Tag Archives: forensics

by

srch_strings_wrap — history and examples

1 comment

Categories: Forensics, Tags: , ,

I recently took SANS FOR508 with Rob Lee in Las Vegas.  It was a great class and I highly recommend it to everyone interested in Digital Forensics.  I’m new to forensics and learned so much from the class.

One of the topics covered is using the srch_strings command from the Sleuth Kit on a filesystem image to obtain not just the strings within the file, but also the byte offset of each string.  This is done using the “-t d” option:

$ srch_strings -a -t d sda1.img
 7208 vmlinuz-2.2.14-5.0
 7336 System.map-2.2.14-5.0smp
 7464 module-info-2.2.14-5.0
 262176 lost+found
 262196 kernel.h
 262212 System.map-2.2.14-5.0
 262244 module-info-2.2.14-5.0

Then, after obtaining the block size of the filesystem using fsstat, we figure out which block each of these strings is in.  For example, this is an image of a filesystem with 1024 byte blocks, so divide each byte offset by 1024:

Block  String
 7     vmlinuz-2.2.14-5.0
 7     System.map-2.2.14-5.0smp
 7     module-info-2.2.14-5.0
 256   lost+found
 256   kernel.h
 256   System.map-2.2.14-5.0
 256   module-info-2.2.14-5.0

During class, I got tired of opening the calculator to figure out these blocks, so I came up with a little one liner to do everything at once:

$ strings -a -t d sda1.img | tee file | awk '{print $1"/1024"}' | bc | paste - file
7       7208 vmlinuz-2.2.14-5.0
7       7336 System.map-2.2.14-5.0smp
7       7464 module-info-2.2.14-5.0
256     262176 lost+found
256     262196 kernel.h
256     262212 System.map-2.2.14-5.0
256     262244 module-info-2.2.14-5.0

Eventually, I got tired of typing that out and turned it into a script after getting back home after class.  I emailed Rob Lee about it and he put me in touch with Hal Pomeranz, who had been working on a similar script.  Hal and I had some other ideas of where this could be taken, and that’s what eventually became srch_strings_wrap.

In a previous post, I gave an overview of the command line options and functionality, so now I’d just like to show some examples. Continue reading →

by

srch_strings_wrap — forensics tool

No comments yet

Categories: Forensics, Tags: ,

I wrote a tool called srch_strings_wrap (available at GitHub – https://github.com/superponible/Search-Strings-Extension) that extends the functionality of the srch_strings command in the Sleuth Kit.  The idea came from repeatedly having to determine the block that corresponded to the results of srch_strings during FOR508.  I contacted Rob Lee about what I had written and he put me in touch with Hal Pomeranz, who had a similar script and some other ideas.

There are other scripts in my repository that are previous versions of this script, but they are not as fully functional as srch_strings_wrap.

The original srch_strings will pull out the strings within a file and gives the byte offset if requested.  My script srch_strings_wrap will obtain the byte offset, but also will use that byte offset to determine, if available, the block, inode, and filename that string is in.  Several command line options exists for filtering results, modifying output, and automatically carving matched files/inodes/blocks.

Currently, the command line options include:

If no special options are given, srch_strings_wrap can be used in place of srch_strings.

The blocksize of the filesystem can be specified (-b) or automatically determined from the image (-d).  Multiple filesystem images can be given as arguments, but only one full disk image can be specified.  The output can be grouped by file/inode/block (-O) or printed out line by line (default).  It supports custom delimiters (-F) and can output to CSV (-C).  Output can be written, if desired with a header (-H), to a file (-w), to standard out (default), or not at all (-N).  Grep terms can be passed on the command line (-g) or in a dirty word file (-G), with case insensitivity (-i).

If full lookups to the filename layer are not needed, the level can be specified to decrease runtime: byte (-l0, no different from “srch_strings -t d”), block (-l1), inode (-l2), and filename (-l3, the default).  There is an option to autocarve (-A) which will carve out all matching strings at the highest level available.

And if multiple grep searches will be conducted, “srch_strings -a -t d fs.img > output.asc” can be run on an image to capture all the strings and save the output to a file, then -P can be used to accept the output of that file piped in (“cat output.asc | srch_strings_wrap -P -I fs.img“).

See my overview post for some more examples and a little history on the tool.  It should be available in future versions of the SANS Investigative Forensics Toolkit (SIFT) Workstation.

* Link to this post: http://blog.superponible.com/2011/11/17/srch_strings_wrap-forensics-tool/
* Link to the examples: http://blog.superponible.com/2011/11/17/srch_strings_wrap-history-and-examples/
* Link to GitHub repository: https://github.com/superponible/Search-Strings-Extension