Log in

Search All The Strings! - A Geek Raised by Wolves [entries|archive|friends|userinfo]

[ website | My Website ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

[Links:| Browse by Tag LiveJournal Portal Update Journal Logout ]

Search All The Strings! [Jul. 18th, 2013|09:31 pm]

Here's something which is both simple and useful regarding strings. Search all the strings!

For better or worse, the 'strings' program varies widely between operating systems. It flat out doesn't come with Windows, on Linux doesn't search the whole file or for Unicode strings by default, and on OS X simply can't search Unicode strings. What is a forensic examiner to do?

Here's a little wrapper script around the srch_strings program from the Sleuth Kit. It ensures that you get both ASCII and Unicode strings together, search the whole file, and get consistent results on both Linux and OS X. Special thanks to chort for the idea to use srch_strings in the first place. (Sorry Windows users, but there is no pre-built srch_strings binary, which means I can't write a batch script around it.)

To use the script, copy the text below to a new file. I call my mine allstrings.sh. Make it executable

$ chmod 755 allstrings.sh

and then put it in a directory in your PATH. Places like ~/bin or /usr/local/bin should work.

You may need to update the script for your system depending on where srch_strings is installed. You can determine that location using the which command:

$ which srch_strings

If there's no output, you don't have srch_strings installed. See http://www.sleuthkit.org/sleuthkit/download.php to get it directly or, on OS X, get it through MacPorts, http://macports.org/.

If the output is not /opt/local/bin/srch_strings, replace that value in the script with the value you get.

Here's a sample of the script in action. I'm using /usr/bin/awk as a source of both Unicode and ASCII strings. I'm running srch_strings on the whole file, and then searching the whole file for Unicode strings. Finally, I use my script on awk.

$ srch_strings -a /usr/bin/awk | wc -l
$ srch_strings -a -e l /usr/bin/awk | wc -l
$ allstrings.sh /usr/bin/awk | wc -l 

When searching the entire file, the srch_strings program found 929 ASCII strings and then separately187 Unicode strings. Adding these together, 929+187 = 1116, or the number of strings found with the allstrings.sh script.

Although this script can process multiple files on the command line, it can't process standard input.

Okay! Enough talk. Here's the script:


for FILE in "$@"

From: ext_2090038
2013-07-31 11:48 am (UTC)
The use of "strings" in forensics needs to die. It is a horrible, awful, terrible hack that ignores... well, just about _every_ possible nuance of how data exists on disk.

Bulk_extractor 1.4 will soon be released, and it will search for both UTF-8 and UTF-16LE versions of the provided patterns.
(Reply) (Thread)