whole-disk text-string scanning utility
Hi guys,
Can anyone recommend a Linux utility to scan an entire physical disk (of only 12 GB) for selected text strings, which searches (obviously) not just files and folders but cluster tips and unused space? Something which shows up all instances of hits found, where they are, and preferably has a "search and replace xyz with abc" facility. Many thanks! CC. |
I think you probably want http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step. This is primarily for recovering from corrupt or deleted files.
Not sure it does replace; there's usually no point. You recover first, then fix up if possible. For extant files, try a loop with find & sed. |
If you want to hit unused space et al, you'll probably need a full-on forensic tool.
Been discussed plenty of times - there are even forensic liveCDs. |
You can always search this way:
Code:
dd if=/dev/sda bs=512 skip=<START> count=<RANGE> | hexdump -C | grep <keyword>
# grep sees one 16-byte hexdump line at a time, so a keyword split across two lines is not matched
Replace <START> with the number of the 1st sector to search, <RANGE> with the number of sectors to search, and <keyword> with the string to look for. |
Quote:
Code:
000076b0  2e 66 72 69 68 6f 73 74  2e 63 6f 6d 2f 22 20 63  |.frihost.com/" c|
Probably the best solution is to write a C program and use the image of the whole disk, but I'm not sure why anyone would do this. You could also use:
Code:
find / | grep whatever |
touche!!
In this particular brute-force method, you would need to try several different key words until you established where the file was. Some different hexdump options might help also.... |
I wonder if a hex editor would do the job satisfactorily? Presumably this kind of program can 'see' *everything* on a disk?
|
http://www.forensicswiki.org/wiki/The_Sleuth_Kit
The Sleuth Kit can search for keywords. If that doesn't work for you, check out some of the other forensics tools available: http://www.forensicswiki.org/wiki/Main_Page |
Hey, neat, I didn't know about this kit, now if only they supported more filesystems.
|
No worries. The check is in the mail :)
|
The 'strings' command extracts text from binary data.
The following code scans /dev/sda for strings containing '.jpg' It has to be run as root. Use 'CTRL c' to stop the command. Code:
dd if=/dev/sda | strings -n 4 -t d | grep '\.jpg'
-t d means precede each extracted string with the decimal offset of its first character. (This isn't the offset of '.jpg' unless it's at the start of the string.) I'm using the version of 'strings' supplied with Mandriva. The version supplied with Puppy 4.1.1 does not support '-t d' for decimal offset. It only has '-o', which gives the offset in octal.
n.b. The dd command is dangerous; typing 'of=$device' instead of 'if=$device' can destroy the $device file system. |
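The dd/hexdump pipeline and the dd/strings pipeline above both scan the raw device, but neither gives the exact byte offset of the keyword itself, and grep over hexdump -C output misses a keyword that is split across two 16-byte lines. The script below, an added example written for this thread and not code posted by any participant, does the whole-disk scan the original question asks for: it reads the device in chunks, carries the last len(keyword)-1 bytes across each chunk boundary so straddling hits are still found, reports every hit as byte offset plus sector number (the value you would pass to dd's skip=), and offers the "replace xyz with abc" facility for same-length replacements only, since a raw-disk edit cannot shift bytes without corrupting whatever filesystem structures follow. It assumes a raw block device such as /dev/sda or a dd image of it (reading /dev/sda needs root), and the sample image, keyword and offsets it builds for the demo are constructed for illustration.

```python
"""Whole-disk string scanner with byte/sector offsets and same-length
in-place replacement.

Added example for this thread, not code posted by any participant.
Assumptions: the target is a raw block device such as /dev/sda or a
dd image of it (reading /dev/sda needs root); the keyword is a byte
string; replacement never changes the length of the data, because a
raw disk edit cannot shift bytes without corrupting the filesystem.
"""
import os
import sys
import tempfile

SECTOR = 512                 # bytes per sector, matches dd's default bs
CHUNK = 4 * 1024 * 1024      # bytes read per iteration


def scan(path, needle, chunk=CHUNK):
    """Return the absolute byte offset of every occurrence of `needle`.

    The device is read in chunks, but the last len(needle)-1 bytes of each
    chunk are carried into the next one, so a keyword that straddles a
    chunk boundary (the case a `hexdump -C | grep` pipeline misses when
    the keyword is split across two 16-byte lines) is still reported.
    """
    if not needle:
        raise ValueError("needle must not be empty")
    overlap = len(needle) - 1
    hits = []
    tail = b""    # trailing bytes of the previous chunk
    base = 0      # absolute offset of buf[0]
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            buf = tail + data
            i = buf.find(needle)
            while i >= 0:
                hits.append(base + i)
                i = buf.find(needle, i + 1)   # also report overlapping hits
            keep = min(overlap, len(buf))
            tail = buf[len(buf) - keep:]
            base += len(buf) - keep
    return hits


def describe(hits, sector=SECTOR):
    """Map byte offsets to (offset, sector number, offset within sector),
    the numbers you would feed to dd's skip= to look at the hit."""
    return [(off, off // sector, off % sector) for off in hits]


def replace_in_place(path, old, new):
    """Overwrite every hit of `old` with `new` and return the patched
    offsets. Lengths must match; the file is opened read/write and only
    the hit bytes are rewritten. Never do this on a mounted filesystem."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the original")
    hits = scan(path, old)
    with open(path, "r+b") as f:
        for off in hits:
            f.seek(off)
            f.write(new)
    return hits


# --- constructed sample image so the example runs without a real disk ---
KEYWORD = b".frihost.com"
HIT_OFFSETS = (100, SECTOR - 5, 2 * SECTOR + 7)   # chosen placements


def build_demo_image(path):
    """Write a 3-sector image of zeros with KEYWORD at HIT_OFFSETS: one in
    sector 0, one straddling the sector 0/1 boundary, one in sector 2
    (standing in for slack or unallocated space)."""
    img = bytearray(3 * SECTOR)
    hdr = b"constructed image, not a real filesystem"
    img[0:len(hdr)] = hdr
    for off in HIT_OFFSETS:
        img[off:off + len(KEYWORD)] = KEYWORD
    with open(path, "wb") as f:
        f.write(img)


def demo():
    """Scan the sample image one sector at a time (forcing the boundary
    case), replace the keyword, and return the hit lists:
    (before, patched, hits_of_new_keyword, remaining_old_keyword)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk.img")
        build_demo_image(path)
        before = scan(path, KEYWORD, chunk=SECTOR)
        patched = replace_in_place(path, KEYWORD, b".xxxxxxx.xxx")
        after = scan(path, b".xxxxxxx.xxx", chunk=SECTOR)
        remaining = scan(path, KEYWORD, chunk=SECTOR)
        return before, patched, after, remaining


if __name__ == "__main__":
    if len(sys.argv) == 3:            # e.g. sudo python3 scan.py /dev/sda .jpg
        for off, sec, rem in describe(scan(sys.argv[1], sys.argv[2].encode())):
            print(f"offset {off}  sector {sec}  +{rem}")
    else:
        print(demo())
```

Run it against an image rather than the live device when you intend to replace anything (dd if=/dev/sda of=disk.img first, then scan and patch the image), and keep the device unmounted while writing; the same-length rule is what keeps the edit from shifting directory entries or inode tables that sit after the hit.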
Thanks for the 'strings' command suggestion. I've never heard of it but will certainly check it out. CC. |