THC-ManipulateData can search data on a harddisk/partition/file, extract the part you are interested in, and write it back after you modified it.
Useful to find and modify really all unencrypted Logfiles on a system. Does everything in RAW mode, and hence does not tamper a/m/ctimes.
It comes with 4 tools:
Syntax of search_data: ./search_data [-i] [-d] blockdevice searchstring
-i - the only parameter which is optional. This does the
search case insensitive.
-d - dump the found occasions in hex
blockdevice - a blockdevice you want to search for data. It need
not to be a blockdevice, it can be anything, but normaly
you use it on these.
searchstring - a string you want to search for
The blockdevice is searched for the occurance of searchstring, which are printed with location when found.
Example: ./search_data -i /dev/hda3 "connect from 10.0.0.1"
Output looks like:
found at 234600: connect from 10.0.0.1/unresolved (UNKNOWN)
Syntax of read_data: ./read_data blockdevice start_address no_of_bytes
blockdevice - a blockdevice you want to get your data from. It need not to be a blockdevice, it can be anything, but normaly you use it on these.
start_address - from which offset of the blockdevice you want to extract data from
no_of_bytes - how many bytes of data starting at the start_address you want to extract in a file.
The output filename is always START_ADDRESS.NO_OF_BYTES
Example: ./read_data /dev/hda3 234653 1024
writes 1024 bytes of data from /dev/hda3 starting from offset 234653 to the file "234653.1024"
Syntax of write_data: ./write_data blockdevice filename
blockdevice - a blockdevice you want to write your data to. It need not to be a blockdevice, it can be anything, but normaly you use it on these.
filename - the data you want to write to the blockdevice. For error protection, the location where it is put it gathered from the filename - as you can see above from read_data. If you modified the data extracted with read_data into the file, it may not have a different size than defined in the filename! The data in filename is written to the blockdevice
Example: ./write_data /dev/hda3 234653.1024
writes 1024 bytes of data to /dev/hda3 starting at offset 234653 with the
data read from the file "234653.1024"
Syntax of replace_data: ./replace_data [-i] blockdevice searchstring replacestring
-i - the only parameter which is optional. This does the search case insensitive.
blockdevice - a blockdevice you want to search for data. It need not to be a blockdevice, it can be anything, but normaly you use it on these.
searchstring - a string you want to search for
replacestring - the string you want to replace the found entries with
The blockdevice is searched for the occurance of searchstring, and is then replaced.
Example: ./replace_data -i /dev/hda3 "connect from 1.0.0.1" "Remap table failure "
Output looks like:
found at 234600 - replaced
What's New in This Release:
· fixed a bug in read/write_data, seeks over 2gb now succeed
· added -d for hexdump display of occasions found in search_data
Product's homepage
Find us on Google+
