[Vol-dev] Patch: strings command optimization

[Brendan Dolan-Gavitt]

As long as we're chatting about strings, it's worth noting that the  
"strings" command on UNIX-like operating systems will not find UTF-16  
encoded strings by default (like those commonly found in Windows).

If you've got a copy of GNU strings, you can use:

strings -t d -e l <file>

(the "-e l" tells it to look for strings in UTF-16 little-endian  
encoding. Other encodings are possible too, check the manpage).

If you are unlucky enough to be without a copy of GNU strings (OS X  
doesn't ship with it by default; it instead ships a non-unicode-aware  
version), you can install it as part of binutils.

-Brendan

On Sep 7, 2009, at 5:46 PM, Tim wrote:

> Jesse,
>
>> I'm still testing your patches,
>
> Cool, thanks for taking a look at it.
>
>> but have found the following Perl
>> script necessary to convert my Mac's strings output into the format
>> needed by Volatility. I thought others might be able to make use of
>> it:
>> [...]
>
> Yeah, I've also been thinking that the strings command should be
> changed to accept more standard strings output (i.e. a space as
> delimiter).  The change would be easy and I don't think it will break
> anything, so long as it also accepts ':' as a delimiter.  For now
> I've just been using something like:
>
>  sed 's/ /:/'
>
> to do the conversion myself.  (Note that sed will only perform one
> replacement per line by default.)
>
> Once it is decided which way this command should be updated (i.e.
> changed to a core plugin or something similar), I can come back and
> make some more functional changes like this if there's no objections.
>
> cheers,
> tim
> _______________________________________________
> Vol-dev mailing list
> Vol-dev at volatilesystems.com
> http://lists.volatilesystems.com/mailman/listinfo/vol-dev
>