SANS Digital Forensics and Incident Response Blog

Perl and Forensics: Keyword searches and Toad (Quest Software)

Here are some more examples of using Perl for keyword searches over the output of the strings command (strings -td {blkls file}) run against an image.

I had a text file (Toad Connections.ini file) that consisted of the same thing over and over again. Since the file type was ASCII text without any headers or footers, there was not an easy way to carve it out of unallocated space. Why not let Perl do the hard work?

A simplified version of the contents:

[LOGIN 1]
SERVER=test.box.com
USER=joesomebody
PASSWORD=dfsdafj^&*)(&kadf*&^09dafj234

I did a quick search for LOGIN using grep. Grep came back with over 1000 hits, which is far too many to recover by hand. Using Perl, I can recover those lines I want. The resulting Perl script is below.

#!/usr/bin/perl
use strict;
use warnings;

my $data_file = "image.dd.slack.asc";    # strings -t d output to search
my $out_file  = "login_srch_slack.out";  # matching lines are written here

# Open the strings output for reading and the results file for writing
open(IFH, "<", $data_file) or die "Cannot open $data_file: $!";
open(OFH, ">", $out_file)  or die "Cannot create $out_file: $!";

while (my $instring = <IFH>) {
    chomp($instring);

    # Looks for the string [LOGIN
    if ($instring =~ /\[LOGIN/) {
        print "Found: $instring\n";
        print OFH "$instring\n";
    }
    # Looks for the string SERVER= (the leading space anchors it to the
    # start of the string, right after the offset printed by strings -t d)
    if ($instring =~ / SERVER=/) {
        print "Found: $instring\n";
        print OFH "$instring\n";
    }
    # Looks for the string USER=
    if ($instring =~ / USER=/) {
        print "Found: $instring\n";
        print OFH "$instring\n";
    }
    # Looks for the string PASSWORD=
    if ($instring =~ / PASSWORD=/) {
        print "Found: $instring\n";
        print OFH "$instring\n";
    }
}

close(IFH);
close(OFH);

The output looks like:
0 [LOGIN 1]
10 SERVER=test.box.com
31 USER=joesomebody
49 PASSWORD=dfsdafj^&*)(&kadf*&^09dafj234
89 [LOGIN 3]
99 SERVER=test.box.com
120 USER=someone
134 PASSWORD=cwlsadfhkjhtoi24yb8i4y3t^%

Keyword Searching With Perl

What about if we have a huge list of keywords we are looking for? Try the script below on your string files. The script will pull out those lines that have your keywords in them.

word_search.pl (Download at: http://www.citadelsystems.net/index.php/forensics-tools/36-word-search/53-wordsearchpl)

To run simply do:
# ./word_search.pl -file image.dd.unallocated.ascii -wordfile keyword.txt -output /case/100/keywords

Each keyword will have its own file in the /case/100/keywords directory. Keywords that were not found simply have an empty file.

If we cat the file LOGIN, as it was a keyword, we find the following:
0 [LOGIN 1]
89 [LOGIN 3]

Each output line is the whole strings line in which the keyword was found. Because the strings output was produced with strings -t d, the first field is the decimal byte offset in the image file, which gives us a place to go back to.

Additional Notes:
1) The more keywords you have, the longer it takes to run.
2) I would not run this on binary data. It was written to process ASCII.
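The downloadable script is not reproduced on this page. The following Perl is an added example, not the original word_search.pl: it performs the same per-keyword split of a strings -t d file in one pass, but the -file/-wordfile/-output option parsing is left out and the keyword list and strings output are constructed in-memory samples.

```perl
#!/usr/bin/perl
# Added example, not the downloadable word_search.pl: one pass over the
# strings -t d output, one output file per keyword, empty file when no hit.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
# Read keywords, one per line; blank lines and # comments are skipped.
sub read_keywords {
    my ($fh) = @_;
    my @words;
    while (my $line = <$fh>) {
        chomp $line;
        push @words, $line unless $line =~ /^\s*(#|$)/;
    }
    return @words;
}

# Every keyword is tested against every line, so run time grows with
# (lines x keywords), which is why long keyword lists are slow.
sub search_keywords {
    my ($in_fh, $keywords, $outdir) = @_;
    my (%out, %hits);
    for my $kw (@$keywords) {
        (my $name = $kw) =~ s/[^A-Za-z0-9_.-]/_/g;   # keyword as a safe file name
        open $out{$kw}, '>', File::Spec->catfile($outdir, $name)
            or die "cannot write $name: $!";
    }
    while (my $line = <$in_fh>) {
        chomp $line;
        # strings -t d prints "<decimal offset> <string>"; skip anything else
        my ($offset, $text) = $line =~ /^\s*(\d+)\s(.*)$/ or next;
        for my $kw (@$keywords) {
            next unless index($text, $kw) >= 0;   # literal, case-sensitive match
            print { $out{$kw} } "$offset $text\n";
            $hits{$kw}++;
        }
    }
    close $_ for values %out;
    return \%hits;
}
# Constructed sample input standing in for the strings output and keyword file
my $strings_out = "      0 [LOGIN 1]\n     10 SERVER=test.box.com\n     31 USER=joesomebody\n     89 [LOGIN 3]\n";
my $wordlist    = "LOGIN\nSERVER=\nPASSWORD=\n";
open my $sfh, '<', \$strings_out or die $!;
open my $wfh, '<', \$wordlist    or die $!;
my @kw   = read_keywords($wfh);
my $hits = search_keywords($sfh, \@kw, tempdir(CLEANUP => 1));
printf "%-10s %d hit(s)\n", $_, $hits->{$_} || 0 for @kw;   # PASSWORD= gets 0 and an empty file
```

The sample strings lines carry the right-aligned offsets that strings -t d really prints; to run it against a case, replace the two in-memory filehandles with the real strings file and keyword file and point the output directory at the case folder.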

Keven Murphy, GCFA Gold #24, is an IT security manager contracted to a Fortune 100 defense contractor.