Searching unallocated and slack space for text

Now let’s go back to the original image. The restored disk (or loop-mounted disk image) allowed you to check all the files and directories (the logical view). What about unallocated and slack space (the physical view)? We will now analyze the image itself, since it is a byte-for-byte copy and therefore includes the data in the unallocated areas of the disk, as well as file slack space.

Let’s assume that we have seized this disk from a former employee of a large corporation. The would-be cracker sent a letter to the corporation threatening to unleash a virus in their network. The suspect denies sending the letter. This is a simple matter of finding the text from a deleted file (unallocated space).

First, change back to the directory in which you created the image, whether it was the root’s home directory, or a special one you created.

cd /root/evidence

Now we will use the grep command to search the image for any instance of an expression or pattern. We will use a number of options to make the output of grep more useful. The syntax of grep is normally:

grep -options PATTERN FILE

The first thing we will do is create a list of keywords to search for.

It’s rare we ever want to search evidence for a single keyword, after all.

For our example, let’s use “ransom”, “$50,000” (the ransom amount), and “unleash a virus”. These are some keywords and a phrase that we have decided to use from the original letter received by the corporation. Make the list of keywords (using vi) and save it as /root/evidence/searchlist.txt.

Ensure that each string you want to search for is on a different line.

ransom

$50,000

unleash a virus

Make sure there are NO BLANK LINES IN THE LIST OR AT THE END OF THE LIST!! Now we run the grep command on our image:

grep -aibf searchlist.txt image.disk1 > hits.txt

Looking at the grep command we see that we are asking grep to use the list we created in “searchlist.txt” for the patterns we are looking for. This is specified with the “-f listfile” option. We are telling grep to search image.disk1 for these patterns, and we are redirecting the output to a file called hits.txt, so we can record the output and view it at our leisure. The -a option tells grep to process the file as if it were text, even if it’s binary. The option -i tells grep to ignore upper and lower case. And the -b option tells grep to give us the byte offset of each hit so we can find the line in xxd or one of the graphical hex editors, like GHex.

Once you run the command above, you should have a new file in your current directory called hits.txt. View this file with less or more or any text viewer. Keep in mind that strings might be best for the job. Again, if you use more or less, you run the risk of corrupting your terminal if there are non-ASCII characters. We will simply use cat to stream the entire contents of the file to the standard output. The file hits.txt should give you a list of lines that contain the words in your searchlist.txt file. In front of each line is a number that represents the byte offset for that “hit” in the image file.

cat hits.txt

75441:you and your entire bus__iness ransom.

75500:I have had enough of your mindless corporate piracy and will no longer stand for it. (…)

75767:Don't try anything, and dont contact the cops. If you do, I will unleash a virus that will bring down your whole network and destroy yourconsumer's confidence.

In keeping with our command line philosophy, we will use xxd to display the data found at each byte offset. xxd is a command line hexdump tool, useful for examining files. Do this for each offset in the list of hits. This should yield some interesting results.

xxd -s offset image.disk1 | less

If you want to cheat a little, and use a GUI, try GHex. Find it on the KDE or Gnome menus, or simply type ghex & in a terminal window. It is a standard hex editor. Open the image file and use its “go to byte” function. Type in the byte offset given in your hits.txt file and it should take you to that byte in the hex screen. The ASCII equivalent is displayed on the right.
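The whole procedure, as an added example that is not part of the original guide: a POSIX shell script that builds a small constructed image (zero filler standing in for unallocated space, with fragments of the threatening letter embedded at known offsets), writes the keyword list, runs the grep search described above and dumps the bytes at each hit. The working directory, the image contents and the file names under it are assumptions of this example, not the guide's evidence files.

```shell
#!/bin/sh
# Added example, not from the original guide: a self-contained run of the
# keyword search above against a constructed image. Everything under $WORK
# (image, keyword list, hits file) is an assumption of this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
IMAGE="$WORK/image.disk1"
LIST="$WORK/searchlist.txt"
HITS="$WORK/hits.txt"

# Constructed "disk image": zero filler standing in for unallocated space,
# with fragments of the deleted letter embedded at known offsets.
build_image() {
    {
        dd if=/dev/zero bs=4096 count=1 2>/dev/null                  # bytes 0..4095
        printf 'you and your entire business ransom.\n'               # starts at 4096
        printf 'I demand $50,000 by Friday.\n'                        # starts at 4133
        dd if=/dev/zero bs=512 count=1 2>/dev/null                   # bytes 4161..4672
        printf 'If you do, I will UNLEASH A VIRUS on your network.\n' # starts at 4673
        dd if=/dev/zero bs=1024 count=1 2>/dev/null
    } > "$IMAGE"
}

# One search string per line. No blank lines: an empty pattern matches every
# line, which on a raw image means most of the image ends up in hits.txt.
make_list() {
    printf 'ransom\n$50,000\nunleash a virus\n' > "$LIST"
}

# The search from the guide (-a: treat binary as text, -i: ignore case,
# -b: byte offsets, -f: patterns from a file) plus two extras:
#   -F  treat list entries as literal strings, so "$50,000" is never read as
#       a regular expression;
#   -o  make -b report the offset of the matched text itself instead of the
#       start of the "line" it sits in.
# LC_ALL=C keeps grep from treating the image as broken multibyte text.
search_image() {
    LC_ALL=C grep -aibFo -f "$LIST" "$IMAGE" > "$HITS" || true
    cat "$HITS"
}

# The guide's exact form, without -o, for comparison: each offset is where
# the matching "line" begins, i.e. just after the previous newline, which on
# an image can be thousands of bytes (here, runs of NULs) before the text.
line_offsets() {
    LC_ALL=C grep -aibF -f "$LIST" "$IMAGE" | tr -d '\000' | cut -d: -f1
}

# Raw bytes at an offset, to confirm a hit lands where grep said it does.
text_at() {
    dd if="$IMAGE" bs=1 skip="$1" count="$2" 2>/dev/null
}

# Hex view at an offset, as with "xxd -s offset image.disk1 | less" above;
# od is the fallback when xxd (shipped with vim) is not installed.
context_at() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -s "$1" -l 64 "$IMAGE"
    else
        dd if="$IMAGE" bs=1 skip="$1" count=64 2>/dev/null | od -A d -c
    fi
}

build_image
make_list
echo "== hits (offset:match) =="
search_image
echo "== same search without -o: offset of each matching line =="
line_offsets
# Walk hits.txt and dump the bytes at every hit, as the guide does by hand.
while IFS=: read -r offset _; do
    echo "== offset $offset =="
    context_at "$offset"
done < "$HITS"
```

On this image the search reports 4125:ransom, 4142:$50,000 and 4691:UNLEASH A VIRUS, and dumping the bytes at those offsets shows the matched text. The guide's form without -o reports 0, 4133 and 4161 instead: -b alone gives the offset of the start of the matching line, and on a raw image a "line" runs back to the previous newline, which may be far from the text you want to look at in xxd. Add -o when you want the offset of the match itself, and -F when the list contains literal strings with characters that are special in regular expressions.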
