SANS Digital Forensics and Incident Response Blog: Daily Archives: Nov 12, 2008

More command line forensics fu

Recently, I was asked if I could recover all images from a hard disk drive that could be linked to a specific digital camera. In this case, the EXIF data contained the make, model and serial number of the camera in question. Using some simple command fu, I was able to quickly recover all of the images. I could have used GUI tools, but I believe in keeping my command line skills polished, so I try to use them as much as I can.

Here's how I did it. For the sake of demonstration, I'm using the ipcase_ntfs.img from SANS Security 508: Computer Forensics, Investigation and Response, but the concepts are the same for any hard drive image.

To begin with, extract the strings from the image as follows:

strings --radix=d image_file > image_strings.txt

Using the --radix=d causes the strings command to include the byte offset in decimal where the given string
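As an added worked example (not code from the original post), here is the offset-based approach carried through end to end in a POSIX shell script: it builds a small constructed "disk image" containing a JPEG-like blob with EXIF-style make, model and serial text, runs the `strings --radix=d` step shown above, greps the dump for the serial, and then carves the surrounding JPEG out of the image by byte offset. The camera values, the serial `SN0123456789`, the blob layout and the function names are all made up for the demo; the script assumes GNU `strings`, `grep`, `awk` and `dd`, and relies only on the real JPEG start-of-image (`FF D8`) and end-of-image (`FF D9`) markers.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a small constructed
# "disk image" holding a JPEG-like blob with EXIF-style text, locates the
# camera serial and its decimal byte offset with `strings --radix=d` (the step
# the post shows), and carves the blob out by offset with dd.
# Assumes GNU strings/grep/awk/dd; every value below is made up for the demo.
set -eu
export LC_ALL=C          # byte semantics for grep/awk, no UTF-8 surprises

SERIAL="SN0123456789"    # constructed serial number we are hunting for

# Build the image: zero filler, a fake JPEG (SOI, APP1/EXIF-style text, dummy
# data, EOI), then more filler, so the hit lands at a non-trivial offset.
build_image() {
    out="$1"
    {
        head -c 4096 /dev/zero
        printf '\377\330\377\341'                          # SOI, APP1 marker
        printf 'Exif\000\000Canon\000Canon EOS 20D\000%s\000' "$SERIAL"
        head -c 512 /dev/zero | tr '\0' 'A'                # stand-in for image data
        printf '\377\331'                                  # EOI
        head -c 2048 /dev/zero
    } > "$out"
}

# Step 1, the post's command: each printable string prefixed with its decimal
# byte offset. -a scans the whole file even if strings thinks it is an object
# file; -t d is the short spelling of --radix=d.
dump_strings() {
    strings -a --radix=d "$1"
}

# Step 2: grep the dump for the serial; print the offset of the first hit.
serial_offset() {
    dump_strings "$1" | grep -F "$SERIAL" | awk '{ print $1; exit }'
}

# Step 3: walk back from the hit to the nearest JPEG SOI (FF D8) and forward
# to the next EOI (FF D9), then carve that range with dd. grep -ob on the raw
# bytes reports the offset of every marker. Prints "start length".
carve_jpeg() {
    img="$1"; hit="$2"; out="$3"
    soi=$(grep -obaF "$(printf '\377\330')" "$img" | cut -d: -f1 |
          awk -v h="$hit" '$1 <= h { s = $1 } END { print s }')
    eoi=$(grep -obaF "$(printf '\377\331')" "$img" | cut -d: -f1 |
          awk -v h="$hit" '$1 > h { print $1; exit }')
    if [ -z "$soi" ] || [ -z "$eoi" ]; then
        echo "no JPEG markers bracket offset $hit" >&2
        return 1
    fi
    len=$((eoi + 2 - soi))                                 # include the EOI bytes
    dd if="$img" of="$out" bs=1 skip="$soi" count="$len" 2>/dev/null
    echo "$soi $len"
}

# Usage: build the image, find the serial, carve the picture around it.
work=$(mktemp -d)
build_image "$work/disk.img"
hit=$(serial_offset "$work/disk.img")
echo "serial $SERIAL found at byte offset $hit"
range=$(carve_jpeg "$work/disk.img" "$hit" "$work/carved.jpg")
echo "carved JPEG (start length): $range -> $work/carved.jpg"
```

The carve uses the simplest possible heuristic, nearest `FF D8` before the hit and first `FF D9` after it. Real JPEGs often carry an EXIF thumbnail inside the APP1 segment, which has its own SOI and EOI markers, so on a real image verify each carved file (with `file`, or by reading its EXIF back) rather than trusting the first EOI you meet.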