Re: [Fed-Talk] string search of raw disk
- Subject: Re: [Fed-Talk] string search of raw disk
- From: Joshua Krage <email@hidden>
- Date: Fri, 7 Oct 2005 15:31:36 -0400
- Mail-followup-to: email@hidden
On Fri, Oct 07, 2005 at 11:28:33AM -0700, Peter Link wrote:
> Has anyone found a way to perform a string search of a raw
> disk device? I can use Spotlight to see file content on almost all
Grep won't work since it will only provide a yes/no match response on a
binary file. As a test:
# grep 'Apple' /dev/rdisk0s3
Binary file /dev/rdisk0s3 matches
I chose 'Apple' since I know it appears as plaintext in the disk partition
table.
No free tools (like SleuthKit) work on HFS/HFS+. Commercial forensic tools
such as Guidance Software's Encase and Access Data's Forensic Toolkit (FTK)
can handle it.
A tool like hexedit:
<http://hexedit.darwinports.com/>
should work. This looks like the OSX port of the UNIX/Linux tool of the
same name, so I've used it.
Or a Perl script to read in 512-byte blocks and use a regex to match. Have
it output the block number/offset for viewing in Drive Genius.
Keep in mind that the string you wish to search for may not appear as a
literal string on-disk. Unicode or the file storage format may not be
human-readable without some translation.
If the files were deliberately deleted, such as through the Trash's secure
delete, you may not find them.
If the files have since been overwritten on-disk due to normal filesystem
use, you may not find them.
FileVault adds in additional complications.
--
------------------------------------------------------------------------
F. Joshua Krage, CISSP NASA Goddard Space Flight Center
email@hidden Code 721, IT and Communications Directorate
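The block-by-block search the message sketches (read the device in 512-byte blocks, regex-match each block, print block number and in-block offset for a hex editor or Drive Genius), written out as an added example. It is not code from the original post or its author, and it is in Python rather than the Perl the message suggests. It goes a bit beyond the message on two of the caveats raised there: it also searches the UTF-16 big- and little-endian forms of the string (HFS+ stores file names as UTF-16BE, so a name will not appear as ASCII on disk), and it carries the tail of the previous block forward so a string that straddles a block boundary is not missed, which a naive per-block regex would. The device path, the 512-byte block size and the sample image are assumptions for illustration; the sample image is constructed, not real disk data.

```python
"""Block-wise string search of a raw disk device or image (added example).

Usage: python rawsearch.py /dev/rdisk0s3 Apple   (reading a raw device needs root)
With no arguments it scans a small constructed image instead.
"""
import io
import re
import sys

BLOCK_SIZE = 512  # assumed sector size; raw devices want aligned reads of this size


def encodings_of(needle):
    """Byte patterns to look for: the plain UTF-8/ASCII form plus both UTF-16 byte orders."""
    return {
        "utf-8": needle.encode("utf-8"),
        "utf-16be": needle.encode("utf-16-be"),   # HFS+ catalog file names are stored this way
        "utf-16le": needle.encode("utf-16-le"),
    }


def scan_stream(stream, needle, block_size=BLOCK_SIZE):
    """Search `stream` block by block; return a sorted list of
    (absolute_offset, block_number, offset_in_block, encoding) tuples."""
    patterns = encodings_of(needle)
    # Bytes carried from one block into the next, so a match that starts in
    # block N and ends in block N+1 is still seen as one contiguous string.
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = []
    carry = b""
    block_start = 0  # absolute offset of the first byte of the current block
    while True:
        block = stream.read(block_size)
        if not block:
            break
        buf = carry + block
        buf_start = block_start - len(carry)
        for name, pat in patterns.items():
            for m in re.finditer(re.escape(pat), buf):
                # A match lying entirely inside the carried bytes was already
                # reported while scanning the previous block: skip it.
                if m.end() <= len(carry):
                    continue
                abs_off = buf_start + m.start()
                hits.append((abs_off, abs_off // block_size, abs_off % block_size, name))
        carry = buf[-overlap:] if overlap > 0 else b""
        block_start += len(block)
    hits.sort()
    return hits


def scan_bytes(data, needle, block_size=BLOCK_SIZE):
    """Convenience wrapper for in-memory data (used for the sample image)."""
    return scan_stream(io.BytesIO(data), needle, block_size)


def scan_device(path, needle, block_size=BLOCK_SIZE):
    """Open a raw device node or an image file and scan it."""
    with open(path, "rb") as f:
        return scan_stream(f, needle, block_size)


def build_sample_image():
    """Constructed test image (not real disk data): 0xCC filler with three planted
    copies of 'Apple': plain ASCII straddling the block 0/1 boundary, UTF-16BE in
    block 2, and plain ASCII in block 3."""
    img = bytearray(b"\xcc" * 4 * BLOCK_SIZE)
    img[510:515] = b"Apple"                   # bytes 510..514: crosses into block 1
    be = "Apple".encode("utf-16-be")
    img[1124:1124 + len(be)] = be             # block 2, offset 100
    img[1600:1605] = b"Apple"                 # block 3, offset 64
    return bytes(img)


def main(argv):
    if len(argv) == 3:
        hits = scan_device(argv[1], argv[2])
    else:
        hits = scan_bytes(build_sample_image(), "Apple")
    for off, blk, inblk, enc in hits:
        print(f"offset {off:#010x}  block {blk}  +{inblk}  ({enc})")
    return hits


if __name__ == "__main__":
    main(sys.argv)
```

The sample run reports the ASCII copy at byte 510 (block 0, offset 510) even though only "Ap" sits in block 0, which is the case a per-block regex with no carry-over silently loses. Note also that a UTF-16BE string sitting in zero-filled space will additionally match the UTF-16LE pattern one byte later, so treat the encoding label as a hint and confirm the hit in the hex editor. Current GNU and BSD grep can also do the raw search with `-a -b -o` (treat binary as text, print byte offsets, print only the match), but they report byte offsets rather than the block numbers this script emits for Drive Genius.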