
String Searching with bstrings: Carving Files and Finding Hidden Data

Hi, everyone! Welcome to another article.


If you’ve been following along, you know I’ve covered some amazing tools, including bstrings.exe, a powerful utility by Eric Zimmerman. I previously shared how to use this tool for string searches and you can check out that guide

Today, we’re revisiting bstrings, but with a new focus: file carving and detailed searches. Let’s dive in!

-------------------------------------------------------------------------------------------------------------

Why String Searching Matters in Forensics

String searching is one of the most versatile forensic techniques. It’s commonly used in tasks like:


  • Memory analysis

  • Reverse-engineering malware

  • Finding data in unallocated space or disk images


Why is it so effective?

Many crucial pieces of evidence—like IP addresses, URLs, usernames, passwords, and file paths—are represented as strings. By searching for strings, you can uncover data in memory dumps, page files, or even entire disk images.

-------------------------------------------------------------------------------------------------------------

bstrings: A Power Tool for String Searching

bstrings, created by Eric Zimmerman, is an advanced tool for string searching. Originally a Windows-only tool, it is now built on .NET 6, which makes it faster and lets it run on Linux as well.


It stands out for its ability to:

  • Extract both ASCII and Unicode strings simultaneously.

  • Perform advanced searches using regular expressions (regex).

  • Use built-in regex patterns to search for common items like IP addresses, file paths, and URLs.


Here are some examples of bstrings in action:

  1. Extract all strings with a minimum length of 8 characters:

bstrings.exe -f "E:\Output for testing\20250116.mem" -m 8

  2. Search for specific terms in a file:

bstrings -f "E:\Output for testing\20250116.mem" --ls <search_term>

  3. Use regex to find IPv4 addresses:

bstrings.exe -f "E:\Output for testing\20250116.mem" --lr ipv4

To see all available regex patterns, run:

bstrings -p

-------------------------------------------------------------------------------------------------------------


Two Approaches to String Searching

In forensic investigations, string searching typically follows one of two methods:


1. Bit-by-Bit Searching

This approach scans the raw data directly for specific terms or patterns. Tools like bstrings and hex editors are often used. While thorough, this method has a limitation: if the term of interest is inside a compressed file, such as Windows 10/11 pagefiles, Outlook OSTs and PSTs, and even Office documents (which are essentially zip-compressed XML files), then basic searching tools will be unable to find the term. Specialized forensic tools can decompress some file types, but coverage is incomplete, especially for newer systems like Windows 10/11.
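To make both points concrete (ASCII and Unicode strings pulled from raw bytes, and a term that a raw search misses because it sits in compressed data), here is an added example in Python. It is my own code, not bstrings or anything from this post; the ipv4 and bitlocker regexes are my own approximations of the built-in patterns, and the "memory" buffer is constructed inline.

```python
import re
import zlib

# Added example, not bstrings' own code: a minimal re-implementation of the
# bstrings idea so the "compressed data is invisible to a raw string search"
# caveat can be seen on constructed bytes. The two patterns are my own
# approximations of the built-in ipv4 and bitlocker patterns.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "bitlocker": re.compile(r"\b(?:\d{6}-){7}\d{6}\b"),  # 8 groups of 6 digits
}

def extract_strings(data, min_len=8):
    """Return printable ASCII and UTF-16LE strings of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found

def search(data, pattern_name, min_len=8):
    """Run one named pattern over every extracted string (like bstrings --lr)."""
    pat = PATTERNS[pattern_name]
    return [hit for s in extract_strings(data, min_len) for hit in pat.findall(s)]

def carve_zlib(data):
    """Carve zlib streams by trying to inflate at every plausible zlib header."""
    carved = []
    for m in re.finditer(rb"\x78[\x01\x5e\x9c\xda]", data):
        inflater = zlib.decompressobj()
        try:
            chunk = inflater.decompress(data[m.start():])
        except zlib.error:
            continue  # false positive: the bytes only looked like a header
        if chunk and inflater.eof:  # a complete stream with a valid checksum
            carved.append(chunk)
    return carved

# Constructed sample "memory" buffer: an ASCII log line, a UTF-16LE string and a
# zlib-compressed blob standing in for a zipped Office document.
SAMPLE = (
    b"\x00\x01\x02conn from 10.0.0.5 to 192.168.1.20\n"
    + "Recovery key 123456-234567-345678-456789-567890-678901-789012-890123".encode("utf-16-le")
    + b"\x00\x00\x00\x00"
    + zlib.compress(b"hidden beacon 203.0.113.7 inside compressed data " * 4)
)

if __name__ == "__main__":
    print("raw ipv4 hits:", search(SAMPLE, "ipv4"))  # 203.0.113.7 is missing
    print("raw bitlocker hit:", search(SAMPLE, "bitlocker"))
    print("after carving:", search(b"".join(carve_zlib(SAMPLE)), "ipv4"))
```

The raw pass finds the two addresses in the log line and the recovery-key-shaped Unicode string, but not the address inside the compressed blob until the stream is carved and inflated first.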


2. Indexed Searching

This method creates a searchable index of all strings in a dataset. Tools like Autopsy use indexing engines (e.g., Apache Solr) to process disk images, making subsequent searches fast.


While indexing is efficient for large datasets, it has downsides:


  • Indexes can take a long time to build and require significant storage space.

  • Some strings or characters (e.g., "@") might be excluded for efficiency, complicating certain searches.


For example, searching for an email address might require a workaround like proximity searches to account for missing characters.


-------------------------------------------------------------------------------------------------------------


Comparing bstrings and Indexed Searches

To illustrate the differences, let’s look at a scenario where we’re searching for a BitLocker recovery key:


  • Using bstrings:

    • A direct regex search across a memory image quickly identified a string in the recovery key format.

    • While fast and efficient, it requires manual validation of results to rule out false positives.

bstrings.exe -f "E:\Output for testing\20250116.mem" --lr bitlocker

  • Using Autopsy:

    • By indexing the disk image, multiple searches were performed almost instantly.

    • While indexing took significant time, it allowed for comprehensive searches, including compressed files.


Both methods have their place, depending on the type of investigation and the tools available.


-------------------------------------------------------------------------------------------------------------


Why bstrings Is a Must-Have Tool

Here’s what makes bstrings so valuable:

  1. Speed and Efficiency: It processes data quickly, even for large datasets.

  2. Advanced Regex Support: Built-in patterns save time and ensure accurate results.

  3. Cross-Platform: Now compatible with Linux, it’s more versatile than ever.

  4. Customization: You can add your own regex patterns for unique searches.


-------------------------------------------------------------------------------------------------------------


Final Thoughts

String searching might not seem flashy, but it’s one of the most reliable forensic techniques. Whether you’re using bstrings for bit-by-bit searches or tools like Autopsy for indexed searching, the key is to match the method to your investigation’s needs.


I highly recommend checking out the article on Memory Forensics using Strings or Bstrings. The reason is simple: it provides commands along with screenshots, making it easy to understand and follow.


If you haven’t already, give bstrings a try. It’s free, fast, and incredibly powerful—perfect for anyone looking to level up their forensic skills. As always, keep exploring and stay curious. See you in the next article!

--------------------------------------------------Dean---------------------------------------------------

