WEBVTT

00:07.370 --> 00:08.240
All right.

00:08.240 --> 00:09.140
Welcome back.

00:09.140 --> 00:11.240
We are going to mess around with strings today.

00:11.270 --> 00:16.850
Now according to the textbook, as always, it is a utility in cybersecurity to analyze binary and

00:16.850 --> 00:20.660
executable files for human readable text, i.e. strings.

00:20.810 --> 00:26.510
We can use those strings in a variety of ways, but realistically, most of the time we're using it

00:26.510 --> 00:27.650
for malware analysis, right?

00:27.680 --> 00:34.370
We're looking for data that allows us to better understand what the program or what the application

00:34.370 --> 00:36.650
is doing within the binary code.

00:36.680 --> 00:37.100
Right.

00:37.130 --> 00:45.380
So it really provides us with a glimpse into the artifacts or the specific details associated within

00:45.380 --> 00:47.330
the program that we're analyzing.

00:47.600 --> 00:51.080
Now, we're not going to go too far into depth of this, but I am going to show you a couple of commands

00:51.080 --> 00:57.590
that you need to understand, or you need to know in order to better, uh, equip yourself to pass the

00:57.590 --> 00:59.180
CySA exam.

00:59.180 --> 01:02.420
So to do that, I went ahead and downloaded a program already.

01:02.450 --> 01:04.880
We're going to go up to our terminal like this.

01:04.880 --> 01:06.680
I'm going to blow this up so you can see it.

01:07.670 --> 01:08.360
There we go.

01:08.390 --> 01:09.290
We should be able to see that.

01:09.290 --> 01:11.480
And I need to get into the right folder of course.

01:11.510 --> 01:11.690
Right.

01:11.720 --> 01:13.550
So I'm going to do cd Downloads.

01:13.670 --> 01:17.360
And we used Minecraft for this specific lab.

01:17.360 --> 01:18.740
So I just downloaded Minecraft.

01:18.770 --> 01:20.210
No I didn't install it.

01:20.210 --> 01:21.650
I didn't install it on Linux.

01:21.650 --> 01:25.130
I actually, believe it or not, haven't played Minecraft in like 20 years.

01:25.310 --> 01:27.950
Well, I shouldn't say this feels like 20 years, right?

01:28.040 --> 01:30.260
Um, but we're going to dissect it today.

01:30.290 --> 01:30.710
Okay.

01:30.740 --> 01:33.980
So the first command we're going to do is just a simple strings.

01:33.980 --> 01:37.820
And we're going to equip it back into that Minecraft just like that.

01:37.820 --> 01:40.760
And it provides us some basic information.

01:40.760 --> 01:45.860
Now, I know it doesn't look like you can read it because you kind of can't, but it outputs all the

01:45.860 --> 01:49.280
strings within the executable, all the binary data.

01:49.400 --> 01:50.780
Now there's maybe too much here.

01:50.780 --> 01:56.000
And so what we want to do is we want to get this data to a portion where we can read it.

01:56.030 --> 02:00.110
Maybe, for instance, we only need data.

02:00.140 --> 02:04.610
That is at least let's say ten characters in length.

02:04.610 --> 02:09.290
So I'm going to do a -n 10 and then we'll do that Minecraft.deb right there.

02:09.290 --> 02:13.790
So this is going to look for all this data that I already pulled up.

02:13.970 --> 02:20.150
And it has to be a minimum of ten characters in length because I did a -n with a ten.

02:20.180 --> 02:22.610
Now you can see here that it's providing that.

02:22.610 --> 02:25.610
And I also want to point out, I want to point out this right up here.

02:25.640 --> 02:25.850
Right.

02:25.880 --> 02:27.320
See this right here.

02:27.320 --> 02:31.400
All these blanks, or these spaces I should say, it's character length.

02:31.430 --> 02:31.670
Right.

02:31.700 --> 02:37.520
So that means if somebody put a space in there then that counts as that ten character length.

02:37.520 --> 02:39.560
However, maybe this isn't enough data.

02:39.590 --> 02:41.510
Maybe we're looking at this and we're going, you know what?

02:41.540 --> 02:42.770
That's just not enough.

02:42.770 --> 02:44.210
Let's shorten this down.

02:44.240 --> 02:47.540
Now instead of ten, we can do five, right?

02:47.540 --> 02:48.770
We could also do eight.

02:48.800 --> 02:50.030
We could do seven, we could do six.

02:50.030 --> 02:51.110
We can do whatever we want.

02:51.140 --> 02:54.140
There's no requirement on there, okay?

02:54.170 --> 02:56.030
But that's the first one I wanted to show you.

02:56.060 --> 03:02.220
The next one I wanted to show you is a -a, tack a, or switch a, depending on how you read it.

03:02.220 --> 03:05.040
And again we're going to do Minecraft.deb,

03:05.040 --> 03:10.200
and this is going to look for the ASCII two strings within the file.

03:10.200 --> 03:17.100
So anything that's ASCII two, and you can see not much changed in our random assortment of random

03:17.100 --> 03:23.430
numbers and characters throughout this, but the ASCII two, that is going to be a -a.

03:23.460 --> 03:31.560
The last one I want to show you is if we want to, uh, if we want to have a custom separator, right?

03:31.560 --> 03:38.520
If we want to separate or to look within the program for a specific separator within it.

03:38.550 --> 03:38.790
Right.

03:38.820 --> 03:46.050
Maybe, maybe we're keen to understand that I could do strings, I can do a -s, or a switch s, and then

03:46.050 --> 03:49.440
I can provide brackets like this if I wanted to.

03:49.470 --> 03:51.840
And then Minecraft.deb just like that.

03:51.840 --> 03:57.810
And you can see here that it's providing me all those juicy brackets, or spaces I should say, the

03:57.810 --> 04:00.390
custom separators associated with it.

04:00.390 --> 04:01.770
Now it doesn't have to be brackets, right?

04:01.770 --> 04:08.730
I could do, instead of brackets, I could do, well, do that.

04:08.760 --> 04:09.510
Right.

04:10.620 --> 04:15.360
And again you can see here that it's providing me those custom separators, okay?

04:15.390 --> 04:21.150
So those are the three that I really wanted to show you, to really kind of look at it. Now, CySA

04:21.180 --> 04:25.140
Plus, they're not going to ask you to go through and start typing in these commands.

04:25.170 --> 04:25.710
Right.

04:25.710 --> 04:30.120
But it would be a good idea to understand the basics of the three that I showed you.

04:30.120 --> 04:35.670
And to understand what strings is actually trying to accomplish, which, if you don't remember,

04:35.700 --> 04:41.310
strings is looking for data within a binary, or, it's more appropriate,

04:41.310 --> 04:45.750
it's looking for bits, bits within data, right?

04:45.780 --> 04:49.950
Specifically within binary or within executable files.

04:49.980 --> 04:50.400
Right.

04:50.400 --> 04:52.620
And that's all we're trying to accomplish with that.

04:52.650 --> 04:52.950
Right.

04:52.980 --> 04:54.480
So that's strings.

04:54.570 --> 04:56.910
Uh, we will see you next time. Thanks.
