Vi




Sometimes the file being analyzed is not binary; instead, it is a text file. Text files can be viewed using the cat command on Unix operating systems, but again searches may not be as effective if the keyword is wrapped across multiple lines. Other commands such as more and less can be used to view text files a page at a time and offer limited searching capabilities. Vi is installed with most Unix operating systems as the most basic editor. Do not be fooled by the word basic: it can take years to master the power of vi. This section will concentrate on the viewing capabilities of vi and will assume the reader has some familiarity with the tool, as a full explanation is beyond the scope of this chapter.

Implementation

Vi is simple to invoke, and we will use the -R flag so that the file cannot be altered while we view it. (The -R command-line option starts vi in read-only mode.) Here’s the command:

forensic# vi -R suspiciousfile.txt

And here’s how the output looks:

[screenshot: vi -R displaying suspiciousfile.txt]

The file seems to be a word list. A nice feature of vi is its ability to search for complicated regular expressions. The search command within vi is activated by typing a slash (/) in the window and entering the regular expression afterward.

To search for the word hacker, for example, the following command is typed into the vi window:

/hacker

Here’s the output:

[screenshot: vi positioned on the first match for /hacker]

Now let’s say, for example, that we are not interested in locating the word hacker as a substring of another word. To continue to the next match and manually pick out the lines beginning with hacker, we could type n to move to the next match for the last regular expression we searched for. In this list, we would have to type n many times to access every word beginning with hacker. Therefore, a more efficient method of searching would need to be employed.

Tip: These same string-searching keystrokes (/ and n) are also supported by the basic file viewing tools more and less.

If we were interested in searching for the lines that begin with hacker, using regular expressions can make the operation much easier. The regular expression for finding the word hacker at the beginning of the line is represented by prepending a beginning-of-line character, the caret (^) symbol, to the search keyword. The following command finds the next line that contains the word hacker at the beginning of the line:

/^hacker

And here’s the output:

[screenshot: vi positioned on the first match for /^hacker]

Although this is a simple regular expression, much more complex keywords can be constructed. The review of regular expressions is beyond the scope of this book, but a good (and free) resource is the “perlre” man page, which can be found online at http://www.perl.com or on a machine with the Perl programming language properly installed.

Tip: To quit vi without writing to the file, type :q!.

A last important aspect to note about vi is its ability to read binary files. Although its output is not as pretty as hexdump or hexedit, vi’s output is still effective if it is the only tool available. Here’s the command:

vi -R suspiciousfile.bin 

And here’s the output:

[screenshot: vi -R displaying suspiciousfile.bin]

In the output, the same file analyzed in the hexedit section is being viewed. Any nonprintable bytes are output in hexadecimal notation using the \x## format, while any printable ASCII is shown as is. Using vi to view a file that is partially text and partially binary (like those pesky DOS-formatted files) is very useful! Here’s how the command looks:

vi -R dosfile.txt

And here’s the output:

[screenshot: vi -R displaying dosfile.txt]

Note: The vi installed on most Linux systems by default is actually vim (vi improved). Vim does not display output in the same manner as traditional vi; binary mode in vim is activated with the -b switch.
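To make the two searches and the binary display concrete, here is an added Python example (not code from the book) that emulates what this section describes: an unanchored search versus a caret-anchored search over a constructed word list, and the \x## rendering of nonprintable bytes in a constructed DOS-formatted (CRLF) file. The word list, the file contents and the function names are all assumptions made for the example.

```python
import re

# Constructed sample inputs (not from the original page): a short word list
# and a "DOS-formatted" text file with CRLF line endings and a stray NUL byte.
WORDLIST = "hack\nhacker\nhackers\nwhitehacker\nhacking\nhackerspace\n"
DOSFILE = b"Subject: test\r\nhacker\x00tool\r\n"


def search(text, pattern):
    """Return the 1-based numbers of the lines matching the regex, in the
    order repeated '/' + 'n' keystrokes in vi would visit them."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(text.splitlines(), 1) if rx.search(line)]


def render_like_vi(data):
    """Render bytes the way this section describes vi -R showing a binary
    file: printable ASCII is kept, every other byte is written as \\x##.
    A line feed still ends a display line, so a CRLF file shows a trailing
    \\x0d on every line, which is how DOS line endings become visible."""
    out = []
    for b in data:
        if b == 0x0A:
            out.append("\n")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


if __name__ == "__main__":
    print("/hacker  matches lines:", search(WORDLIST, "hacker"))
    print("/^hacker matches lines:", search(WORDLIST, "^hacker"))
    print(render_like_vi(DOSFILE))
```

The unanchored pattern also hits whitehacker, which the anchored pattern skips; the rendered DOS file shows \x0d before each line break and \x00 where the NUL sits.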






Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
