On 17 Sep 2001 in Forensics Digest 17 Issue 51, jamie rishaw <jamieat_private> wrote:

> running it through UNIX 'strings' is always one of the first things I
> do to any document or file that I don't know of -- it's invaluable in
> a lot of things..

Running it through 'tr -d \0' first will make things a lot more useful:
Word stores a whole lot of stuff in Unicode strings. For standard ASCII,
this means that there are a lot of alternating binary zeroes with single
ASCII characters in the non-text part of the document. In the text part
too, for that matter, though this is less common.

Since 'strings' by default discards strings shorter than 4 bytes, and
since there's a-plenty useful information that is in this
alternating-zeroes form, and since if you use 'strings' with, say, a
1-byte minimum length the results are really ugly, stripping out the
binary zeroes before feeding the file to 'strings' can be a Really Good
Thing.

You get more junk if you use 'tr', but I find the tradeoff well worth
it. Try it both ways and decide for yourselves.

-BPB
University of Michigan AntiVirus Team Leader
University of Michigan Data Recovery Team Leader
PGP 2.6.2 key fingerprint: 0D A5 98 3C 91 DA E0 DD 9C 6D FA 8F 4D 34 95 ED

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
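An added example, not part of BPB's post, that shows the effect he describes on a constructed file. The sample is a stand-in built with printf (8-bit body text plus NUL-interleaved UTF-16LE metadata of the kind Word keeps in its summary information stream), not a real Word document, and the strings names in it ("Author: jdoe", "Normal.dot") are made up. The 'strings' scan is emulated with tr and grep so the script runs without binutils; the real `strings -n 4` behaves the same on this input. Two things to watch for: the NUL must be quoted (`tr -d '\0'`), because an unquoted \0 in sh and bash is just the character 0 and would strip every digit zero instead of NUL bytes; and the last field of the sample shows the "more junk" he mentions, two unrelated two-byte values that fuse into one bogus string once the NULs between them are gone.

```shell
#!/bin/sh
# Added example (not from the original post): compare a strings-style
# scan of a constructed Word-like file with and without tr -d '\0' first.

# Write the constructed sample to $1. NUL bytes are spelled \000.
make_sample() {
    {
        # 8-bit body text, as in the main text stream
        printf 'Dear colleague, the attached report is confidential.\n'
        # UTF-16LE "Author: jdoe" (hypothetical summary-stream field)
        printf 'A\000u\000t\000h\000o\000r\000:\000 \000j\000d\000o\000e\000'
        # non-printable padding
        printf '\001\002\003\004\377\376'
        # UTF-16LE "Normal.dot" (the default template name)
        printf 'N\000o\000r\000m\000a\000l\000.\000d\000o\000t\000'
        # two unrelated 2-byte fields; harmless alone, they fuse into
        # the fake string "ABCD" once the NULs are stripped
        printf '\000\000\033AB\000\000CD\000\000\033'
    } > "$1"
}

# Emulate `strings -n 4`: keep printable-ASCII runs of 4 or more bytes.
# LC_ALL=C makes tr and grep work bytewise, as strings does.
scan() {
    LC_ALL=C tr -c '[:print:]' '\n' | LC_ALL=C grep -E '.{4,}'
}

# The plain approach from the quoted message.
strings_plain() {
    scan < "$1"
}

# BPB's approach: delete NULs first, then scan. Note the quoted '\000'.
strings_nulstripped() {
    LC_ALL=C tr -d '\000' < "$1" | scan
}

# Count scan lines exactly equal to $2 in file $1 (0 when absent).
# grep -c's non-zero exit on no match is masked so this is safe under set -e.
has_plain()       { strings_plain "$1"       | grep -cx -- "$2" || true; }
has_nulstripped() { strings_nulstripped "$1" | grep -cx -- "$2" || true; }

# Demo: build the sample and show both scans side by side.
sample=$(mktemp)
make_sample "$sample"
printf '%s\n' '== strings alone =='
strings_plain "$sample"
printf '%s\n' "== tr -d '\\0' | strings =="
strings_nulstripped "$sample"
rm -f "$sample"
```

The plain scan finds only the body sentence; after NUL stripping it also surfaces "Author: jdoe" and "Normal.dot", plus the fused junk line "ABCD". GNU binutils strings can scan for 16-bit little-endian text directly with `strings -e l` (`--encoding=l`), which finds the UTF-16 strings without creating fused false positives; running it alongside the default 8-bit scan gives the same coverage with less junk.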
This archive was generated by hypermail 2b30 : Mon Sep 17 2001 - 11:07:27 PDT