I recently took SANS FOR508 with Rob Lee in Las Vegas. It was a great class and I highly recommend it to everyone interested in Digital Forensics. I’m new to forensics and learned so much from the class.
One of the topics covered is using the srch_strings command from the Sleuth Kit on a filesystem image to obtain not just the printable strings in the image, but also the byte offset of each string. This is done using the “-t d” option (offsets printed in decimal):

$ srch_strings -a -t d sda1.img
   7208 vmlinuz-2.2.14-5.0
   7336 System.map-2.2.14-5.0smp
   7464 module-info-2.2.14-5.0
 262176 lost+found
 262196 kernel.h
 262212 System.map-2.2.14-5.0
 262244 module-info-2.2.14-5.0
Then, after obtaining the block size of the filesystem using fsstat, we figure out which block each of these strings is in. For example, this is an image of a filesystem with 1024-byte blocks, so divide each byte offset by 1024 (integer division, discarding the remainder):

Block   String
7       vmlinuz-2.2.14-5.0
7       System.map-2.2.14-5.0smp
7       module-info-2.2.14-5.0
256     lost+found
256     kernel.h
256     System.map-2.2.14-5.0
256     module-info-2.2.14-5.0
During class, I got tired of opening the calculator to figure out these blocks, so I came up with a little one liner to do everything at once:
$ strings -a -t d sda1.img | tee file | awk '{print $1"/1024"}' | bc | paste - file
7          7208 vmlinuz-2.2.14-5.0
7          7336 System.map-2.2.14-5.0smp
7          7464 module-info-2.2.14-5.0
256      262176 lost+found
256      262196 kernel.h
256      262212 System.map-2.2.14-5.0
256      262244 module-info-2.2.14-5.0
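The same offset-to-block mapping as a small Python script, added here as an example (it is not the author's srch_strings_wrap and not part of the original post). Unlike the awk/bc one-liner it also reports the offset of each string inside its block, keeps strings that contain spaces intact, and groups hits by block; the input below is constructed from the offsets shown above plus one made-up multi-word string.

```python
import re
from typing import Dict, Iterator, List, NamedTuple

# Constructed sample of `srch_strings -a -t d` output: the offsets from the
# post, plus one multi-word string (not from the post) to show that a line is
# split only at the first space after the offset.
SAMPLE_OUTPUT = """\
   7208 vmlinuz-2.2.14-5.0
   7336 System.map-2.2.14-5.0smp
 262176 lost+found
 262196 kernel.h
 262212 System.map-2.2.14-5.0
 300000 note to self: check this later
"""

class Hit(NamedTuple):
    block: int      # filesystem block number (what you would hand to blkcat)
    in_block: int   # byte offset of the string inside that block
    offset: int     # absolute byte offset as reported by srch_strings
    text: str       # the string itself

# "<optional spaces><decimal offset><one space><string>"
LINE_RE = re.compile(r"^\s*(\d+)\s(.*)$")

def map_strings_to_blocks(output: str, block_size: int) -> Iterator[Hit]:
    """Map each `srch_strings -t d` line to (block, in-block offset, text).

    block_size is the value reported by fsstat (1024 for the image in the
    post). Lines that do not start with a decimal offset are skipped.
    """
    if block_size <= 0:
        raise ValueError("block size must be positive")
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1))
        block, in_block = divmod(offset, block_size)
        yield Hit(block, in_block, offset, m.group(2))

def group_by_block(output: str, block_size: int) -> Dict[int, List[str]]:
    """Collect the strings found in each block so hits that share a block
    can be reviewed together before pulling that block from the image."""
    grouped: Dict[int, List[str]] = {}
    for hit in map_strings_to_blocks(output, block_size):
        grouped.setdefault(hit.block, []).append(hit.text)
    return grouped

if __name__ == "__main__":
    for hit in map_strings_to_blocks(SAMPLE_OUTPUT, 1024):
        print(f"{hit.block:>6} {hit.in_block:>5} {hit.offset:>8} {hit.text}")
```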
Eventually, I got tired of typing that out and turned it into a script after getting back home after class. I emailed Rob Lee about it and he put me in touch with Hal Pomeranz, who had been working on a similar script. Hal and I had some other ideas of where this could be taken, and that’s what eventually became srch_strings_wrap.
In a previous post, I gave an overview of the command line options and functionality, so now I’d just like to show some examples.