I recently took SANS FOR508 with Rob Lee in Las Vegas. The latest version of SIFT, 2.12, contains a few scripts I wrote, and Rob asked me to write a post for the blog going over their functionality. The scripts add on to the functionality provided by The Sleuth Kit's srch_strings to give additional information on string matches and to automatically carve out matching files or blocks. The scripts are located in /usr/local/bin and are as follows:

- srch_strings_wrap.sh (the initial version of the perl script srch_strings_wrap).
- srch_strings_wrap (note that in SIFT 2.12 this file's permissions will need to be changed to 755; there are also a couple of bugs in the SIFT version, one affecting auto-carving and the other grepping, so be sure to download the latest version).

While they can be found in SIFT, you can also get them from my GitHub repository. Read on for more information on how to use these scripts.

For those familiar with the class, one of the areas covered is string searching through an image using srch_strings from The Sleuth Kit to obtain the byte offset of each matching string. Then, after obtaining the block size of the filesystem with fsstat, we figure out which block each of those strings is in. For example, this is an image of a filesystem with 1024-byte blocks, so divide each byte offset by 1024 and drop the remainder to get the block:

Block    String

During class, I got tired of opening the calculator to figure out these blocks, so I came up with a little one-liner to do everything at once:

Eventually, I got tired of typing that out and turned it into a script when I got back home. That script turned into the three initial shell scripts I created, which I'll give a brief overview of below.

If you're used to running srch_strings and just want to get the block for all the matches, you can use srch_strings_pipe:

The srch_strings_blk command is very similar, but instead runs against the output of srch_strings that has previously been dumped to a file. With this command, I built in a check for the block size so it doesn't need to be specified. Instead, you point to the original image the strings dump came from:

The last original script, srch_strings_wrap.sh, is a rudimentary version of the current srch_strings_wrap. It accepts the -b argument to specify the block size. If that is not given, it behaves exactly like srch_strings. If -b is given, it prints out the block as the previous two scripts do:

These scripts write to temporary files and definitely aren't the best or most efficient. They can be found in my GitHub and in SIFT, and they are what I initially came up with and presented to Rob. He put me in touch with Hal Pomeranz, who had been talking about doing something similar. After a few emails about some additional functionality, I switched the code over to perl and created what became the current srch_strings_wrap.
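The offset-to-block arithmetic and the carving step that follows from it, as an added shell example. This is not one of the author's srch_strings_* scripts and is not code from SIFT; the function names (offset_to_block, carve_block, search_image, make_sample_image) and the sample image with its CONFIDENTIAL_MEMO marker are assumptions made for this illustration. Two caveats a practitioner should keep in mind: the block printed is the one holding the first byte of the string, so a string that straddles a block boundary continues into the next block; and the offsets srch_strings reports are relative to the start of the file it reads, so the division only yields a filesystem block number when the input is a filesystem image (or the partition's starting offset has been subtracted first).

```shell
#!/bin/sh
# Added example, not the author's srch_strings_* scripts: compute the filesystem
# block of each srch_strings hit and carve that block out of the image.
# Function names and the sample data are assumptions made for this example.

# offset_to_block BLOCKSIZE
# Reads "<decimal offset> <string>" lines, i.e. the format of
# `srch_strings -a -t d image` (or GNU `strings -a -t d`), from stdin and
# prints "<block> <offset> <string>". Block = offset / blocksize with the
# remainder dropped, which is what the post does by hand.
offset_to_block() {
    bs="$1"
    awk -v bs="$bs" '
        { sub(/^[[:space:]]+/, "")      # strip the padding that strings -t emits
          print int($1 / bs), $0 }      # int() truncates: 3100/1024 -> 3
    '
}

# carve_block IMAGE BLOCKSIZE BLOCK OUTFILE
# Copies exactly one block out of the image with dd (blkcat from TSK does the
# same job; dd is used here because it is always present).
carve_block() {
    dd if="$1" of="$4" bs="$2" skip="$3" count=1 2>/dev/null
}

# search_image IMAGE BLOCKSIZE PATTERN
# The whole pipeline: string search, case-insensitive grep, block lookup.
# Take BLOCKSIZE from `fsstat IMAGE`; offsets are relative to the start of the
# file read, so IMAGE must be a filesystem image, not a whole-disk image.
search_image() {
    if command -v srch_strings >/dev/null 2>&1; then tool=srch_strings; else tool=strings; fi
    "$tool" -a -t d "$1" | grep -i -- "$3" | offset_to_block "$2"
}

# make_sample_image PATH
# Constructed test data: an 8 KiB zero-filled "filesystem" with 1024-byte
# blocks and one marker string written at byte offset 3100, i.e. in block 3.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=1024 count=8 2>/dev/null
    printf 'CONFIDENTIAL_MEMO' | dd of="$1" bs=1 seek=3100 conv=notrunc 2>/dev/null
}

# Usage: sh blocks.sh demo
if [ "${1:-}" = "demo" ]; then
    img=$(mktemp) && make_sample_image "$img"
    search_image "$img" 1024 confidential          # prints: 3 3100 CONFIDENTIAL_MEMO
    carve_block "$img" 1024 3 "$img.blk3" && ls -l "$img.blk3"
    rm -f "$img" "$img.blk3"
fi
```

The same block number can be fed to TSK directly (blkcat image 3, with -f for the filesystem type) when you want the block through the same parser that produced the fsstat block size, and to icat after a blkls/ifind lookup when you want the whole file rather than a single block.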