Re: ProScript searches

Chris — Wed, 27 Sep 2006 15:40:46 GMT

Harlan,

Since this script uses ProScript’s data carving API’s I don’t see a direct way to search allocated and unallocated sectors. The data carving API’s didn’t include allocated by design since files in allocated can be found more easily with a standard file system search.

The short answer is that I’m not sure if there will be an easy way to integrate a regex search outside of the data carving API’s, but I’ll look into it.

Based on your question I do think it is a good idea to add the ability to also add access to allocated sectors in the data carving API’s. I’ll put it on our post-5.0 API Enhancements. We will also be adding the ability to carve out only X bytes to the set.

Re: ProScript searches

keydet89 — Wed, 27 Sep 2006 01:25:23 GMT

Chris,

This is great, thanks. I'm sure that I can cobble something together to meet my/our needs.

My only question now is, if this is for unallocated space, how would I get the script to search over *all* sectors?

Thanks,

Harlan

Re: ProScript searches

Chris — Mon, 25 Sep 2006 23:44:51 GMT

Harlan,

Since this is a fairly common need I'm sure there are a few out there, but I haven't seen them directly. Here's a script used to carve IP Addresses from unallocated space that you should be able to hack up to do what you want:

----begin script------

#############################################################################
# Script Name: CarvIPAddresses.pl
# Discription: Script to search for, select and extract all jpg files
#
#
# Initially, this script will proceed with a content search. Once it is done,
# The Script will fetch all free clusters from the partition and start searching.
# The function, ReadConsSectors reads consecutive clusters from the file system
# those are free. If the header is found, then we will try to read the footer from
# that, assuming that, the file was consecutive.
# The script can be executed on any physical/logical drive/image or memory images.
#
# ProScript Version: 1.1
# Perl Version: 5.8.6
#
# Author: Development Team
# Histroy: 8/4/5 Original Script using ProScript 1.1 data carving api's
# Known issues: Will not work on compressed images, will not work on multi image projects
#############################################################################

use ProScript;
# Users should ensure they set search term file location and target directory for exporting files
$TargetDir = "C:\\ProDiscover\\ProScript\\Output";

# Users should uncomment the header, footer, and extension for the desired artifact search.
# Note only one header, footer, and extension group shoud be uncommented.
sub FindIPAddress()
{
my ($Name) = @_;

$Header = "([\\d]+)\\.([\\d]+)\\.([\\d]+)\\.([\\d]+)";
$Footer = "";
$Extn = "txt";

my $Handle = PSSearchAndRecoverFile($Name, $Header, $Footer, $TargetDir, $Extn);
if ($Handle == 0)
{
  PSDisplayText("Error starting data carving.");
  return;
}

PSSetDCBlockSize($Handle, 20);
PSDisplayText("Starting data carving on $Name");

$ObjName = $Name;

my $NumEntries = 0;
PSDisplayText("Searching in $ObjName");
PSOpenObject($ObjName);
PSSetProgressRange(0, 100);
PSStartProcess();
while (1)
{
  #PSDisplayText("In the first While");
  last if (PSGetProcessing() == FALSE);
  my $SearchData = "";
  $SearchData = &ProScript::PSReadConsClusters($Handle);
  my $IsEndOfDisk = PSDCIsEndOfDisk($Handle);
  last if ($IsEndOfDisk == 1);
  while (1)
  {
   #PSDisplayText("In the second While");
   last if (PSGetProcessing() == FALSE);
   if ($SearchData =~ m/(.*?)($Header)(.*)/s)
   {
    #Search string found. Construct the IP address
    my $IPAddr = "$3.$4.$5.$6";
    #Validate the IP address
    $ValidIP = 1;
    foreach $s (($1, $2, $3, $4))
    {
         if ($s < 0 || $s > 255)
         {
      $ValidIP = 0;
       last;
         }
    }

    if ($ValidIP)
    {
     $NumEntries++;
     my $FName = PSGetNextFileName($Handle);
     open(OUT,">>$FName");
     binmode(OUT);
     $IPAddr = $IPAddr . "\r\n";
     print(OUT $IPAddr);
     close(OUT);
    }
    $SearchData = $7;
    next;
   }
   else
   {
    last;
   }
  }
  my $Progress = PSDCGetPercentage($Handle);
  PSSetProgress($Progress);

}

PSSetStatusText("");
PSCloseObject($ObjName);
PSSetProgress(0);
PSEndProcess();
PSDisplayText("$NumEntries IP Address(es) found during the operation.");
PSCloseHandle($Handle);

}

# Get all objects added to the current project
$totalObjects = PSGetObjectsCount();

# for each object added to the project search it
for($i=0; $i < $totalObjects; $i++)
{
    $objectName = PSGetObjectName($i);
    &FindIPAddress($objectName);

}

PSDisplayText("Done!");
-------------end script------------------

ProScript searches

keydet89 — Mon, 25 Sep 2006 20:28:16 GMT

Are there any available examples for searching for credit card data and/or SSNs via a ProScript?

thanks,

Harlan

ProScript and Perl

Re: ProScript searches

Re: ProScript searches

Re: ProScript searches

ProScript searches