Keven Murphy

Strings, Strings, Are Wonderful Things

May 5, 2009

One of the basics of doing forensics involves gathering the ASCII and Unicode strings in the file system and searching for keywords. Using Linux we can gather the strings for both ASCII and Unicode using the strings command.

To Gather the ASCII Strings

# strings -td /dev/sdb > sdb.ascii

Note: The "-td" in the above line tells strings to print the offset in decimal for the line.

To Gather the Unicode Strings

# strings -td -el /dev/sdb > sdb.unicode

Note: The "-el" option will have the strings command handle 16-bit little endian encoding. Strings can handle other types of encoding such as 32-bit big/little endian. See the man page on strings and the -e option.

Below is a sample output from the command:

192301896     <member name="F:Microsoft.DirectX.DirectPlay.Address.FlowControlNone">
192301972       <summary>This field is deprecated. Deprecated components of Microsoft DirectX 9.0 for Managed Code are considered obsolete. While these components are still supported in this release of DirectX 9.0 for Managed Code, they may be removed in the future. When writing new applications, you should avoid using these deprecated components. When modifying existing applications, you are strongly encouraged to remove any dependency on these components.Deprecated.</summary>
192302446     </member>
192302461     <member name="F:Microsoft.DirectX.DirectPlay.Address.FlowControlRtsDtr">
192302539       <summary>This field is deprecated. Deprecated components of Microsoft DirectX 9.0 for Managed Code are considered obsolete. While these components are still supported in this release of DirectX 9.0 for Managed Code, they may be removed in the future. When writing new applications, you should avoid using these deprecated components. When modifying existing applications, you are strongly encouraged to remove any dependency on these components.Deprecated.</summary>
192303013     </member>
192303028     <member name="F:Microsoft.DirectX.DirectPlay.Address.FlowControlXonXoff"SZDD

Now that we have the output we can use a variety of tools to search for keywords in the output files. Some examples are:

grep -i keyword sdb.ascii > sdb.ascii.keyword

"-i" tells grep to ignore case. This is a pretty useful option, as we do not always know how the keyword will be capitalized.

grep -i -f keywords.txt sdb.ascii > sdb.ascii.keywords

The "-f" option in the above command allows you to create a keyword file with all of the keywords you are looking for.

egrep --color -i -f keywords.txt sdb.ascii

Egrep is equivalent to doing a "grep -E". It allows for extended regular expressions, which in itself is another topic. The key thing to pick up on in the above command is the --color option. This will print any matching keyword in a different color. On my Fedora systems, the keyword is in red. One thing to note: if you pipe egrep output to another command or redirect the output to a file, you will lose the color on matching text. It is a nice command to get a keyword to pop out when doing a quick search.

• Perl programs like https://blogs.sans.org/computer-forensics/2008/12/03/perl-and-forensics/ and http://www.citadelsystems.net/index.php/forensics-tools/36-word-search/53-wordsearchpl

Offset Math

Sometimes you want to take a closer look at the clusters/blocks for where your keyword was found. Using the offsets listed in the strings output you can quickly figure out where the keyword is in the drive or file. For example:

192303028     <member name="F:Microsoft.DirectX.DirectPlay.Address.FlowControlXonXoff"SZDD

The offset here is 192303028 for our DirectX keyword. For this NTFS file system, the cluster size is 4096 bytes. To figure out which cluster DirectX is in do:

Offset / cluster size or

192303028 / 4096 = 46948.981445312 or cluster 46948

If you wanted the sector where the keyword is located:

192303028 / 512 = 375591.8515625 or sector 375591

Figuring Out Cluster Size

You can use the "ntfsinfo" command to figure out the cluster size for an NTFS file system. To do this use:

# ntfsinfo --mft   /dev/sda1
Volume Information
Name of device: /dev/sda1
Device state: 11
Volume Name:
Volume State: 1
Volume Version: 3.1
Sector Size: 512
Cluster Size: 4096
Volume Size in Clusters: 13181323

In the above output, the "Sector Size" and "Cluster Size" lines list the sector size and the cluster size.

For Linux the block size can be found with the "tune2fs" command. I have piped it out to grep as the output can be lengthy.

# tune2fs -l /dev/sda2 | grep Block
Block count:              12799788
Block size:               4096
Blocks per group:         32768

Again, the block size is on the "Block size" line.
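The keyword search and the offset math above, combined into one step. This is an added example, not part of the original post; the function names `locate_hits` and `sample_strings_output` are made up for illustration. It goes one step beyond the post with an optional file system start offset (an assumption of this example): when strings is run against a whole disk such as /dev/sdb, the offsets count from the start of the disk, while cluster numbers count from the start of the file system.

```shell
#!/bin/sh
# Added example: turn keyword hits in `strings -td` output into sector and
# cluster numbers using the offset math from the post.

# locate_hits KEYWORD CLUSTER_SIZE [SECTOR_SIZE] [FS_START]
#   stdin    : `strings -td` output (decimal offset, blanks, then the string)
#   FS_START : assumed byte offset of the file system on the device that
#              strings read; leave at 0 when strings ran on the partition.
locate_hits() {
    keyword=$1
    cluster_size=$2
    sector_size=${3:-512}
    fs_start=${4:-0}

    # -i ignores case as in the post; -F treats the keyword as a literal.
    # grep sees the whole line, so an all-digit keyword can also match offsets.
    grep -i -F -e "$keyword" | while read -r off rest; do
        # Skip anything that does not start with a decimal offset.
        case $off in
            '' | *[!0-9]*) continue ;;
        esac
        # A hit located before the file system has no cluster number.
        [ "$off" -ge "$fs_start" ] || continue
        rel=$((off - fs_start))
        # sector is counted from the start of the device, cluster from the
        # start of the file system.
        printf 'offset=%s sector=%s cluster=%s byte_in_cluster=%s\n' \
            "$off" "$((off / sector_size))" \
            "$((rel / cluster_size))" "$((rel % cluster_size))"
    done
}

# Four lines taken from the sample strings output shown earlier in the post.
sample_strings_output() {
    cat <<'EOF'
192302446     </member>
192302461     <member name="F:Microsoft.DirectX.DirectPlay.Address.FlowControlRtsDtr">
192303013     </member>
192303028     <member name="F:Microsoft.DirectX.DirectPlay.Address.FlowControlXonXoff"SZDD
EOF
}

# Cluster size 4096 as reported by ntfsinfo; default 512-byte sectors.
sample_strings_output | locate_hits directx 4096
```

On a real run, replace the sample input with the strings output file, for example `locate_hits directx 4096 < sdb.ascii`.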

There you have it, the basics of using the strings command and how to calculate the cluster/block/sector for where the keyword can be found.

Keven Murphy, GCFA Gold #24, is the Senior Forensics Specialist for a Fortune 100 defense contractor.
