Eric Zimmerman keeps developing amazing digital forensic tools. In the new version of his bstrings tool the following switches have been added:
- ar: ASCII character range. This should be specified as a regular expression, such as [\x20-\x7E];
- ur: Unicode character range. This should be specified as a regular expression, such as [\u0020-\u007E];
- mask: When used with the -d switch, allows for specifying a wildcard (* and ? are supported), so you can do something like -d C:\windows\system32 --mask "*.dll";
- cp: The identifier of the codepage to use. 1252 is the default, but if you really wanted to search for IBM EBCDIC Turkish encoded strings, you can do --cp 20905 and go crazy.
You can read more about these switches here and download the tool here.
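What the character range and code page switches change in practice, as an added Python illustration (not bstrings' own code and not part of the original post). It uses Python's cp1026 codec (EBCDIC Turkish, Latin 5) as a stand-in for code page 20905; the function names, the minimum length of 3 and the sample buffers are assumptions constructed for the example.

```python
import re

def extract_strings(data, codepage="cp1252", char_range=r"[\x20-\x7E]", min_len=3):
    """Decode single-byte data with `codepage`, then return every run of at
    least `min_len` characters that fall inside the regex class `char_range`."""
    text = data.decode(codepage, errors="replace")
    return re.findall(f"(?:{char_range}){{{min_len},}}", text)

def extract_unicode_strings(data, char_range=r"[\u0020-\u007E]", min_len=3):
    """Same idea for UTF-16LE. Both byte alignments are tried, because a string
    inside a raw buffer is not guaranteed to start on an even offset."""
    hits = []
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="replace")
        hits += re.findall(f"(?:{char_range}){{{min_len},}}", text)
    return hits

# Constructed sample buffer: one ASCII string, one EBCDIC string and one
# UTF-16LE string (starting on an odd offset), separated by NUL bytes.
SAMPLE = (b"\x00\x00" + b"kernel32.dll" + b"\x00"
          + "Merhaba".encode("cp1026") + b"\x00"
          + "secret.txt".encode("utf-16-le") + b"\x00\x00")

# Constructed sample: a cp1252 string containing a non-ASCII letter (u-umlaut).
ACCENTED = b"\x00" + "Z\u00fcrich".encode("cp1252") + b"\x00"

if __name__ == "__main__":
    # Default code page and range: only the plain ASCII string is found.
    print(extract_strings(SAMPLE))
    # Switching the code page reveals the EBCDIC string instead.
    print(extract_strings(SAMPLE, codepage="cp1026"))
    # UTF-16LE pass with the default Unicode range.
    print(extract_unicode_strings(SAMPLE))
    # The default range splits the accented word; a wider range keeps it whole.
    print(extract_strings(ACCENTED))
    print(extract_strings(ACCENTED, char_range=r"[\x20-\x7E\xC0-\xFF]"))
```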