SANS Digital Forensics and Incident Response Blog: Tag - ascii

Strings, Strings, Are Wonderful Things

One of the basics of doing forensics involves gathering the ASCII and Unicode strings in the file system and searching for keywords. Using Linux we can gather the strings for both ASCII and Unicode using the strings command.

To Gather the ASCII Strings

# strings -td /dev/sdb > sdb.ascii

Note: The -td in the above line tells strings to print the offset in decimal for the line.

To Gather the Unicode Strings

# strings -td -el /dev/sdb > sdb.unicode

Note: The -el option will have the strings command handle 16-bit little endian encoding. Strings can handle other types of encoding such as 32-bit big/little endian. See the man page on strings and the -e option.

Below is a sample output from the command:

192301972 This field is deprecated. Deprecated components of Microsoft

... Continue reading Strings, Strings, Are Wonderful Things