SANS Digital Forensics and Incident Response Blog

Forensics and Perl-Fu

By Michael Worman

Ah Perl. Mysterious and maddening, it lies at the heart of the Internet as well as a million Ways to Do It. I discovered Perl in the mid 90s, before PHP and a lot of the other newfangled dynamic languages for web content. Javascript was a toy back then, and Java barely ran on anything. Graphics and pictures on web browsers were a new thing.

Perl is magical; for any forensic analyst, incident responder, or network ninja, the magic is in its raw ability to rapidly develop systems for processing text in an agile and intuitive manner. Some say that, unlike C++ and Java, learning and using basic Perl is as easy as learning a few words of conversational Spanish or French. This is no accident, as Perl's inventor Larry Wall is a linguist as well as the creator of one of the world's most prolific software development platforms. Perl is made to flow from conception to implementation with the minimal amount of overhead. It also happens to have one of the best regular expression interfaces ever invented.

Perl and forensics are an unmistakable perfect fit. Combining a powerful data parser with the ability to rapidly create glue logic between input and output streams, learning and mastering Perl can allow you to pull off some neat tricks.

  • Using Perl, I was once able to turn a 1.5 Terabyte-per-day data stream into quickly searchable 20MB compressed files, also reducing data storage requirements by 1000% and search times by 10,000%.
  • I once used Perl to create a recursive SNMP-based Perl program that could search an infrastructure of hundreds of network elements (switches/routers) for specific MAC addresses and cached IP information.
  • By continuing to use Perl, one can begin to master (and implement in code) regular expressions, the most fundamental computer function upon which all keyword searching techniques are based.

Indeed, just as Netcat is known as "the Swiss Army Knife of TCP/IP", Perl is regarded as "the Swiss Army chainsaw of scripting languages".

You don't have to be a programmer to learn Perl, but it helps. Perl is without a doubt one of the most approachable of all programming and scripting languages, because of the simplicity with which it meets the immediate needs of the novice developer who just wants "Something Done". The basics of Perl required to open, analyze, and close files can be taught in a day, as can the basics of writing regular expressions.

Why do we need to understand things like Perl, regexps, and command-line text processing? Because even in today's environment of integrated software suites and flashy marketing, it is really things like Perl and expression matching and command line basics that fuel most real digital forensics laboratories. At the heart of systems like Encase, FTK, and others are the regular expressions that Perl helped introduce to the Internet. Digging into Perl can be intimidating and so my upcoming articles will be primarily introductory pieces on the (very) basics of Perl and how to "munge" data in ways of interest to forensics or IR professional.

Perl can be found on almost any UNIX or Linux platform. Learning Perl from the O'Reilly series is a great starter, Programming Perl is considered the canonical "bible" of the language. For Windows users who don't know where to start, I strongly recommend the free developer kit available from ActiveState.

Mike Worman, GCFA Gold #124, GCIA Gold #282, is an incident response, forensics, and information security subject matter expert for an international telecommunications carrier. He holds a BS in Computer Systems Engineering from the University of Massachusetts, an MS in Information Assurance from Norwich University, and is CISSP-certified.

3 Comments

Posted April 21, 2009 at 11:13 AM | Permalink | Reply

kpryor

I'm looking very forward to your upcoming Perl posts. Perl is another one of the many things on my list of things I want to learn.
KP

Posted June 26, 2014 at 5:00 PM | Permalink | Reply

GZL

Hi,
I am intending to challenge myself in converting the command-line version of volatility to GUI version. Am I hesitating to using Python, C or Perl? Do you have any advice?
Best regards

Posted June 30, 2014 at 5:49 PM | Permalink | Reply

m

Since Volatility is written in Python I'm going to suggest Python as being the most straightforward.
Writing one in C or Perl will certainly be more challenging, if that's what you're going for.