Tuesday, August 25, 2009

Using strings to find file names

This is just another mental note, detailing a manual process to find a filename when you have a string. It's yet another great process, albeit manual. We've just gotten to Autopsy in the class, and the automatic process of performing the tasks that we've learned about doing manually. I kind of like these manual processes because you really see what's going on at each step. I'm sure I'll change my tune once I have to perform the tasks on a huge hard drive with many many files. Anyway.

For this example, I'm using "MYGROUP" as the string that we're searching for. "sample.img" is the dd image that was created of the filesystem.

  1. First, create a strings file from the .img file: srch_strings -a -t d sample.img > sample.asc The -t d option prints each string's byte offset into the image in decimal, which is what the next steps need.
  2. Now, we can grep for a particular string: grep MYGROUP sample.asc Each matching line starts with the offset of the string. There could be more than one match, so you may have to run the process a couple of times; steps 3-7 would be repeated for each offset.
  3. Now we need to find the original_block_number. To do this, we divide the offset from step two by the block size of the filesystem and discard the remainder (the string can start anywhere inside a block). To find the block size, I run the following command: fsstat sample.img | grep "Block Size:"
  4. Now, I usually check that the block number from step three actually holds the string. I run blkcat sample.img original_block_number and look for MYGROUP in the output. If it isn't there, the offset or the block size is wrong.
  5. To find the inode_num that the block number from step three belongs to: ifind -d original_block_number sample.img The result will be the inode_num. If ifind cannot map the block to an inode, the block is not allocated to any file (the string sits in unallocated space or slack), and steps 6-7 won't find a name for it.
  6. To ensure that the inode number points to blocks, and that the block from step three is among them: istat sample.img inode_num
  7. Finally, we can use the inode number to pull the file name that we're looking for. Run: ffind sample.img inode_num A name that ffind prints with a leading asterisk belongs to a deleted directory entry.
These steps will find the file name that contains a particular string that we pulled out of the strings file. Note that the offsets from srch_strings count from the start of the image, so this only lines up with the block numbers when the image starts at the filesystem, as sample.img does here; for a whole-disk image you would have to subtract the partition's starting byte offset first and pass -o to the fsstat/ifind/ffind commands.
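Here is the whole chain wrapped in a small POSIX shell script, as an added example rather than something from the original post. It assumes the Sleuth Kit tools (srch_strings, fsstat, ifind, ffind) are on the PATH with their usual option syntax, that the image starts at the filesystem (no partition offset), and that inode numbers are plain integers as on ext2/3; the "Block Size:" line it parses is the format fsstat prints for those filesystems.

```sh
#!/bin/sh
# Added example (not the blog author's script): automate the
# srch_strings -> grep -> offset/blocksize -> ifind -> ffind procedure.
# Assumes Sleuth Kit tools on the PATH and an image that begins at the
# filesystem, so srch_strings byte offsets map directly to block numbers.

# Read fsstat output on stdin and print the block size, e.g. 4096,
# from its "Block Size: 4096" line.
fs_block_size() {
    sed -n 's/^Block Size:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Convert a byte offset (as printed by srch_strings -t d) into a block
# number. Shell arithmetic is integer division, so the remainder is
# dropped: a string that starts mid-block still belongs to that block.
offset_to_block() {
    echo $(( $1 / $2 ))
}

# Run the manual procedure for every occurrence of a string in an image.
# Prints one line per hit: the offset, the block, and the inode/name if
# the block is allocated to a file.
find_files_with_string() {
    img=$1
    pattern=$2
    bs=$(fsstat "$img" | fs_block_size)
    if [ -z "$bs" ]; then
        echo "could not determine block size from fsstat" >&2
        return 1
    fi
    # srch_strings -t d prints "<offset> <string>"; read splits on the
    # first whitespace so $off is the decimal offset.
    srch_strings -a -t d "$img" | grep -F "$pattern" | while read -r off rest; do
        blk=$(offset_to_block "$off" "$bs")
        inode=$(ifind -d "$blk" "$img")
        # ifind reports a message instead of a number when no inode
        # owns the block (unallocated space or slack).
        if [ -z "$inode" ] || echo "$inode" | grep -qi 'not found'; then
            echo "offset $off block $blk: no allocated inode"
            continue
        fi
        name=$(ffind "$img" "$inode")
        echo "offset $off block $blk inode $inode -> $name"
    done
}

# Usage: ./findstr.sh sample.img MYGROUP
if [ "$#" -eq 2 ]; then
    find_files_with_string "$1" "$2"
fi
```

Each hit gets its own block and inode lookup, so the repetition of steps 3-7 for multiple matches happens automatically; a hit that ifind cannot map to an inode is reported rather than silently dropped, which is exactly the case where you would switch to carving the unallocated block instead of looking for a name.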

edit 10-5-09: I went back through these directions and they were written pretty badly. So, I've updated them for clarity.
