Password generation from HDD
#3
(02-13-2014, 07:58 PM)atom Wrote: I never thought about creating a wordlist this way. In theory you should be able to do "strings /dev/sda", that should work and if there's hidden data you should get it with this as well...
Running strings against /dev/sda will run across the disk image sectors sequentially from start to finish, which will give a good word list and include words from the deleted areas of the disk (unallocated space), but for fragmented files a very small number of words within those files will not be continuous across the sector boundaries and will be missed.

I guess you could mount the partition and extract strings from the live files this way, which will resolve the fragmentation issue:
find . -xdev -type f -print0 | xargs -0 strings | sort -u

It's also worth remembering that by default strings will only pull out ASCII strings, so some tweaking will be needed to get Unicode/base64 and other encoded strings.

Even then, this still leaves the issue of strings inside compound files such as zips (inc. docx files), email archives (pst, dbx, etc.) and other proprietary data formats, which will be missed.

I'm going to have a look at some of the open-source forensic tools to see how they approach this problem from a keyword searching perspective.

Cheers
d
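
Added example, not part of the post above: a minimal Python extractor showing the encoding gap the post describes, where an ASCII-only pass misses UTF-16LE and base64-encoded strings. The function names, the 16-character base64 floor and the sample buffer are assumptions constructed for illustration.

```python
import base64
import re

MIN_LEN = 4  # minimum run length; matches the default of strings(1)

# Runs of printable ASCII: what a plain `strings` call extracts.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same characters stored as UTF-16LE (each followed by a NUL byte).
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Candidate base64 runs; 16 characters is an arbitrary floor to limit noise.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def ascii_strings(data):
    return {m.group().decode("ascii") for m in ASCII_RUN.finditer(data)}


def utf16le_strings(data):
    return {m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(data)}


def base64_strings(data):
    """Decode base64-looking runs and pull ASCII strings out of the result."""
    found = set()
    for m in BASE64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(), validate=True)
        except ValueError:  # wrong length or padding: not real base64
            continue
        found |= ascii_strings(decoded)
    return found


def extract_strings(data):
    return ascii_strings(data) | utf16le_strings(data) | base64_strings(data)


# Constructed sample buffer: one ASCII, one UTF-16LE and one base64 string,
# separated by non-printable bytes.
SAMPLE = (
    b"\x01\x02config\x03"
    + "Summer2014".encode("utf-16-le")
    + b"\xff\xfe"
    + base64.b64encode(b"hidden-passphrase")
    + b"\x00"
)

if __name__ == "__main__":
    for word in sorted(extract_strings(SAMPLE)):
        print(word)
```

On the sample, the ASCII pass alone returns only "config" and the still-encoded base64 text; the other two passes recover "Summer2014" and "hidden-passphrase".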


Messages In This Thread
Password generation from HDD - by deeja - 02-13-2014, 12:15 PM
RE: Password generation from HDD - by atom - 02-13-2014, 07:58 PM
RE: Password generation from HDD - by deeja - 02-14-2014, 10:33 AM
RE: Password generation from HDD - by epixoip - 02-14-2014, 12:22 PM