During FOR508, I kept getting tired of having to divide the byte location of the string from the output of srch_strings by the block size. I figured out a way to use bc on the command line on a case-by-case basis, but figured it'd be easier to just have a couple scripts that could output in that format. The original result was srch_strings_blk, srch_strings_pipe, and srch_strings_wrap.sh. Rob Lee put me in touch with Hal Pomeranz who had a similar idea and we talked about some additional things to include in the srch_strings_wrap.sh. I decided to conver the script to perl and added some new functionality. Those changes became the current srch_strings_wrap which aims to be a complete wrapper around srch_strings. - Dave Lassalle, @superponible, dave@superponible.com ============================================================================== srch_strings_wrap This script is a wrapper around the regular srch_strings. It will pass all arguments to srch_strings and execute it normally. The -b or -d option must be given to enable additional functionality, otherwise it will just run liek the normal srch_strings. If the -b option is specified, it will calculate the block that matched using the block size given. If -d is used, it will use fsstat on the file argument to determine the block size. If -b or -d is specified but "-t d" is not used, then an error will be displayed. Files can be specified, otherwise stdin is used for input. Other arguments (-H, -F, -C, -O) can be used to modify the output. See the usage statement by running with -h. Example: # srch_strings_wrap -d -a -t d -e l filesystem.img OR # srch_strings_wrap -b 4096 -a -t -d -e l filesystem.img This would be equivalent to # srch_strings -a -t d -e l filesystem.img | srch_strings_pipe -b 4096 and # srch_strings -a -t d -e l filesystem.img > strings.out # srch_strings_blk -i filesystem.img -s strings.out ============================================================================== srch_strings_blk This script requires a file as input (-s) which is the output of a srch_strings command run with the "-t d" option to produce the byte location of the string in the original file. Additionally, if the blocksize is known, specify it with -b. Otherwise, the original image file can be specified with -i and the script will determine the block size using fsstat Example: # srch_strings -a -t d -e l filesystem.img > strings.out # srch_strings_blk -i filesystem.img -s strings.out OR # srch_strings_blk -b 4096 -s strings.out The script will output to stdout or to the file specified with -o. Note, if -b and -i are both specified, the argument given in -b will be used. ============================================================================== srch_strings_pipe This script can be used in a pipeline following srch_strings. It only takes the -b argument for the block size and the -o argument for the optional output file. Example: # srch_strings -a -t d -e l filesystem.img | srch_strings_pipe -b 4096 ============================================================================== srch_strings_wrap.sh This script is a wrapper around the regular srch_strings. It will pass all arguments to srch_strings and execute it normally. If the -b option is specified, after running srch_strings, it will calculate the block like the other scripts do. If -b is not specified, srch_strings will run as it normally does. If -b is specified but "-t d" is not used, then an error will be displayed. Files can be specified, otherwise stdin is used for input. Example: # srch_strings_wrap -b 4096 -a -t -d -e l filesystem.img This would be equivalent to # srch_strings -a -t d -e l filesystem.img | srch_strings_pipe -b 4096 and # srch_strings -a -t d -e l filesystem.img > strings.out # srch_strings_blk -i filesystem.img -s strings.out
superponible/Search-Strings-Extension
srch_strings is a useful tool in digital forensics. Using the "-t d" option will give a byte location for the string. This repository contains two scripts that automatically map the byte location to the filesystem block containing the string.
Perl