Sys Forensics Tools

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Any digital forensics practitioner will have a wide variety of tools in their kit. At one end of the spectrum you have single-purpose open source tools like the packet sniffer Wireshark or HashKeeper, a free-to-use program that can speed the examination of database files. At the other end, you have powerful commercial software platforms with multiple functions and slick reporting capabilities like EnCase, or CAINE, an entire Linux distribution dedicated to forensics work.

Today I will present some powerful free tools you can play with:

  • Hex File Headers
  • grep/egrep
  • sort
  • awk
  • sed
  • uniq
  • date
  • Windows findstr

Hex File Header and ASCII Equivalent

File headers (also called magic numbers) identify a file type by examining the first few bytes of its content, typically 4 or 5, in hexadecimal. A table of common headers and their ASCII equivalents is given at the end of this post; comparing the header with the file extension is a quick way to spot a file that is not what its name claims.

grep/egrep

grep's strength is extracting information from text files. grep operates on one or more files given as command line arguments, which may also include wildcards:

Example: grep "John" addressbook

This returns the lines containing the string "John" in the addressbook text file.

Some useful flags:

  • -A N  Print N lines after the match
  • -B N  Print N lines before the match
  • -c  Report the number of matching lines
  • -f FILE  Read one or more patterns from a file, one pattern per line
  • -h  Suppress the file names in the output
  • -i  Ignore case
  • -l  Report matching files, not matching lines
  • -P  Interpret the pattern as a Perl regex
  • -v  Reverse operation: return the lines not matching the string

The egrep (extended grep) utility can be useful to match several possible strings at the same time (in an OR mode):

egrep "John|Peter" addressbook

This is equivalent to grep -E "John|Peter" addressbook. Note that without -E, plain grep treats the | as a literal character rather than as alternation.

sort

sort, as its name implies, will sort the output. There are a few interesting options you can use:

  • -d  Use dictionary order: only letters, digits and blanks are considered
  • -n  Sort the output numerically (instead of as strings)
  • -u  Remove duplicate lines, 'uniquing' the results

awk

awk is an extremely useful tool, especially for parsing data structured in columns. It is straightforward to use for simple purposes. Its basic use is to select some particular columns from the output: column 1 is referred to as $1, column 2 as $2, etc.

Whitespace is the default awk field separator. If you need to parse data separated by some other character, e.g. ":", use the -F flag.

Example: echo "hello:goodbye" | awk -F: '{print $2}'

This returns "goodbye".

sed

sed is an excellent command for character substitution. Example: to substitute the first occurrence of the 'a' character on each line with an 'e':

echo "hallo" | sed 's/a/e/'

The output would be: hello

You can use the g modifier to substitute all instances on the line:

echo "Hallo Janny" | sed 's/a/e/g'

The output would be: Hello Jenny

uniq

The uniq command reads the input and compares adjacent lines. If two or more adjacent lines are identical, all but one is removed.

Here is a list of the most common options used with uniq:

  • -c  Prefix each line with its number of occurrences
  • -f N  Skip the first N fields when comparing
  • -i  Ignore case
  • -s N  Skip the first N characters when comparing
  • -u  Only print lines that are not repeated

Consider this input file (testfile):

a
b
c
b

Now run uniq on it (sorting first, since uniq only compares adjacent lines):

sort testfile | uniq

a
b
c

Now run uniq -c on it:

sort testfile | uniq -c

      1 a
      2 b
      1 c
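The grep, awk, sed, sort and uniq sections above describe each tool on its own; the following is an added example (not from the original post) that chains them for a typical triage task, counting failed SSH logins per source address. The auth-log lines, host name and addresses are constructed for the example.

```shell
# Constructed sshd-style auth log lines (invented host and addresses, not real evidence).
AUTH_LOG='Nov  3 04:00:01 host sshd[2201]: Failed password for root from 203.0.113.5 port 51422 ssh2
Nov  3 04:00:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Nov  3 04:00:07 host sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Nov  3 04:00:09 host sshd[2212]: Failed password for root from 192.0.2.44 port 33010 ssh2
Nov  3 04:00:15 host sshd[2215]: Failed password for root from 203.0.113.5 port 51440 ssh2
Nov  3 04:01:02 host sshd[2230]: Failed password for invalid user test from 192.0.2.44 port 33011 ssh2'

# Failed logins per source address, most frequent first, read from stdin.
# grep selects the events; awk walks the fields to find the word after "from"
# (the column number shifts when "invalid user" is present, so a fixed $N is unreliable);
# sort groups identical addresses so uniq -c can count them; sort -rn orders by count.
failed_by_source() {
    grep "Failed password" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# Same result using sed to cut the address out of the line instead of awk.
failed_by_source_sed() {
    grep "Failed password" \
      | sed 's/.* from \([0-9.]*\) port.*/\1/' \
      | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Distinct usernames attempted, in dictionary order, on one line.
# The optional "invalid user " prefix is matched with \{0,1\} (POSIX BRE).
usernames_tried() {
    grep "Failed password" \
      | sed 's/.*password for \(invalid user \)\{0,1\}\([^ ]*\) from.*/\2/' \
      | sort -d -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: feed the sample to each function.
printf '%s\n' "$AUTH_LOG" | failed_by_source
printf '%s\n' "$AUTH_LOG" | usernames_tried
```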

date

Return the real date from an epoch time: date -d @1284127201

Return an epoch time of 1288756800: date +%s -d "2010-11-03"

Return the date two days ago: date --date="-2 days" +"%Y-%m-%d"

Return 20:00 hours: date -d @1288310401 +%k:%M

Check the date man page for more options.

Windows findstr

The Windows findstr has one interesting feature that differs from grep: to search for multiple strings you separate them with a space, and findstr matches any of them.

For example, to look for a match for WHITE or GREEN in a text file, you write your command like this:

findstr "WHITE GREEN" textfile

To make the search case-insensitive, add /I, which prints all case variants of WHITE or GREEN.

Windows findstr Command List

  • /B  Matches pattern if at the beginning of a line.
  • /E  Matches pattern if at the end of a line.
  • /L  Uses search strings literally.
  • /R  Uses search strings as regular expressions.
  • /S  Searches for matching files in the current directory and all subdirectories.
  • /I  Specifies that the search is not to be case-sensitive.
  • /X  Prints lines that match exactly.
  • /V  Prints only lines that do not contain a match.
  • /N  Prints the line number before each line that matches.
  • /M  Prints only the filename if a file contains a match.
  • /O  Prints character offset before each matching line.
  • /P  Skips files with non-printable characters.

Hex file headers and ASCII equivalents (see the Hex File Header section above):

Filetype    Start (hex)           ASCII translation
ani         52 49 46 46           RIFF
au          2E 73 6E 64           snd
bmp         42 4D F8 A9           BM
bmp         42 4D 62 25           BMp%
bmp         42 4D 76 03           BMv
cab         4D 53 43 46           MSCF
dll         4D 5A 90 00           MZ
Excel       D0 CF 11 E0
exe         4D 5A 50 00           MZP (Inno)
exe         4D 5A 90 00           MZ
flv         46 4C 56 01           FLV
gif         47 49 46 38 39 61     GIF89a
gif         47 49 46 38 37 61     GIF87a
gz          1F 8B 08 08
ico         00 00 01 00
jpeg        FF D8 FF E1
jpeg        FF D8 FF E0           JFIF
jpeg        FF D8 FF FE           JFIF
Linux bin   7F 45 4C 46           ELF
png         89 50 4E 47           PNG
msi         D0 CF 11 E0
mp3         49 44 33 2E           ID3
mp3         49 44 33 03           ID3
OFT         4F 46 54 32           OFT2
PPT         D0 CF 11 E0
PDF         25 50 44 46           %PDF
rar         52 61 72 21           Rar!
swf         43 57 53 06/08        cws
tar         1F 8B 08 00 00
tgz         1F 9D 90 70
Word        D0 CF 11 E0
wmv         30 26 B2 75
zip         50 4B 03 04           PK
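As an added example (not part of the original post), the script below puts the table above to work: it reads the first four bytes of a file with od, maps them to a type using the signatures listed, and flags files whose extension disagrees with their header. The sample files are constructed in a scratch directory; grouping Word, Excel, PowerPoint and MSI under one "ole" name is a simplification made here, since they share the D0 CF 11 E0 header.

```shell
# Read the first four bytes of a file as uppercase hex, e.g. 89504E47 for a PNG.
header_hex() {
    od -An -tx1 -N 4 "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Map a header (values from the table above) to a type name. OLE compound files
# (Word, Excel, PowerPoint, MSI) all start with D0 CF 11 E0, so they report as "ole".
guess_type() {
    case "$1" in
        89504E47*) echo png ;;
        FFD8FF*)   echo jpeg ;;
        47494638*) echo gif ;;
        25504446*) echo pdf ;;
        504B0304*) echo zip ;;
        52617221*) echo rar ;;
        7F454C46*) echo elf ;;
        4D5A*)     echo exe ;;
        1F8B08*)   echo gz ;;
        D0CF11E0*) echo ole ;;
        *)         echo unknown ;;
    esac
}

# Normalise an extension to the same type names so the two can be compared.
ext_type() {
    case "$1" in
        jpg|jpeg) echo jpeg ;;  doc|xls|ppt|msi) echo ole ;;
        so|bin) echo elf ;;     dll) echo exe ;;
        *) echo "$1" ;;
    esac
}

# Print "<name> <claimed> <actual> OK|MISMATCH" for one file. A MISMATCH deserves a
# closer look, e.g. an executable renamed to look like an image.
check_file() {
    claimed=$(ext_type "${1##*.}")
    actual=$(guess_type "$(header_hex "$1")")
    if [ "$claimed" = "$actual" ]; then verdict=OK; else verdict=MISMATCH; fi
    echo "$(basename "$1") $claimed $actual $verdict"
}

# Constructed sample files (headers only, not real documents) in a scratch directory.
SAMPLES="${TMPDIR:-/tmp}/sigcheck.$$"
mkdir -p "$SAMPLES"
printf '\211PNG\r\n\032\n' > "$SAMPLES/photo.png"       # genuine PNG header
printf '\211PNG\r\n\032\n' > "$SAMPLES/report.pdf"      # PNG bytes behind a .pdf name
printf '\177ELF\002\001\001' > "$SAMPLES/invoice.jpg"   # ELF binary renamed to .jpg
printf '%%PDF-1.4\n' > "$SAMPLES/doc.pdf"               # genuine PDF header
for f in "$SAMPLES"/*; do check_file "$f"; done
```

Running it prints one line per sample, with report.pdf and invoice.jpg flagged as MISMATCH.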