I performed a fresh install of macOS Mojave 10.14. Immediately after that I installed Xcode Version 10.0 (10A255) from the Mac App Store. Now, I wish to install Homebrew which requires Xcode Command Line Tools to be installed. My understanding is that installing Xcode also installs the Command Line Tools. As per, I checked if the Command Line Tools are installed by running: xcode-select -p which printed the path for the Developer directory as follows: /Applications/Xcode.app/Contents/Developer As suggested in the answer, I also verified the return value by running: echo $?
Which retuned 0. I also ran, gcc and make and bash was able to locate and execute them. Thus far I am convinced that the Xcode Command Line Tools are installed. Now when I execute: xcode-select -install I get this alert: What's the probable reason for this disparity? Will this install Xcode Command Line Tools twice? Or overwrite the existing installation?
As I understand, Xcode Command Line Tools can be installed without installing Xcode. Also, from my previous experience, if the Command Line Tools aren't installed separately from Xcode (by running xcode-select -install), they are not detected by Homebrew, i.e.
When running brew config, the value for CLT: is shown as N/A. Here's the complete picture (pardon the pun): Although I am talking in context of macOS Mojave, the question remains the same with regard to previous versions of macOS. What is the advisable approach to take here?
Ccleaner business edition v4.16.4763 v1.0.7 for mac. Note: After installing Xcode, I launched it, accepted license agreement and let it finish its run of installing additional tools (which is a one time activity).
Welcome to first post in the “Know Your Tools” series! Without further ado Have you ever wondered if/how.nix command line utilities may differ across distributions?
Perhaps it never even occurred to you that there was even a possibility the tools were any different. I mean, they’re basic command line tools. How and why could/would they possibly differ? Well, I’m here to say thy basic command line utilities art not the same across different distributions. And, the differences can range from those that can cause a simple nuisance to those that can cause oversight of critical data.
Rather than going into aspects of this discussion that have already been covered such as how and, I would instead like to focus on a few core utilities commonly used in/for DFIR artifact analysis and some caveats that may cause you some headache or even prevent you from getting the full set of results you’d expect. In highlighting the problems, I will also help you identify some workarounds I’ve learned and developed over the years in addressing these issues, along with an overarching solution at the end to install GNU core utilities on your Mac (should you want to go that route). Let’s get to it.
Grep Grep is one of the most useful command-line utilities for searching within files/content, particularly for the ability to use for searching/matching. To some, this may be the first time you’ve even heard that term or “regex” (shortened version of it).
Some of you may have been using it for a while. And, nearly everyone at some point feels like Amirite?
Regardless of whether this is your first time hearing about regular expressions or if you use them regularly albeit with some level of discomfort, I HIGHLY suggest you take the time to learn and/or get better at using them – they will be your most powerful and best friend for grep. Though there is a definite regex learning curve (it’s really not that bad), knowing how to use regular expressions translates directly to performing effective and efficient searches for/of artifacts during an investigation.
Nonetheless, even if you feel like a near master of regular expressions, equally critical to an expression’s success is how it is implemented within a given tool. Specifically for grep, you may or may not be aware that it uses two different methods of matching that can highly impact the usefulness (and more important, validity) of results returned – Greedy vs. Lazy Matching. Let’s explore what each of these means/does.
At a very high level, greedy matching attempts to find the last (or longest) possible match, and lazy matching attempts to find the first possible match (and stops there). More specifically, greedy matching employs what is called backtracking and look-behind’s but that is a separate discussion. Suffice to say, using an incorrect, unintended, and/or unexpected matching method can completely overlook critical data or at the very least provide an inefficient or invalid set of results. Now having established some foundational knowledge about how grep searches can work, we will drop the knowledge bomb – the exact same grep expression on Linux (using GNU grep) may produce completely different or no results on Mac (using BSD grep), especially when using these different types of matching. The first time I found this out I spent an inordinate and unnecessary amount of time banging my head against a wall typing and re-typing the same expression across systems but seeing different results.
I didn’t know what I didn’t know. And, well, now I hope to let you know what I didn’t know but painfully learned.
While there is an explanation of why, it doesn’t necessarily matter for this discussion. Rather, I will get straight to the point of what you need to know and consider when using this utility across systems to perform effective searches. While GREEDY searches execute pretty much the same across systems, the main difference comes when you are attempting to perform a LAZY search with grep. We’ll start with GREEDY searches as there is essentially little to no difference between the systems. Let’s perform a greedy search (find the last/longest possible match) for any string/line ending in “is” using grep’s option (“-E”). (Linux GNU)$ echo “thisis” grep -Eo ‘.+is' thisis (Mac BSD)$ echo “thisis” grep -Eo ‘.+is' thisis Both systems yield the same output using a completely transferrable command.
Note: When specifying Extended Regular Expressions, you can (and I often do) just use “egrep” which implies the “-E” option. Now, let’s look at LAZY searches.
First, how do we even specify a lazy search? Well, to put it simply, you append a “?” to your matching sequence. Using the same search as before, we’ll instead use lazy matching (find the first/shortest match) for the string “is” on both the Linux (GNU) and Mac (BSD) versions of grep and see what both yield. (Linux GNU)$ echo “thisis” grep -Eo ‘.+?is' thisis (Mac BSD)$ echo “thisis” grep -Eo ‘.+?is' this Here the fun begins. We did the exact same command on both systems and it returned different results.
Well, for LAZY searches, Linux (GNU) grep does NOT recognize lazy searches unless you specify the “-P” option (short for PCRE, which stands for Perl Compatible Regular Expressions). So, we’ll supply that this time: (Linux GNU)$ echo “thisis” grep -Po ‘.+?is' this There we go. That’s what we expected and hoped for.Note: You cannot use the implied Extended expression syntax of “egrep” here as you will get a “conflicting matchers specified” error. Extended regex and PCRE are mutually exclusive in GNU grep. Note that Mac (BSD), on the other hand, WILL do a lazy search by default with Extended grep.
No changes necessary there. While not knowing this likely won’t lead to catastrophic misses of data, it can (and in my experience will very likely) lead to massive amounts of false positives due to greedy matches that you have to unnecessarily sift through. Ever performed a grep search and got a ton of very imprecise and unnecessarily large (though technically correct) results?
This implementation difference and issue could certainly have been the cause.