SANS Digital Forensics and Incident Response Blog

Perl and Forensics

Perl is a wonderful tool for forensics. With Perl I can write a short script that takes care of a variety of repetitive tasks in a short amount of time. I find that if I use Perl scripts to process my command-line output, I can save myself large amounts of time during an investigation. Perl also works as a data filter: after running a script, I can feed its output into Autopsy or a hex editor.

In a recent case I was working on, I needed to retrieve several keywords from the unallocated space on an NTFS partition and then review the clusters they were located in with Autopsy. Perl came to the rescue. After running "strings -td | grep -i -f {keyword file} > keywords.asc" on the blkls file, I used the cut command to trim everything after the offsets. Next, I had to divide each offset by 4096, as that was the block size, and send the result to blkcalc to get the actual cluster my keyword was located in. With 200 clusters to look at, I did not want to do this by hand. Here is an example Perl script to do that task and save the output to a file:

use integer;

# Input: one hit per line, the decimal offset from "strings -td" followed by the keyword.
# Taking the input file name from the command line is an assumption; the original post
# did not show where $filename was set.
$filename = $ARGV[0];
open FILE, "<$filename" or die $!;
open FILEOUT, ">$filename.out" or die $!;
while (<FILE>) {
    # split ' ' (awk mode) ignores the leading spaces that strings -td pads offsets with
    @fields = split ' ', $_;

    # Offset within the blkls output divided by the 4096-byte cluster size = blkls block number
    $result = $fields[0] / 4096;
    # Be sure to change the line below to reflect your installation of Sleuthkit
    # (blkcalc -s expects addresses from a "blkls -s" slack image; -u is for a plain blkls image)
    $output = `/usr/local/sleuthkit-3.0.0/bin/blkcalc -s $result -f ntfs partition.dd`;
    chomp $output;
    print FILEOUT "Cluster: $output \t Keyword: @fields\n";
}
close FILE;
close FILEOUT;

The output shows what cluster the keyword can be found in. The cluster number can be put into Autopsy's Data Unit page.
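The same offset-to-cluster translation as an added example (not code from the original post). It reads the raw "strings -td | grep" output directly, so no cut step is needed, records the byte offset inside the cluster so a hit can be found in a hex editor, and groups hits so blkcalc runs once per block. It assumes the original image is partition.dd, the blkls output came from a plain blkls run (hence -u), the cluster size is 4096 bytes, and blkcalc is on PATH.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $BLOCK_SIZE = 4096;             # NTFS cluster size from fsstat (assumed)
my $IMAGE      = 'partition.dd';   # original partition image (assumed name)
my ($hits_file, $out_file) = @ARGV;
die "usage: $0 keywords.asc keywords.out\n" unless defined $out_file;

# Group hits by blkls block so each block is translated only once.
my %hits_by_block;
open my $in, '<', $hits_file or die "open $hits_file: $!";
while (my $line = <$in>) {
    chomp $line;
    # strings -td prints a (possibly space-padded) decimal offset, then the string.
    next unless $line =~ /^\s*(\d+)\s+(.*)$/;
    my ($offset, $text) = ($1, $2);
    my $block  = int($offset / $BLOCK_SIZE);
    my $within = $offset % $BLOCK_SIZE;   # where inside the cluster the hit starts
    push @{ $hits_by_block{$block} }, [$within, $text];
}
close $in;

open my $out, '>', $out_file or die "open $out_file: $!";
for my $block (sort { $a <=> $b } keys %hits_by_block) {
    # List-form pipe open: no shell is involved, so keyword text never reaches a command line.
    # -u: the address comes from a plain blkls (unallocated) image.
    open my $bc, '-|', 'blkcalc', '-u', $block, '-f', 'ntfs', $IMAGE
        or die "run blkcalc: $!";
    my $cluster = <$bc>;
    close $bc;
    die "blkcalc failed for blkls block $block\n" if $? != 0 || !defined $cluster;
    chomp $cluster;
    for my $hit (@{ $hits_by_block{$block} }) {
        my ($within, $text) = @$hit;
        printf $out "Cluster: %s\tOffset in cluster: %d\tKeyword: %s\n",
            $cluster, $within, $text;
    }
}
close $out;
```

Run it as "perl blkhits.pl keywords.asc keywords.out"; the cluster numbers go into Autopsy's Data Unit page and the in-cluster offsets give the position to jump to in a hex editor.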

On a side note, I do find using strings and blkcalc on the command-line to be significantly faster than using Autopsy Keyword search on unallocated space.


Keven Murphy, GCFA Gold #24, is an IT security manager contracted to a Fortune 100 defense contractor.


Posted December 5, 2008 at 8:33 AM


There's also this book, and you can get a LOT of Perly goodness here, too.