Textsearch, a Python script for looking through way too much crap

Not too long ago, a friend of mine had one of their hard drives “accidentally erased” and they had no backup.

I kindly applied some Scalpel knowledge to it, and got back almost everything they had lost. Pictures, songs, .pdf documents, the works.

Two things gave some trouble. The first problem was text documents. This person had stored their recipes as text documents, and setting scalpel to pull them out of a 500GB hard drive found roughly 10k text documents.

The other issue was the .pdfs. Most of them were stuff she could care less about, but the others were tax documents that she really needed. She had over 500 .pdf documents found through scalpel.

Although there may well be something better already written, I solved the problem with Python.

This script will open and look through documents of whatever kind you like for the strings you set. I have it so it can look for ANY of your search terms, or it can look for only documents with ALL of them. (This is because when I first ran it to look for recipes, I figured the one common word for all recipes she might have would be “cups”, not realizing she had been running Linux. OH HAI, Common Unix Printing System files, logfiles, mentions, and the like. There are rather a lot of you.) So, you can run this on Scalpeled files to find what you need. You could upload it to popped boxes you are pentesting and search for unencrypted file content of some kind. You can do whatever you like with it.

In case it might be useful for forensics or pentesting, I played it safe and had it open all files as read only. Rather than moving them, it simply makes a copy of the file to wherever you tell it.
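The behaviour described above (ANY/ALL term matching, read-only opens, copy instead of move) can be sketched as follows. This is an added example, not the author's Textsearch script; the function names `find_terms` and `triage`, the chunked read and the numeric filename prefix are assumptions made for illustration.

```python
import shutil
from pathlib import Path


def find_terms(path, terms, chunk_size=1 << 20):
    """Return the set of terms present in the file (ASCII case-insensitive)."""
    needles = {t: t.lower().encode("utf-8") for t in terms}
    if not needles:
        raise ValueError("at least one search term is required")
    overlap = max(len(n) for n in needles.values()) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:  # read-only binary: source is never modified
        while chunk := fh.read(chunk_size):
            window = tail + chunk.lower()
            found.update(t for t, n in needles.items() if n in window)
            if len(found) == len(needles):
                break
            # keep the end of this window so a term split across chunks is seen
            tail = window[-overlap:] if overlap else b""
    return found


def triage(src_dir, dest_dir, terms, require_all=False):
    """Copy files containing ANY (default) or ALL terms to dest_dir."""
    src, dest = Path(src_dir).resolve(), Path(dest_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    wanted = set(terms)
    copied = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        if dest in path.parents:  # do not rescan our own output
            continue
        found = find_terms(path, terms)
        if (found == wanted) if require_all else bool(found):
            # numeric prefix: carved files from different folders share names
            target = dest / f"{len(copied):05d}_{path.name}"
            shutil.copy2(path, target)  # copy, not move; keeps timestamps
            copied.append(target)
    return copied


if __name__ == "__main__":
    import sys
    # usage: script.py SRC DEST [--all] term [term ...]
    args = [a for a in sys.argv[1:] if a != "--all"]
    for p in triage(args[0], args[1], args[2:], "--all" in sys.argv):
        print(p)
```

A byte-level search like this only sees text stored uncompressed in the file, so PDF text held in compressed streams has to be extracted first before it can match.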

Here’s hoping you can put it to use.

As always, if you have any comments or questions regarding my Python programming, or see ways I can do things better, please let me know!



~ by Benjamin Kenneally on July 6, 2011.
