SANS Digital Forensics and Incident Response Blog: Daily Archives: Dec 03, 2008

Perl and Forensics

Perl is a wonderful tool for forensics. With Perl I can write a short script that handles a variety of repetitive tasks in a short amount of time. I find that if I combine Perl scripts with my command-line output, I can save myself large amounts of time during an investigation. Perl also works well as a filter: once the script has processed the data, I can feed the result into Autopsy or a hex editor.

In a recent case I was working on, I needed to retrieve several keywords from the unallocated space on an NTFS partition and then review the clusters they were located in with Autopsy. Perl came to the rescue. After running "strings -td | grep -i -f {keyword file} > keywords.asc" on the blkls output file, I used the cut command to trim everything after the offsets. Next, I had to divide each offset by 4096, as that was the block (cluster) size, and send the result to blkcalc to get the actual cluster my keyword was located in. With 200 clusters to look at, I did not want to do this by

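As an added example (not code from the original post), here is a Perl script that does the offset arithmetic described above: it reads the "strings -td | grep" hits, divides each decimal offset by the 4096-byte cluster size, groups the hits by blkls block so each cluster is reviewed once, and prints the blkcalc command for that block. The sample hits, the image file name and the use of blkcalc's -u option are my assumptions.

```perl
#!/usr/bin/perl
# Added example: map "strings -td" hits in a blkls file to blkls block addresses.
# Usage: perl cluster_hits.pl < keywords.asc   (reads the grep output)
#        perl cluster_hits.pl                   (no input: uses the sample below)
use strict;
use warnings;

my $block_size = 4096;   # NTFS cluster size from the post
my $image      = 'IMAGE.dd';   # assumed name of the original image

# Constructed sample of "strings -td | grep -i -f keywords" output:
# decimal byte offset into the blkls file, then the matched text.
my @sample = (
    "   8192 invoice attached",
    "   8300 INVOICE number 42",
    "  12300 wire transfer",
    "4194305 Invoice",
);

my @lines = (-t STDIN) ? @sample : <STDIN>;
chomp @lines;

# block number => list of "+offset_in_block: matched text"
my %clusters;
for my $line (@lines) {
    next unless $line =~ /^\s*(\d+)\s+(.*)$/;   # skip anything without an offset
    my ($offset, $text) = ($1, $2);
    my $block  = int($offset / $block_size);   # blkls block holding the hit
    my $within = $offset % $block_size;        # byte offset inside that block
    push @{ $clusters{$block} }, sprintf("+%d: %s", $within, $text);
}

# One entry per unique block, sorted numerically, with the blkcalc command.
# blkcalc -u takes a blkls (unallocated) address and returns the address in
# the original image; run it against the image, not the blkls output.
for my $block (sort { $a <=> $b } keys %clusters) {
    print "blkls block $block\n";
    print "    $_\n" for @{ $clusters{$block} };
    print "    blkcalc -u $block $image\n";
}
```

With the sample input the two "invoice" hits at offsets 8192 and 8300 collapse into block 2, so only three blkcalc calls are printed instead of four.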