Using strings.exe on a .dd ram image


Oct 3, 2008
#1
Hello,

I am trying to retrieve processes, threads or any information which might be relevant to a forensic investigation by using strings.exe on a .dd physical memory image. The only problem I am having is there are little to no tutorials on how to do this, so does anyone here have any links to any?

When I run the command
Code:
strings -u image.dd
stuff keeps flying down the screen which is mostly gibberish.

Thanks!
 

athulin

Oct 18, 2007
#2
Dr-Zoidberg said:
I am trying to retrieve processes, threads or any information which might be relevant to a forensic investigation by using strings.exe on a .dd physical memory image. The only problem I am having is there are little to no tutorials on how to do this, so does anyone here have any links to any?
Don't know strings.exe -- I am assuming some Windows relative of the Unix strings command. I also assume a Windows memory dump as input.

I would not use strings(1) to get at any information that does not happen to be stored in textual (string) form. Process records do not seem likely to contain any such information. If you know where those records are likely to be found (i.e. you know where the process table is stored), it seems more useful to dump that directly. (No, I have no idea myself.)

I'd extract that information with tools for that purpose -- by using IRCR or WFT or something like that -- once I've taken the memory dump.
When I run the command
Code:
strings -u image.dd
stuff keeps flying down the screen which is mostly gibberish.
That always happens -- you have to know what you are looking for, much as in any forensic investigation. So either you eyeball it (which is boring and error prone), or you tweak the parameters to strings to give you less gibberish, or you apply grep or some other filter to get rid of the uninteresting stuff, or 'join' to compare it with some other list of interesting words, or feed it straight into a password tester, or ... and so on and so on.

'-u' is not an option I recognize. You might try '-n' with some suitable minimal string length, or perhaps '-e' to catch up on information stored in some Unicode encoding system. (I'm more familiar with Unix strings.)

strings is really intended to be used as part of a Unix tool environment -- if you are trying to use it on its own, it's of rather limited value.
 

Complete

Aug 19, 2006
#3
Check out Volatility and Memoryze as two tools that are specifically built for analyzing images of memory.
The Volatility Framework currently provides the following extraction capabilities for memory samples:

* Image date and time
* Running processes
* Open network sockets
* Open network connections
* DLLs loaded for each process
* Open files for each process
* Open registry handles for each process
* A process' addressable memory
* OS kernel modules
* Mapping physical offsets to virtual addresses (strings to process)
* Virtual Address Descriptor information
* Scanning examples: processes, threads, sockets, connections, modules
* Extract executables from memory samples
* Transparently supports a variety of sample formats (i.e., Crash dump, Hibernation, DD)
* Automated conversion between formats
 
Jan 11, 2006
#4
I prefer to use Volatility when working with RAM dumps. However, you could also look into HBGary and Memoryze to parse the dumps for information of interest.

Within the volatility framework to pull process information look at the pslist, dlllist, files, procdump, and regobjkeys options.

Cheers!

farmerdude


www . forensicbootcd . com

www . onlineforensictraining . com
 
Oct 3, 2008
#5
Has anyone got any links to any online documentation about stuff on security ID, start time, kernel time etc.?

I've googled and looked for ebooks but can't really find anything. 8O
 
May 17, 2011
#6
I use the "strings" utility in Ubuntu. If you open the man page or run --help on strings it will give you some good options.

Here is how I use it:

$ strings -a -n 5 -t o -e s ~/images/<directory>/dump.dmp > dump.dmp.strings

Then I run the strings plugin from volatility on it. This will match the offset address to the address given from the strings output. This may or may not work depending on your version of volatility.

<volatility directory>$ ./vol.py strings -s ~/images/<directory>/dump.dmp.strings -f ~/images/<directory>/dump.dmp > output.strings

$ grep -i <Keyword> output.strings > <Keyword>.txt

This will give you a great list of keywords found in the strings. I use it to find references to my keywords.
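The offset-tagged strings step and the grep filter from this post, together with the -n / -e tuning athulin suggests in #2, as an added Python example that is not from any of the posters: it re-implements the relevant subset of GNU strings (scan the whole file, minimum length, offsets as with -t d, encodings 's' and 'l' as named in the binutils man page) over SAMPLE_DUMP, a constructed byte buffer standing in for a slice of a memory image, not a real dump.

```python
import re
from typing import List, Tuple

# Constructed sample buffer standing in for a slice of a physical memory
# image: an ASCII string, a UTF-16LE string, and runs of non-printable bytes.
SAMPLE_DUMP = (
    b"\x00\x01\x02"
    + b"lsass.exe"                       # ASCII, 9 printable bytes
    + b"\x00\xff\xfe"
    + "svchost.exe".encode("utf-16-le")  # 16-bit little-endian, as strings -e l
    + b"\x00\x00\x07ab\x00"              # "ab" is too short to be reported
)

# Run of printable 7-bit characters (minimum length is applied afterwards)
ASCII_RE = re.compile(rb"[\x20-\x7e]+")
# UTF-16LE as Windows stores it: printable ASCII byte followed by a NUL, repeated
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00)+")


def extract_strings(data: bytes, min_len: int = 5, encoding: str = "s") -> List[Tuple[int, str]]:
    """Return (byte_offset, text) pairs, mimicking `strings -a -n MIN -t d -e ENC`.

    encoding 's' = single 7-bit characters, 'l' = 16-bit little-endian; these are
    the two -e values a Windows memory image most commonly needs.
    """
    if encoding == "s":
        pattern, decode = ASCII_RE, (lambda raw: raw.decode("ascii"))
    elif encoding == "l":
        pattern, decode = UTF16LE_RE, (lambda raw: raw.decode("utf-16-le"))
    else:
        raise ValueError("encoding must be 's' or 'l'")
    hits = []
    for match in pattern.finditer(data):
        text = decode(match.group(0))
        if len(text) >= min_len:
            hits.append((match.start(), text))  # decimal physical offset, like -t d
    return hits


def grep_strings(hits: List[Tuple[int, str]], keyword: str) -> List[Tuple[int, str]]:
    """Case-insensitive keyword filter: the `grep -i <Keyword>` step of the procedure."""
    needle = keyword.lower()
    return [(offset, text) for offset, text in hits if needle in text.lower()]


if __name__ == "__main__":
    found = extract_strings(SAMPLE_DUMP, 5, "s") + extract_strings(SAMPLE_DUMP, 5, "l")
    for offset, text in grep_strings(found, "exe"):
        print(f"{offset}:{text}")
```

The retained offset is what lets a tool such as the Volatility strings plugin map each hit back to the process that owned that physical page; without -t (or the equivalent here) the keyword list alone cannot be attributed.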
 
