Here is some of the output from strings.
-1738997801 tornkit version !
-1738862527 tornkit
-1738862552 psyBNC
-1738858480 3 psyBNC
-1738854381 psyBNC
I'm ignoring the "-" and dividing those numbers by the block size (4096) to get the data block number and when I run it through dcat against the dd image I'm not getting any output. However if I use dcat on a strings number that doesn't have a - by it, it works. Any ideas on what is going on?
This time I used autopsy to create the strings and it has created different results, which work. Anyone know the command autopsy uses?
Also I've created known good hashes and want to exclude them in autopsy, but I haven't been able to find out how. Anyone know?
What does your strings command look like that you're using to create your file?
–John
strings.exe -t d image.dd > image.str
I used autopsy and it works so that's good even though the only difference is autopsy used the -a option…
I'm now trying to exclude known good files using autopsy but don't see that option anywhere. Do you know how to do that?
Unfortunately I don't. The '-a' option tells it to scan the entire file instead of just the data portion of the file, which explains the different results under autopsy versus the command line.
strings.exe -t d image.dd > image.str
I used autopsy and it works so that's good even though the only difference is autopsy used the -a option…
Okay, admittedly it's been a while since I used Autopsy, so I may be off base here, but Autopsy will work the strings command on a selected volume. Unless your dd image in the command above is a volume (partition) image, then you are running it on a whole disk, not a volume.
Again, I caveat that with the fact that I have no idea if Autopsy runs strings on the disk (or has that option).
If that's not the culprit (seems too easy), what about character encoding? Autopsy (IIRC) searches for 16 bit little endian ordering using strings. I think you need to pass "-e l" to your command line to get that. Maybe that's the difference.
Again, I may be wrong… My AutopsyFu has grown weak.
Yeah I got it working by using the "-a -t d" options… Now I'm trying to exclude known good files. Do you know how to do that?
Audio,
I am not sure where it is on your system, but autopsy will log all the commands that the GUI runs. I am pretty sure the file is called *.exec.log, where the * is the case agent name. This also depends on where your output file is located. Just do a find / -name *.exec.log and see what you get. This will give you a detailed list of all the commands and switches that were run, and against what file.
On a side note, I usually run strings --radix= imagename. Then divide that number by 4096, or whatever the block size is, to get the block location.
Hope that helps.
Mark
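The offset-to-block arithmetic that the original poster and Mark describe, as an added example that is not code from this thread, from Autopsy or from The Sleuth Kit. It parses `strings -t d` style lines and divides each byte offset by the 4096-byte block size the thread uses. The sample input is constructed from the numbers quoted at the top of the thread plus one made-up positive offset. One assumption is built in and labelled as such: a negative offset is treated as a large unsigned offset that was printed through a 32-bit signed integer, so adding 2**32 recovers the real position; if that assumption holds, simply ignoring the minus sign (the poster's first attempt) points at an unrelated block, which would explain the empty dcat output. The `dcat`/`blkcat` invocation itself is left to the reader.

```python
"""Turn `strings -t d` offsets into filesystem block numbers.

Added example for this thread, not code from the original posts or from
Autopsy / The Sleuth Kit.  The sample lines below are constructed from the
numbers quoted in the thread; the 4096-byte block size is the one the
thread divides by.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BLOCK_SIZE = 4096   # block size used in the thread
WRAP_32 = 2 ** 32   # ASSUMPTION: a negative offset is 32-bit signed wraparound of an offset >= 2 GiB

# Constructed sample of `strings -t d` output: the first four lines are the
# values quoted in the thread, the last is a made-up positive offset.
SAMPLE_STRINGS_OUTPUT = """\
-1738997801 tornkit version !
-1738862527 tornkit
-1738862552 psyBNC
-1738858480 3 psyBNC
    1048576 psyBNC
"""


@dataclass
class StringHit:
    raw_offset: int        # value exactly as strings printed it
    byte_offset: int       # offset after undoing any assumed wraparound
    block: int             # block number to hand to dcat/blkcat
    offset_in_block: int   # where inside that block the string starts
    text: str
    wrapped: bool          # True if the raw value was negative and was corrected


def normalize_offset(raw: int, wrap: int = WRAP_32) -> Tuple[int, bool]:
    """Return (byte_offset, wrapped).

    A negative value cannot be a real file offset.  Under the assumption
    above it is a large unsigned offset rendered as a 32-bit signed int,
    so adding 2**32 recovers the real position.  Dropping the sign instead
    lands on a different, unrelated block.
    """
    if raw >= 0:
        return raw, False
    return raw + wrap, True


def parse_strings_line(line: str, block_size: int = BLOCK_SIZE) -> Optional[StringHit]:
    """Parse one `strings -t d` line of the form '<decimal offset> <text>'."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    try:
        raw = int(parts[0])
    except ValueError:
        return None
    offset, wrapped = normalize_offset(raw)
    return StringHit(
        raw_offset=raw,
        byte_offset=offset,
        block=offset // block_size,
        offset_in_block=offset % block_size,
        text=parts[1],
        wrapped=wrapped,
    )


def parse_strings_output(text: str, block_size: int = BLOCK_SIZE) -> List[StringHit]:
    """Parse a whole strings listing, skipping lines that do not fit the format."""
    hits = []
    for line in text.splitlines():
        hit = parse_strings_line(line, block_size)
        if hit is not None:
            hits.append(hit)
    return hits


def naive_block(raw: int, block_size: int = BLOCK_SIZE) -> int:
    """Block number you get by just ignoring the minus sign (the thread's first attempt)."""
    return abs(raw) // block_size


if __name__ == "__main__":
    for hit in parse_strings_output(SAMPLE_STRINGS_OUTPUT):
        flag = " (sign corrected)" if hit.wrapped else ""
        print(f"block {hit.block:>7} +{hit.offset_in_block:>4}  {hit.text!r}{flag}")
        if hit.wrapped:
            print(f"    ignoring the sign would have pointed at block {naive_block(hit.raw_offset)}")
```

Run it as a script to see the block and in-block offset for each quoted string; for the first line the corrected byte offset is 2555969495, block 624015 at offset 4055, whereas ignoring the sign gives block 424560. When the exec log Mark mentions shows a different block size for the volume, pass it as `block_size` instead of relying on the 4096 default.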