Well, I finally made it… the last post of the year. I have to say I didn’t think I would be able to make my deadline every week, much less through the entire year. And with the exception of one week (which a time change screwed up for me), I managed to pull it off.
So here we have the last script of the year. This is again another simple script I created. Most of the time (as I’m sure a lot of forensic examiners do), I like to take the memory images I create and run strings against them to pull out all the text in the raw file (I use The Sleuth Kit’s srch_strings command specifically). From there I’ll end up running the output through grep for possible keywords of interest.
However, there are times when I’m on a Windows box where I can’t do that as easily. Yes, I could install Unix tools on Windows, but then I wouldn’t get to write something in Python, would I?
This script takes the strings file from the memory image as its input and then prompts me for the search term. It goes through the text file and returns each search hit along with its line number from the file. I wanted it to include the line number so that if there’s something interesting I want to look at further, I can open the file in a text editor and see what is around it. Of course, the strings file from a memory image is sometimes too big for a standard text editor, but at least I have a starting point.
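The post doesn’t include the script itself, so here is an added example of the same workflow. This is my code, not the original script, and it assumes nothing beyond the Python standard library. It also goes one step further than the post: since the whole point was being stuck on a Windows box without strings, it can pull the strings out of the raw image itself (ASCII and UTF-16LE, which is what most in-memory Windows text looks like) and write them to a strings file with hex offsets, and then search that file for a term and report the line number of every hit. The sample "image" bytes and the script name memstrings.py are constructed for illustration and are not from any real capture.

```python
"""Keyword search over the strings in a memory image, in pure Python.

Added example, not the original post's script. Two pieces: extract_strings()
pulls printable runs out of a raw image the way srch_strings does (ASCII plus
UTF-16LE), and search_lines() / search_strings_file() find a term in a strings
file and report the 1-based line number of every hit, so you can go back to
the file and look at the surrounding context.
"""
import os
import re
import sys
import tempfile

MIN_LEN = 4  # default minimum string length used by strings/srch_strings


def extract_strings(data, min_len=MIN_LEN):
    """Return (byte_offset, encoding, text) for every printable run of at
    least min_len characters in data, sorted by offset."""
    # Printable ASCII run.
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # Same characters as UTF-16LE: every printable byte is followed by a NUL.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort()
    return found


def dump_strings(data, out_path, min_len=MIN_LEN):
    """Write one string per line, prefixed with its hex offset (in the spirit
    of srch_strings -t x), so the file can be grepped or fed to search_lines()."""
    with open(out_path, "w", encoding="latin-1", newline="\n") as f:
        for offset, enc, text in extract_strings(data, min_len):
            f.write(f"{offset:08x} {enc:8} {text}\n")
    return out_path


def search_lines(lines, term, ignore_case=True):
    """Return [(line_number, line)] for every line containing term.
    Line numbers are 1-based so they match what a text editor shows."""
    needle = term.lower() if ignore_case else term
    hits = []
    for lineno, line in enumerate(lines, start=1):
        line = line.rstrip("\r\n")
        haystack = line.lower() if ignore_case else line
        if needle in haystack:
            hits.append((lineno, line))
    return hits


def search_strings_file(path, term, ignore_case=True):
    """Stream a strings file from disk one line at a time, so files far too
    large for a text editor are still searchable without loading them whole."""
    # A real strings file can contain arbitrary bytes; latin-1 decodes anything
    # without raising, so junk in the file cannot abort the search.
    with open(path, "r", encoding="latin-1") as f:
        return search_lines(f, term, ignore_case)


# Constructed sample "image" so the example runs offline; not a real capture.
SAMPLE_IMAGE = (
    b"\x00\x00MZ\x90\x00\x03"                       # header noise; "MZ" is too short
    + b"cmd.exe /c whoami > C:\\Temp\\out.txt\x00"  # ASCII command line
    + b"\xff\xfe" + "http://example.invalid/update.php".encode("utf-16le")
    + b"\x00\x01\x02ab\x00"                          # "ab" is below MIN_LEN
    + b"Password=Summer2024!\x00"
)


def run_demo(term):
    """Dump SAMPLE_IMAGE to a temporary strings file and search it for term."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    try:
        dump_strings(SAMPLE_IMAGE, path)
        return search_strings_file(path, term)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Same workflow as the post: give it a strings file, get prompted for a term.
    if len(sys.argv) < 2:
        sys.exit("usage: memstrings.py <strings-file>")
    term = input("Search term: ")
    for lineno, line in search_strings_file(sys.argv[1], term):
        print(f"{lineno}: {line}")
```

Run it as `python memstrings.py image.strings` and type the term at the prompt; each hit prints as `line number: line`, and because the dumped lines carry the byte offset, a hit can be taken straight back to the raw image with a hex editor as well as to the strings file. The search is case-insensitive by default, which is usually what you want when hunting for a keyword across memory, and the file is streamed rather than read whole, so a multi-gigabyte strings file is no problem.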
Now where do I go from here? Well, I’m planning on continuing to write code. I’m going to take some of the scripts I’ve used over the last year and expand them, one of them being a case management system, something I’ve wanted to write for a while. Now that I’m not on a weekly schedule I can take more time to write code. I’m also planning on putting together a presentation on my experiences over the last year, which I’ll probably submit to one or two conferences.
I’ll end this last one not by saying until next week, but Keep Coding!