Re: [Vol-users] stings input file format question

Glad I could help! Yep, I've seen this before many times ;-) All the best, -gleeda ________________________________ From: Mike Lambert <dragonforen(a)hotmail.com> Date: Mon, 27 Feb 2012 17:02:15 -0600 To: <jamie.levy(a)gmail.com> Subject: RE: [Vol-users] stings input file format question My thanks! Well you called that one! I was using Encase's "Export" to output a text file of the offsets of the hits from the search result tab. Encase outputs unicode text. I just need to put a new step in the process, convert it to ANSI before running it with the strings command. And it does have a funky befinning of file marker.... You must have seen this before? Best, Mike > Date: Mon, 27 Feb 2012 16:39:08 -0500 > Subject: Re: [Vol-users] stings input file format question > From: jamie.levy(a)gmail.com > To: dragonforen(a)hotmail.com > > hrmmmmm I don't see anything obviously wrong here... But since you > said these offsets are from EnCase, how were they obtained? By > EnScript to a file, copy+paste from the console or some other method? > I'm just curious if the offsets were exported in ASCII or EnCase's > default UTF-16. Also sometimes when exporting in unicode, there's a > funky corrupt BOM that EnCase uses that might be messing things up... > I'm just trying to think of things that might have gone wrong here. > > Maybe you could try copy and pasting a few of these "Ypycub" entries > into a new text file and running the strings plugin again to see. > > All the best, > > -gleeda > > > On Mon, Feb 27, 2012 at 4:06 PM, Mike Lambert <dragonforen(a)hotmail.com> > wrote: > > I am mystified why I see the following: in one case I get output from > > strings and the other I get an input file format error. I have tried > > this > > with 1.3 and 2.0 and get the same result. It takes 1.3 a looonnngg time > > to > > return the error, 2.0 returs the error quickly. > > > > I thought the reason may be length, so I broke up the Ypycub offsets > > into > > increasingly smaller input files; no success was achived with the > > smaller > > input files. > > I don't see a format difference in these 2 files. > > > > The offsets come from an Encase search of 120225b.mem. It is a 458MB > > WinXPSP3x86 image converted from hiberfil.sys. > > > > > > Vol 1.3 example: The same result is seen with Vol 2.0 > > > > The input file is: > > > > 357229672:Glows > > 280642408:Glows > > 257105340:Glows > > 113457472:Glows > > 357230696:Glows > > > > > > C:\Python27\Volatility-1.3_Beta>python volatility strings -f > > e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Glows_offsets.txt > > > > 357229672  [kernel:df864468 ] Glows > > 280642408  [1456:45b8368 ] Glows > > 257105340  [kernel:e1ec1dbc ] Glows > > 113457472  [1456:2ac0940 ] Glows > > 357230696  [kernel:df864868 ] Glows > > > > ----------------------cut-here------------------------- > > The input file is: > > > > 7744388:Ypycub > > 10830274:Ypycub > > 70385414:Ypycub > > 70918297:Ypycub > > 70918649:Ypycub > > 73375514:Ypycub > > 91390974:Ypycub > > 104879126:Ypycub > > 104879154:Ypycub > > 132968006:Ypycub > > 215776800:Ypycub > > 232868024:Ypycub > > 232869190:Ypycub > > 237434963:Ypycub > > 237434991:Ypycub > > 256642118:Ypycub > > 285030170:Ypycub > > 310449659:Ypycub > > 310449687:Ypycub > > 314178656:Ypycub > > 325974496:Ypycub > > 327972307:Ypycub > > 327972335:Ypycub > > 338814062:Ypycub > > 338814854:Ypycub > > 339229856:Ypycub > > 339763304:Ypycub > > 339763544:Ypycub > > 339893168:Ypycub > > 340101984:Ypycub > > 343215259:Ypycub > > 343215287:Ypycub > > 357229759:Ypycub > > 361836122:Ypycub > > 367889650:Ypycub > > 455348611:Ypycub > > 455348639:Ypycub > > > > > > C:\Python27\Volatility-1.3_Beta>python volatility strings -f > > e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Ypycub_offsets.txt > > > > Usage: strings [options] (see --help) > > volatility: error: String file format invalid. > > > > > > Thanks for any assistance. > > > > Mike > > > > > > > > > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org > > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > > > > -- > PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92