Command Line Tool For Mac

1. Mac Uninstall Xcode Command Line Tools

New command-line tools in High Sierra. 1 October 2017, 09:08. Here’s a list of the differences between the main command-line tool listings in High Sierra compared to its predecessor Sierra.

Welcome to first post in the “Know Your Tools” series! Without further ado Have you ever wondered if/how.nix command line utilities may differ across distributions?

Perhaps it never even occurred to you that there was even a possibility the tools were any different. I mean, they’re basic command line tools. How and why could/would they possibly differ? Well, I’m here to say thy basic command line utilities art not the same across different distributions.

And, the differences can range from those that can cause a simple nuisance to those that can cause oversight of critical data. Rather than going into aspects of this discussion that have already been covered such as how and, I would instead like to focus on a few core utilities commonly used in/for DFIR artifact analysis and some caveats that may cause you some headache or even prevent you from getting the full set of results you’d expect. In highlighting the problems, I will also help you identify some workarounds I’ve learned and developed over the years in addressing these issues, along with an overarching solution at the end to install GNU core utilities on your Mac (should you want to go that route). Let’s get to it. Grep Grep is one of the most useful command-line utilities for searching within files/content, particularly for the ability to use for searching/matching. To some, this may be the first time you’ve even heard that term or “regex” (shortened version of it).

Some of you may have been using it for a while. And, nearly everyone at some point feels like Amirite?

Regardless of whether this is your first time hearing about regular expressions or if you use them regularly albeit with some level of discomfort, I HIGHLY suggest you take the time to learn and/or get better at using them – they will be your most powerful and best friend for grep. Though there is a definite regex learning curve (it’s really not that bad), knowing how to use regular expressions translates directly to performing effective and efficient searches for/of artifacts during an investigation.

Nonetheless, even if you feel like a near master of regular expressions, equally critical to an expression’s success is how it is implemented within a given tool. Specifically for grep, you may or may not be aware that it uses two different methods of matching that can highly impact the usefulness (and more important, validity) of results returned – Greedy vs. Lazy Matching. Let’s explore what each of these means/does. At a very high level, greedy matching attempts to find the last (or longest) possible match, and lazy matching attempts to find the first possible match (and stops there). More specifically, greedy matching employs what is called backtracking and look-behind’s but that is a separate discussion. Suffice to say, using an incorrect, unintended, and/or unexpected matching method can completely overlook critical data or at the very least provide an inefficient or invalid set of results.

Now having established some foundational knowledge about how grep searches can work, we will drop the knowledge bomb – the exact same grep expression on Linux (using GNU grep) may produce completely different or no results on Mac (using BSD grep), especially when using these different types of matching. The first time I found this out I spent an inordinate and unnecessary amount of time banging my head against a wall typing and re-typing the same expression across systems but seeing different results. I didn’t know what I didn’t know. And, well, now I hope to let you know what I didn’t know but painfully learned. While there is an explanation of why, it doesn’t necessarily matter for this discussion. Rather, I will get straight to the point of what you need to know and consider when using this utility across systems to perform effective searches.

While GREEDY searches execute pretty much the same across systems, the main difference comes when you are attempting to perform a LAZY search with grep. We’ll start with GREEDY searches as there is essentially little to no difference between the systems. Let’s perform a greedy search (find the last/longest possible match) for any string/line ending in “is” using grep’s option (“-E”). (Linux GNU)$ echo “thisis” grep -Eo ‘.+is' thisis (Mac BSD)$ echo “thisis” grep -Eo ‘.+is' thisis Both systems yield the same output using a completely transferrable command. Note: When specifying Extended Regular Expressions, you can (and I often do) just use “egrep” which implies the “-E” option. Now, let’s look at LAZY searches.

First, how do we even specify a lazy search? Well, to put it simply, you append a “?” to your matching sequence. Using the same search as before, we’ll instead use lazy matching (find the first/shortest match) for the string “is” on both the Linux (GNU) and Mac (BSD) versions of grep and see what both yield. (Linux GNU)$ echo “thisis” grep -Eo ‘.+?is' thisis (Mac BSD)$ echo “thisis” grep -Eo ‘.+?is' this Here the fun begins. We did the exact same command on both systems and it returned different results. Well, for LAZY searches, Linux (GNU) grep does NOT recognize lazy searches unless you specify the “-P” option (short for PCRE, which stands for Perl Compatible Regular Expressions). So, we’ll supply that this time: (Linux GNU)$ echo “thisis” grep -Po ‘.+?is' this There we go.

That’s what we expected and hoped for.Note: You cannot use the implied Extended expression syntax of “egrep” here as you will get a “conflicting matchers specified” error. Extended regex and PCRE are mutually exclusive in GNU grep. Note that Mac (BSD), on the other hand, WILL do a lazy search by default with Extended grep. No changes necessary there. While not knowing this likely won’t lead to catastrophic misses of data, it can (and in my experience will very likely) lead to massive amounts of false positives due to greedy matches that you have to unnecessarily sift through. Ever performed a grep search and got a ton of very imprecise and unnecessarily large (though technically correct) results?

Mac Uninstall Xcode Command Line Tools

This implementation difference and issue could certainly have been the cause.