Forensic Fonts (FF) provides a forensically sound view of input from the standard input or a file selected by the user. It does this using one of a set of forensic fonts, specifically designed to meet the criteria:
FF can be operated in either command line or GUI mode.
| Set | Resize | Toggle RealTime or Delayed resize display update. |
| Set | Font | select from the available forensic fonts. |
| Set | Size | Choose font sizes. |
| Set | Border | Toggle borders around presented symbols. |
| Set | Background | Change the background display area color. |
| Set | Shift | Move through the input byte sequence. |
| Set | Linelength | Enforce line length of display on file output. |
| Set | Table | Use a table for file output. |
| Set | Counts | Put file location (just before) each line in file output. |
| EOL | (enter or select) | Set desired end-of-line byte value (from the menu or via user entry) |
| Find | (enter sequence) | Find the next (last) instance of the regular expression (or string) |
| From | (enter integer) | Set the starting byte to display from the input sequence. |
| To | (enter integer) | Set the ending byte to display from the input sequence. |
| File | Open | Open a new file to use as the input sequence. |
| File | Help | Display this help message. |
| File | Print a PDF file from the current setup. (unlicensed only) | |
| File | Print -> All | Print an HTML and PDF file from the current setup. (licensed only) |
| File | Print -> This screen | Print only the content on the screen in HTML and PDF. (licensed only) |
| File | Print -> Here to end | Print from the start of the screen to the end of the file in HTML and PDF. (licensed only) |
| File | Print -> Start to here | Print from the beginning of the content to the end of the screen in HTML and PDF. (licensed only) |
| File | Print -> Specific range | Print a user-specified range of content in HTML and PDF. (licensed only) |
| File | Install | Install the fonts for HTML output in the ~/.FF directory. (licensed only) |
| Bye | Quit FF. |
On resize: a mouse click redisplays the content.
Window title: is set by the input file name (copyright notice for stdin)
CL mode provides a way to produce HTML output that looks much like the results of using FF in the GUI mode. This is then suitable for printing and turning into PDF files using your local browser.
The following CL options are provided: Option [default]: Description
-help : Show help - no other options may be present
-ff [ASCII]: Font Family [ASCII/SIXBIT/EBCDIC] or user defined as found in ~/.FF
-f [F]: Font type [F/S] full / small (no codes below the symbol - use "-W - -H s" or similar to adapt height)
-i [-]: Input file - default STDIN
-o [-]: Output file - default STDOUT - if specified "-FF.html" is added to the output filename
-EOL [0A]: EOL character - any HEX code - or NA for no EOL
-LL [0]: Line Length - add a newline every so many characters (HTML br)
-W [-]: Width [t/s/-/+/=/digits] - specifies the font width (t tiny / s small / - normal / + larger / = full sized / user defined)
-H [-]: Height [t/s/-/+/=/digits] - specifies the font height (t tiny / s small / - normal / + larger / = full sized / user defined)
-BG [gray]: BG color [anything HTML will accept] (try "#ff4422" or "orange" as examples)
-B [T]: Provide a border (if a table is in use)
-T [T]: Table format [T/F]
-C [T]: Count [T/F] include a count at the beginning of every line showing the byte number in the file of the last byte shown
-from [1]: From [integer] start the output at the byte specified
-to [-1]: To [integer] end the output at the byte specified (-1 = end of file)
Testing indicates that FF fails on large files due to java memory exhaustion. Heap space may be increased, but this will ultimately also be limited. In the default configuration, testing succeeded in examining and producing output from a 9,928,931 byte file, but failed with a slightly larger one. When viewing the resulting output (an HTML file of more than 7809 Mbytes) the Safari browser failed and crashed when it ran out of memory.
large files fail to generate PDF output - leaving HTML files (licensed only). Use your browser to convert to PDF (without the same provenance information embedded)
Input "From" and "To" fields are limited to the size of signed Java integers (i.e., 2^31-1), or less than 2 billion. In light of the large file memory issues identified above, this is unlikely to cause serious problems.
Regular expressions only search forward, and \u doesn't work (because FF analyses regular expressions in ISO-8859-1). Use double \xnn expressions to get unicode sequences and verify byte locations to determine 2-byte boundary is correct.
Characters
x The character x
\\ The backslash character
\0n The character with octal value 0n (0 <= n <= 7)
\0nn The character with octal value 0nn (0 <= n <= 7)
\0mnn The character with octal value 0mnn (0 <= m <= 3, 0 <= n <= 7)
\xhh The character with hexadecimal value 0xhh
\uhhhh The character with hexadecimal value 0xhhhh
\t The tab character ('\u0009')
\n The newline (line feed) character ('\u000A')
\r The carriage-return character ('\u000D')
\f The form-feed character ('\u000C')
\a The alert (bell) character ('\u0007')
\e The escape character ('\u001B')
\cx The control character corresponding to x
Character classes
[abc] a, b, or c (simple class)
[^abc] Any character except a, b, or c (negation)
[a-zA-Z] a through z or A through Z, inclusive (range)
[a-d[m-p]] a through d, or m through p: [a-dm-p] (union)
[a-z&&[def]] d, e, or f (intersection)
[a-z&&[^bc]] a through z, except for b and c: [ad-z] (subtraction)
[a-z&&[^m-p]] a through z, and not m through p: [a-lq-z](subtraction)
Predefined character classes
. Any character (may or may not match line terminators)
\d A digit: [0-9]
\D A non-digit: [^0-9]
\s A whitespace character: [ \t\n\x0B\f\r]
\S A non-whitespace character: [^\s]
\w A word character: [a-zA-Z_0-9]
\W A non-word character: [^\w]
POSIX character classes (US-ASCII only)
\p{Lower} A lower-case alphabetic character: [a-z]
\p{Upper} An upper-case alphabetic character:[A-Z]
\p{ASCII} All ASCII:[\x00-\x7F]
\p{Alpha} An alphabetic character:[\p{Lower}\p{Upper}]
\p{Digit} A decimal digit: [0-9]
\p{Alnum} An alphanumeric character:[\p{Alpha}\p{Digit}]
\p{Punct} Punctuation: One of !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
\p{Graph} A visible character: [\p{Alnum}\p{Punct}]
\p{Print} A printable character: [\p{Graph}]
\p{Blank} A space or a tab: [ \t]
\p{Cntrl} A control character: [\x00-\x1F\x7F]
\p{XDigit} A hexadecimal digit: [0-9a-fA-F]
\p{Space} A whitespace character: [ \t\n\x0B\f\r]
Classes for Unicode blocks and categories
\p{InGreek} A character in the Greek block (simple block)
\p{Lu} An uppercase letter (simple category)
\p{Sc} A currency symbol
\P{InGreek} Any character except one in the Greek block (negation)
[\p{L}&&[^\p{Lu}]] Any letter except an uppercase letter (subtraction)
Boundary matchers
^ The beginning of a line
$ The end of a line
\b A word boundary
\B A non-word boundary
\A The beginning of the input
\G The end of the previous match
\Z The end of the input but for the final terminator, if any
\z The end of the input
Greedy quantifiers
X? X, once or not at all
X* X, zero or more times
X+ X, one or more times
X{n} X, exactly n times
X{n,} X, at least n times
X{n,m} X, at least n but not more than m times
Reluctant quantifiers
X?? X, once or not at all
X*? X, zero or more times
X+? X, one or more times
X{n}? X, exactly n times
X{n,}? X, at least n times
X{n,m}? X, at least n but not more than m times
Possessive quantifiers
X?+ X, once or not at all
X*+ X, zero or more times
X++ X, one or more times
X{n}+ X, exactly n times
X{n,}+ X, at least n times
X{n,m}+ X, at least n but not more than m times
Logical operators
XY X followed by Y
X|Y Either X or Y
(X) X, as a capturing group
Back references
\n Whatever the nth capturing group matched
Quotation
\ Nothing, but quotes the following character
\Q Nothing, but quotes all characters until \E
\E Nothing, but ends quoting started by \Q
Special constructs (non-capturing)
(?:X) X, as a non-capturing group
(?idmsux-idmsux) Nothing, but turns match flags on - off
(?idmsux-idmsux:X) X, as a non-capturing group with the given flags on - off
(?=X) X, via zero-width positive lookahead
(?!X) X, via zero-width negative lookahead
(?<=X) X, via zero-width positive lookbehind
(?X) X, as an independent, non-capturing group
Flags:
i Case insensitive
d Unix lines (\n only)
m Multiline mode (default in FF)
s . matches line terminators (DOTALL)
u Unicode case aware (won't work in FF)
x Comments start with # till end of line