SANS Digital Forensics and Incident Response Blog: Tag - strings

Digital Forensic SIFTing: String Searching and File Carving using srch_strings_wrap

The latest version of the SIFT 2.12contains a few scripts I wrote, and Rob asked me to write a post for the blog going over their functionality. The scripts add on to the functionality provided by The Sleuth Kit's srch_strings to provide additional information on string matches and automatically carve out matching files or blocks. … Continue reading Digital Forensic SIFTing: String Searching and File Carving using srch_strings_wrap

Fun with FIFOs (Part II): Output Splitting

Hal Pomeranz, Deer Run Associates

Several months ago now, I wrote up a little article on using FIFOs to trick the script command into writing output over the network. But there are other neat hacks you can do with FIFOs, and I want to show you one right now that can save you lots of time.

Suppose you had a disk image and you wanted to pull out both the ASCII and Unicode strings from a specific partition. The classic approach is to read the partition twice- once to gather the ASCII strings and once to pull out the Unicode. But on a large partition, reading the image even once can take a huge amount of time. The good news is we can use some Unix FIFO magic along with the frequently overlooked tee


Strings, Strings, Are Wonderful Things

One of the basics of doing forensics involves gathering the ASCII and Unicode strings in the file system and searching for keywords. Using Linux we can gather the strings for both ASCII and Unicode using the strings command.

To Gather the ASCII Strings

# strings -td /dev/sdb > sdb.ascii

Note: The -td in the above line tells strings to print the offset in decimal for the line.

To Gather the Unicode Strings

# strings -td -el /dev/sdb > sdb.unicode

Note: The -el option will have the strings command handle 16-bit little endian encoding. Strings can handle other types of encoding such as 32-bit big/little endian. See the man page on strings and the -e option.

Below is a sample output from the command:

192301972 This field is deprecated. Deprecated components of Microsoft

... Continue reading Strings, Strings, Are Wonderful Things

Perl and Forensics

Perl is a wonderful tool for forensics. With Perl I can write a short script that can do a variety of repetitive tasks in a short amount of time. I find that if I combine Perl scripts to process my command-line output, I can save myself large amounts of time during an investigation. Plus Perl can be used as a filter for data in that after running the script, I can feed the data into Autopsy or a hexeditor.

In a recent case I was working on, I needed to retrieve several keywords from the unallocated space on a NTFS partition and then review the clusters they were located in with Autopsy. Perl came to the rescue. After running a "strings -td | grep -i -f {keyword file} > keywords.asc" on the blkls file, I used the cut command to trim everything after the offsets. Next, I had to divide the offsets by 4096, as that was the block size, and send the result to blkcalc to get the actual cluster my keyword was located in. With 200 clusters to look at, I did not want to do this by

... Continue reading Perl and Forensics