SANS Digital Forensics and Incident Response Blog: Tag - perl forensics word search

Perl and Forensics: Keyword searches and Toad (Quest Software)

Here are some more examples of using Perl for keyword searches from the output of the strings command (strings -td {blkls file}) of an image.

I had a text file (Toad Connections.ini file) that consisted of the same thing over and over again. Since the file type was ASCII text without any headers or footers, there was not an easy way to cut it out of unallocated space. Why not let Perl do the hard work?

A simplified version of the contents:

[LOGIN 1]
SERVER=test.box.com
USER=joesomebody
PASSWORD=dfsdafj^&*)(&kadf*&^09dafj234

I did a quick search for LOGIN using grep. Grep came back with over 1000 hits, which is far too many to recover by hand. Using Perl, I can recover those lines I want. The resulting Perl script is below.

#!/usr/bin/perl

$data_file="image.dd.slack.asc";
$out_file="login_srch_slack.out";

# Opens up the file to be read in
open(IFH,

...
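The approach described above, as an added example that is not the original post's script: it walks strings -td output, starts a record at each [LOGIN n] line, and collects the SERVER, USER and PASSWORD lines that follow, flagging partial and duplicate records. The sample input is constructed, and the rule that any other string ends a record is an assumption about how fragments appear in unallocated space.

```perl
# Added example: carve [LOGIN n] records out of `strings -td` output.
use strict;
use warnings;

# Constructed sample of `strings -td` output: decimal byte offset, then the string.
my @lines = split /\n/, <<'SAMPLE';
   4096 [LOGIN 1]
   4106 SERVER=test.box.com
   4126 USER=joesomebody
   4143 PASSWORD=constructed-placeholder-1
   9000 unrelated string
  12288 [LOGIN 2]
  12298 SERVER=db.example.test
  12321 random junk from another file
  20480 [LOGIN 1]
  20490 SERVER=test.box.com
  20510 USER=joesomebody
  20527 PASSWORD=constructed-placeholder-1
SAMPLE
my @fields = qw(SERVER USER PASSWORD);   # field names from the simplified record

# Returns one hashref per [LOGIN n] header, with whatever fields followed it.
sub carve_logins {
    my @in = @_;
    my (@records, $cur);
    for my $line (@in) {
        my ($offset, $text) = $line =~ /^\s*(\d+)\s(.*)$/ or next;
        if ($text =~ /^\[LOGIN (\d+)\]/) {
            $cur = { offset => $offset, login => $1 };
            push @records, $cur;
        }
        elsif ($cur && $text =~ /^(SERVER|USER|PASSWORD)=(.*)$/ && !exists $cur->{$1}) {
            $cur->{$1} = $2;
        }
        else {
            undef $cur;   # assumption: any other string ends the current record
        }
    }
    return @records;
}

my %seen;
for my $r (carve_logins(@lines)) {
    my $key = join "|", map { $r->{$_} // "" } "login", @fields;
    my $state = (grep { !defined $r->{$_} } @fields) ? "partial" : "complete";
    $state .= ",duplicate" if $seen{$key}++;   # same record carved from a second offset
    printf "offset=%d login=%s %s [%s]\n", $r->{offset}, $r->{login},
        join(" ", map { $_ . "=" . ($r->{$_} // "?") } @fields), $state;
}
```

Keeping the byte offset with each record lets an examiner go back to the exact location in the blkls output to verify a hit by hand.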