Skip to content

srch_strings is a useful tool in digital forensics. Using the "-t d" option will give a byte location for the string. This repository contains two scripts that automatically map the byte location to the filesystem block containing the string.

master
Switch branches/tags
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

README

During FOR508, I kept getting tired of having to divide the byte location of
the string from the output of srch_strings by the block size. I figured
out a way to use bc on the command line on a case-by-case basis, but figured
it'd be easier to just have a couple scripts that could output in that
format. The original result was srch_strings_blk, srch_strings_pipe, and
srch_strings_wrap.sh.

Rob Lee put me in touch with Hal Pomeranz who had a similar idea and we
talked about some additional things to include in the srch_strings_wrap.sh.
I decided to conver the script to perl and added some new functionality.
Those changes became the current srch_strings_wrap which aims to be a complete
wrapper around srch_strings.

- Dave Lassalle, @superponible, dave@superponible.com

==============================================================================

srch_strings_wrap

This script is a wrapper around the regular srch_strings. It will pass all
arguments to srch_strings and execute it normally. The -b or -d option
must be given to enable additional functionality, otherwise it will just run
liek the normal srch_strings. If the -b option is specified, it will
calculate the block that matched using the block size given. If -d is used,
it will use fsstat on the file argument to determine the block size.
If -b or -d is specified but "-t d" is not used, then an error will be
displayed.

Files can be specified, otherwise stdin is used for input.

Other arguments (-H, -F, -C, -O) can be used to modify the output. See the usage
statement by running with -h.

Example:

# srch_strings_wrap -d -a -t d -e l filesystem.img
OR
# srch_strings_wrap -b 4096 -a -t -d -e l filesystem.img

This would be equivalent to

# srch_strings -a -t d -e l filesystem.img | srch_strings_pipe -b 4096

and

# srch_strings -a -t d -e l filesystem.img > strings.out
# srch_strings_blk -i filesystem.img -s strings.out

==============================================================================

srch_strings_blk

This script requires a file as input (-s) which is the output of a
srch_strings command run with the "-t d" option to produce the byte
location of the string in the original file. Additionally, if the
blocksize is known, specify it with -b. Otherwise, the original image file
can be specified with -i and the script will determine the block size
using fsstat

Example:

# srch_strings -a -t d -e l filesystem.img > strings.out
# srch_strings_blk -i filesystem.img -s strings.out
OR
# srch_strings_blk -b 4096 -s strings.out

The script will output to stdout or to the file specified with -o.

Note, if -b and -i are both specified, the argument given in -b will be used.

==============================================================================

srch_strings_pipe

This script can be used in a pipeline following srch_strings. It only
takes the -b argument for the block size and the -o argument for the optional
output file.

Example:

# srch_strings -a -t d -e l filesystem.img | srch_strings_pipe -b 4096

==============================================================================

srch_strings_wrap.sh

This script is a wrapper around the regular srch_strings. It will pass all
arguments to srch_strings and execute it normally. If the -b option is
specified, after running srch_strings, it will calculate the block like the
other scripts do. If -b is not specified, srch_strings will run as it
normally does. If -b is specified but "-t d" is not used, then an
error will be displayed.

Files can be specified, otherwise stdin is used for input.

Example:

# srch_strings_wrap -b 4096 -a -t -d -e l filesystem.img

This would be equivalent to

# srch_strings -a -t d -e l filesystem.img | srch_strings_pipe -b 4096

and

# srch_strings -a -t d -e l filesystem.img > strings.out
# srch_strings_blk -i filesystem.img -s strings.out

About

srch_strings is a useful tool in digital forensics. Using the "-t d" option will give a byte location for the string. This repository contains two scripts that automatically map the byte location to the filesystem block containing the string.

Resources

Releases

No releases published

Packages

No packages published