SANS Digital Forensics and Incident Response Blog: Tag - grep

Strings, Strings, Are Wonderful Things

One of the basics of doing forensics involves gathering the ASCII and Unicode strings in the file system and searching for keywords. Using Linux we can gather the strings for both ASCII and Unicode using the strings command.

To Gather the ASCII Strings

# strings -td /dev/sdb > sdb.ascii

Note: The -td in the above line tells strings to print the offset in decimal for the line.

To Gather the Unicode Strings

# strings -td -el /dev/sdb > sdb.unicode

Note: The -el option will have the strings command handle 16-bit little endian encoding. Strings can handle other types of encoding such as 32-bit big/little endian. See the man page on strings and the -e option.

Below is a sample output from the command:

192301972 This field is deprecated. Deprecated components of Microsoft

... Continue reading Strings, Strings, Are Wonderful Things

Missed It By That Much!

Hal Pomeranz, Deer Run Associates

One primitive forensic technique I show my students in my SANS Sec506 class is the tried and true method of using grep to display byte offsets of "strings of interest" found in a disk image. For example, I have my students go looking for "love" in the file system of the VMware image we use in class:

# grep -abi 'love' /dev/sda6
452925733:# This is a comment. I love comments.

Once you have the byte offsets from grep, all you have to do is divide by the block size of the file system (hint: use fsstat) to get the number of the block that the string resides in. In the example, /dev/sda6 is a small file system that only uses 1024 byte


Bring Me My Pipe

[caption id="attachment_298" align="alignleft" width="180" caption="Pipes photo courtesy of tanakawho at "]//[/caption]

Often used and under appreciated, the pipe feature in unix/linux/dos has to be my favorite tool in incident response and forensics.

Need the device at /dev/sda imaged with progress indicators and an md5sum?

dd if=/dev/sda| pipebench | tee sda.dd | md5sum >sda.md5.txt

Need a summary of the unique hosts from Internet Explorer's index.dat history file?

pasco index.dat | grep -v 'javascript\\:' | egrep -i 'ftp|http' | sort -k 4 | awk '{print $3}' | awk