I wrote a tool called srch_strings_wrap (available at GitHub – https://github.com/superponible/Search-Strings-Extension) that extends the functionality of the srch_strings command in the Sleuth Kit.  The idea came from repeatedly having to determine the block that corresponded to the results of srch_strings during FOR508.  I contacted Rob Lee about what I had written and he put me in touch with Hal Pomeranz, who had a similar script and some other ideas.

There are other scripts in my repository that are previous versions of this script, but they are not as fully functional as srch_strings_wrap.

The original srch_strings pulls out the strings within a file and gives the byte offset if requested.  My script srch_strings_wrap obtains the byte offset, but also uses that byte offset to determine, if available, the block, inode, and filename that the string is in.  Several command line options exist for filtering results, modifying output, and automatically carving matched files/inodes/blocks.

Currently, the command line options include:

If no special options are given, srch_strings_wrap can be used in place of srch_strings.

The blocksize of the filesystem can be specified (-b) or automatically determined from the image (-d).  Multiple filesystem images can be given as arguments, but only one full disk image can be specified.  The output can be grouped by file/inode/block (-O) or printed out line by line (default).  It supports custom delimiters (-F) and can output to CSV (-C).  Output can be written to a file (-w), to standard out (default), or suppressed entirely (-N), optionally with a header (-H).  Grep terms can be passed on the command line (-g) or in a dirty word file (-G), with case insensitivity (-i).

If full lookups to the filename layer are not needed, the level can be specified to decrease runtime: byte (-l0, no different from “srch_strings -t d”), block (-l1), inode (-l2), and filename (-l3, the default).  There is an option to autocarve (-A) which will carve out all matching strings at the highest level available.

If multiple grep searches will be conducted, “srch_strings -a -t d fs.img > output.asc” can be run once on an image to capture all the strings and save the output to a file; -P then accepts that saved output piped in (“cat output.asc | srch_strings_wrap -P -I fs.img”).
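As an added illustration of the byte-offset to block to inode to filename chain that the levels above describe (my own sketch for this post, not the code of srch_strings_wrap itself), assuming a 4096-byte blocksize, a placeholder image name fs.img, and the Sleuth Kit's ifind/ffind on the PATH:

```python
import re
import shutil
import subprocess

# Constructed sample of "srch_strings -a -t d fs.img" output (decimal byte
# offset, a space, then the string); not real output from any image.
SAMPLE_OUTPUT = """\
   8264 lost+found
  12345 password=changeme
  12400 user=alice
2101248 BEGIN RSA PRIVATE KEY
"""

LINE_RE = re.compile(r"^\s*(\d+) (.*)$")

def parse_srch_strings(text):
    """Level 0: turn 'srch_strings -t d' lines into (byte_offset, string) pairs."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((int(m.group(1)), m.group(2)))
    return hits

def group_by_block(hits, blocksize, grep=None, ignore_case=False):
    """Level 1: byte offset -> block (offset // blocksize), with -g/-i style filtering."""
    groups = {}
    for off, s in hits:
        if grep is not None:
            hay, needle = (s.lower(), grep.lower()) if ignore_case else (s, grep)
            if needle not in hay:
                continue
        groups.setdefault(off // blocksize, []).append((off, s))
    return groups

def lookup_chain(image, block, part_offset=None):
    """Levels 2 and 3: block -> inode (ifind -d) -> filename (ffind).
    Returns (inode, filename); None means that layer could not be resolved."""
    if not (shutil.which("ifind") and shutil.which("ffind")):
        return (None, None)  # Sleuth Kit not installed: stop at the block layer
    opt = ["-o", str(part_offset)] if part_offset is not None else []
    r = subprocess.run(["ifind", *opt, "-d", str(block), image],
                       capture_output=True, text=True)
    inode = r.stdout.strip()
    # Assumption: ifind reports an unallocated block as "Inode not found".
    if r.returncode != 0 or not inode or inode.startswith("Inode not found"):
        return (None, None)
    r = subprocess.run(["ffind", *opt, image, inode], capture_output=True, text=True)
    return (inode, r.stdout.strip() if r.returncode == 0 else None)
```

Calling `lookup_chain("fs.img", block)` for each key of `group_by_block(...)` reproduces the -l3 lookup; the grep filter is applied before the (slow) ifind/ffind step, which is why the -g/-G options cut runtime so much.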

See my overview post for some more examples and a little history on the tool.  It should be available in future versions of the SANS Investigative Forensics Toolkit (SIFT) Workstation.

* Link to this post: http://blog.superponible.com/2011/11/17/srch_strings_wrap-forensics-tool/
* Link to the examples: http://blog.superponible.com/2011/11/17/srch_strings_wrap-history-and-examples/
* Link to GitHub repository: https://github.com/superponible/Search-Strings-Extension