Session 08 - Searching for Text

Requirements:

  • A Linux machine
  • Sleuthkit installed on the Linux machine
  • practical.floppy.dd (Grundy's Tutorial)

Find the Threatening Document

There is a threatening document somewhere in the image file. You have been told through other sources that it contains a typo, the misspelt word "concearn", so the plan is to search the raw image for that misspelling and then recover the file around it. The tool for the first step is strings, which prints every run of printable characters in a file; with -t d it prefixes each run with its decimal byte offset into the image, and that offset is what the later steps work from. See the manual page for this command for more information. It is very powerful and a good tool to master.

$ strings -td ~/practical.floppy.dd | grep concearn

Note: I'm assuming here that you've left the ~/analysis/ directory from earlier in place; if not, create it, and if it does exist make sure it's clear of clutter. I'm also assuming that the practical.floppy.dd file is in your home directory. As usual, if this is not the case, either adapt the paths in the commands accordingly or move practical.floppy.dd to your home directory.


Thanks to the -t d option, strings prints the match with its decimal byte offset into the image (75343 in the example below). ifind does not take byte offsets, it takes data unit addresses, so you have to divide the byte offset by the size of a data unit. On this floppy image a data unit is a 512-byte sector (fsstat on the image will confirm the size; do not assume 512 on other images). bc does integer division by default, so 75343/512 gives 147, and the remainder (79 bytes) tells you how far into sector 147 the match starts.

$ echo "75343/512" | bc


Use ifind with the data unit calculated above to find the inode (directory entry) that owns that unit. If ifind reports that no inode owns the unit, the text lives in unallocated space and there is no file to recover with icat; you would have to copy the data unit out directly instead.

$ ifind -d 147 ~/practical.floppy.dd


Copy out the data belonging to the inode found above using icat and save it to the analysis directory. The -r option tells icat to recover a deleted file, i.e. to follow the file's data even though its directory entry is no longer allocated; it does no harm if the file turns out to be allocated.

$ icat -r ~/practical.floppy.dd 2038 > ~/analysis/threat.txt


Have a look at the recovered data to see whether you have found something useful or interesting.

$ less ~/analysis/threat.txt
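The whole procedure above, from the strings hit to the recovered file, as one shell script. This is an added example and not part of the original tutorial; it assumes Sleuthkit's strings, ifind and icat are on the PATH when it is run against an image, that the data unit size is 512 bytes unless you pass another one (check with fsstat), and the function names unit_of, unit_rem and carve_hits and the hit_* output file names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: string search -> byte offset
# -> data unit -> inode -> recovered file, with the offset maths done for you.
# Requires Sleuthkit (strings, ifind, icat) when run against a real image.

# unit_of BYTE_OFFSET UNIT_SIZE: data unit containing the byte. Integer
# division, the same thing "echo 75343/512 | bc" does (75343 512 -> 147).
unit_of() {
    echo $(( $1 / $2 ))
}

# unit_rem BYTE_OFFSET UNIT_SIZE: how far into that unit the hit starts
# (75343 512 -> 79).
unit_rem() {
    echo $(( $1 % $2 ))
}

# carve_hits IMAGE PATTERN [UNIT_SIZE] [OUTDIR]
# Search IMAGE for PATTERN and map every hit back to the file that owns it.
# UNIT_SIZE defaults to 512 (assumption: the sector size fsstat reports is
# the unit ifind -d expects, as on this floppy). OUTDIR defaults to ~/analysis.
carve_hits() {
    image=$1; pattern=$2; unit_size=${3:-512}; outdir=${4:-$HOME/analysis}
    mkdir -p "$outdir"
    # strings -t d prints "<decimal offset> <text>"; read splits off the offset.
    strings -td "$image" | grep -- "$pattern" | while read -r offset rest; do
        unit=$(unit_of "$offset" "$unit_size")
        rem=$(unit_rem "$offset" "$unit_size")
        inode=$(ifind -d "$unit" "$image")
        echo "offset $offset -> unit $unit (+$rem bytes) -> inode: $inode"
        case $inode in
            # ifind prints a bare number on success; anything else means no
            # allocated or deleted file owns this unit (unallocated space).
            *[!0-9]*|"") echo "  no owner for unit $unit, nothing to icat" ;;
            *) icat -r "$image" "$inode" > "$outdir/hit_${offset}_inode_${inode}.bin" ;;
        esac
    done
}

# Run the pipeline only when invoked with arguments, e.g.
#   sh find_text.sh ~/practical.floppy.dd concearn
if [ $# -ge 2 ]; then
    carve_hits "$@"
fi
```

The functions are kept separate from the pipeline so the arithmetic can be checked on its own; with the tutorial's numbers, unit_of 75343 512 gives 147 and unit_rem gives 79, matching the bc step above. Each hit is written to its own file named after the offset and inode, so several matches in different files do not overwrite each other.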

And you're done!