Discord Server user `jball77`
BASE64	`^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}\=\\|[A-Za-z0-9+/]{3}=)?$`
Credit Card Numbers	`(^4[0-9]{12}(?:[0-9]{3})?$)\\|(^(?:5[1-5][0-9]{2}\\|222[1-9]\\|22[3-9][0-9]\\|2[3-6][0-9]{2}\\|27[01][0-9]\\|2720)[0-9]{12}$)\\|(3[47][0-9]{13})\\|(^3(?:0[0-5]\\|[68][0-9])[0-9]{11}$)\\|(^6(?:011\\|5[0-9]{2})[0-9]{12}$)\\|(^(?:2131\\|1800\\|35\d{3})\d{11}$)`	Regex101	IHateRegex
Cut Folder Hierarchy	`.+(?=((\\\|\/).+){2})`	Regex101	RegexLib
Email Addresses	`(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)\\|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}\\|[0-9]{1,3})(\]?)(\s;\s\\|\s$))`	Regex101	StackOverflow
Grab Everything Before the First Comma	`^.[^,]*(?=(\,))`	Regex101
Filenames (Including Extension)	`[^\\\/:*?"<>\\|\r\n]+$`	Regex101	Regular Expressions Cookbook
Filenames (Short/Suspicious)	`^[\w,\s-]{1,3}\.[a-zA-Z0-9]{2,4}$`	Regex101	RegexTester
Hash - MD5	`[a-fA-F0-9]{32}`
Hash - SHA1	`[a-fA-F0-9]{40}`
Hash - SHA256	`[a-fA-F0-9]{64}`
Hash - SHA512	`[a-fA-F0-9]{128}`
Hex	`/^#?([a-f0-9]{6}\\|[a-f0-9]{3})$/`
IPv4	`\b(?:(?:25[0-5]\\|2[0-4][0-9]\\|1[0-9][0-9]\\|[1-9]?[0-9])\.){3}(?:25[0-5]\\|2[0-4][0-9]\\|1[0-9][0-9]\\|[1-9]?[0-9])\b`	Regex101	bstrings
IPv4 (External Only)	\b(?!0\.)(?!10\.)(?!100\.6[4-9]\.)(?!100\.[7-9]\d\.)(?!100\.1[0-1]\d\.)(?!100\.12[0-7]\.)(?!127\.)(?!169\.254\.)(?!172\.1[6-9]\.)(?!172\.2[0-9]\.)(?!172\.3[0-1]\.)(?!192\.0\.0\.)(?!192\.0\.2\.)(?!192\.88\.99\.)(?!192\.168\.)(?!198\.1[8-9]\.)(?!198\.51\.100\.)(?!203.0\.113\.)(?!22[4-9]\.)(?!23[0-9]\.)(?!24[0-9]\.)(?!25[0-5]\.)(([0-9]\\|[1-9][0-9]\\|1[0-9]{2}\\|2[0-4][0-9]\\|25[0-5])\.([0-9]\\|[1-9][0-9]\\|1[0-9]{2}\\|2[0-4][0-9]\\|25[0-5])\.([0-9]\\|[1-9][0-9]\\|1[0-9]{2}\\|2[0-4][0-9]\\|25[0-5])\.([0-9]\\|[1-9][0-9]\\|1[0-9]{2}\\|2[0-4][0-9]\\|25[0-5]))\b	Regex101	StackOverflow
IPv6	(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}\\|([0-9a-fA-F]{1,4}:){1,7}:\\|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}\\|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}\\|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}\\|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}\\|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}\\|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})\\|:((:[0-9a-fA-F]{1,4}){1,7}\\|:)\\|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\\|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]\\|(2[0-4]\\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\\|(2[0-4]\\|1{0,1}[0-9]){0,1}[0-9])\\|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]\\|(2[0-4]\\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\\|(2[0-4]\\|1{0,1}[0-9]){0,1}[0-9]))	Regex101	RegexTester
MAC Address	`^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$`	Regex101	StackOverflow
Passwords	`^(?=.?[A-Z])(?=.?[a-z])(?=.?[0-9])(?=.?[#?!@$ %^&*-]).{8,}$`	Regex101	IHateRegex
Phone Numbers	`^(\+\d{1,2}\s)?$?\d{3}$?[\s.-]?\d{3}[\s.-]?\d{4}$`	Regex101	StackOverflow
Qakbot C2	`(http\\|https).*\:[0-9]{2,5}\/t5`		Twitter
Remove trailing backslash from every line in a document	`\\+$`	Regex101
URLs	`(https?:\/\/)?(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()!@:%_\+.~#?&\/\/=]*)`	Regex101	mathiasbynens.be URL Spec IHateRegex
Valid URLs (Excluding FP from above)	`\b((ht\\|f)tp(s)?:\/\/\\|www\.)+[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9]{2,}((\/)?([-a-zA-Z0-9@:%_\+.~#?&\/=]*)?)\b`	Regex101	`jball77`
US Social Security Numbers	`^(?!0{3})(?!6{3})[0-8]\d{2}-(?!0{2})\d{2}-(?!0{4})\d{4}$`	Regex101	IHateRegex
Username (Discord)	`^.{3,32}#[0-9]{4}$`	Regex101	IHateRegex

Regex Resources

https://www.regular-expressions.info/ - probably the best resource for regex that I’ve found yet! Made by the author of PowerGREP and EditPad Pro
https://regex101.com/ - great for testing regular expressions
https://regexr.com/ - serves as a regex IDE
https://www.mockaroo.com/ - great for generating fake data to test regex