Using dd to search for strings in memory or devices

Posted in security

In a page on wiki.linuxquestions.org I read an example that lets you search an entire partition, device, or other input for a string. You might use this when you know what string you are looking for but can no longer log in to the machine because you forgot the password. Because dd reads raw bytes from the device rather than going through the filesystem, it works the same on ext3, NTFS, FAT and so on. Don't do this on someone else's machine without permission!

# dd if=/dev/mem | hexdump -C | grep "string to search for"

The problem is that hexdump -C prints 16 bytes per line, with the ASCII rendering of those 16 bytes between pipes at the end of the line and non-printable bytes shown as periods. A string longer than 16 characters, or any string that happens to straddle a 16-byte boundary, is split across two lines, so grep never sees it whole. To find anything longer than a fragment you have to strip the offsets, hex and pipes and concatenate the ASCII columns back together before searching.

I found this works better:

# dd if=/dev/mem | hexdump -C | sed -e 's/.* |//' -e 's/|$//' | awk '{printf "%s", $0 }' | sed 's/\.\.\.\./\.\.\.\.\n/g'

The last sed is optional. Without it, everything comes out as one long line. My memory contents contained tons of periods (each one stands for a non-printable byte), so I used a run of four periods as the line break; you could break at a specific string instead. Two things to be aware of: hexdump collapses runs of identical 16-byte lines into a single "*" line, so add -v if you want every byte represented in the output, and the \n in the final sed replacement is a GNU sed extension that BSD sed does not understand.
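As an added, runnable illustration of the line-boundary problem described above (this is not from the original post, and it uses a constructed sample file in place of /dev/mem), the following script places a 20-character string so that it straddles a 16-byte hexdump line, shows that grepping the dump directly misses it, and then searches the reassembled ASCII column instead. It assumes hexdump -C output in the usual form: offset, hex bytes, two spaces, then the ASCII column between pipes. Because the joined column has exactly one character per input byte, the position of a match in it is also the byte offset of the match in the input, which the original pipeline throws away.

```shell
# Added example, not from the original post. A constructed sample file stands in
# for /dev/mem; the target string is placed so it spans a 16-byte hexdump line.
# Assumes hexdump -C prints offset, hex bytes, two spaces, then |ascii column|.

# Constructed sample: 10 filler bytes, the target string, then some binary padding.
make_sample() {
    f=$(mktemp "${TMPDIR:-/tmp}/memsearch.XXXXXX")
    printf 'AAAAAAAAAA' > "$f"
    printf 'SECRET_PASSWORD_HERE' >> "$f"
    printf '\000\000\001\002\377\376BBBBBBBBBBBBBBBB' >> "$f"
    echo "$f"
}

# The post's first approach: grep the hexdump lines directly.
# Prints the number of matching lines; 0 when the string is split across lines.
naive_search() {
    hexdump -C "$1" | grep -c -- "$2" || true
}

# Reassembled ASCII column: keep only the text between the pipes of each line
# (the offset-only last line has no pipes and is dropped), then join everything
# into one line. -v stops hexdump from collapsing repeated lines into "*", which
# would otherwise break the one-character-per-byte correspondence.
ascii_column() {
    hexdump -v -C "$1" \
        | sed -n 's/.*  |\(.*\)|$/\1/p' \
        | awk '{ printf "%s", $0 } END { print "" }'
}

# Search the joined column. Non-printable bytes appear as "." in the column, and
# grep treats "." as "any character", so a pattern may include them as wildcards.
reassembled_search() {
    ascii_column "$1" | grep -c -- "$2" || true
}

# One character per input byte means the (fixed-string) match position in the
# joined column is the byte offset of the match in the input; prints the first.
match_offset() {
    ascii_column "$1" | awk -v pat="$2" '{ i = index($0, pat); if (i) { print i - 1; exit } }'
}

# Usage:
# f=$(make_sample)
# naive_search "$f" SECRET_PASSWORD_HERE        # 0: dump shows ...SECRET| then |_PASSWORD_HERE...
# reassembled_search "$f" SECRET_PASSWORD_HERE  # 1
# match_offset "$f" SECRET_PASSWORD_HERE        # 10
# rm -f "$f"
```

To run it against a real device instead of the sample, pass the device path as the first argument (for example /dev/sda1 rather than /dev/mem, which recent kernels restrict as the comment below notes). The awk index() is used for the offset rather than grep -b so that the search term is taken literally and the script stays within POSIX tools.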

If you want to search more interactively, pipe the result to less and use its / search to jump from one match to the next throughout the contents.

f....
....
t..$....
p.q.p....
....
f.KW3Sf... .$.."....
..Virtual Appliance boot failed....
Continuing with normal boot sequence...Error Code: .A configuration change was requested to ena
ble VT, TxT, TPM, and VA... Press Y to accept or N to reject the change request....
.w..h@..h....
....
.=..t.j..f..|....
j..f....
.h...f..<....
....
Posted by admica   @   6 May 2009


1 Comment

Comments
Apr 27, 2011
7:36 am
#1 Alex :

on kernel 2.6.35.11-83.fc14.x86_64 this does not work:
$ export LANG=C ;sudo dd if=/dev/mem | hexdump -C | grep "8888"
dd: reading `/dev/mem': Operation not permitted

