How it works...

To begin with, we highlight two important aspects of the strings command, much as we did in the previous recipe. Firstly, the help menu offers a look into the various command-line arguments we can pass to strings. Secondly, the man page expands upon the help menu by providing additional information for each argument we can give to strings. Notice the warning for the -d argument, which points out that the library this argument relies on may contain security flaws. This is a great warning for us during our analysis, and one we should keep in mind when analyzing unknown binaries on our hosts that may have malicious intent or functionality.

In step 3, we run through various arguments with strings. The first command uses the default configuration, which is the same as using the -a or --all argument. This default argument on our virtual machines tells the strings command to scan the whole file for any printable characters. Most of the time, this will serve us well, especially because it doesn't rely on specific libraries that may contain vulnerabilities.

Next, we pass the -d argument to strings, which outputs only the strings found in the initialized data sections of the scanned file. Note the warning on using this option, since it relies on a library that could contain vulnerabilities. We should use this argument only in situations where we're analyzing binaries we inherently trust, such as binaries from an internal development team within our own organization. Avoid the -d argument and the equivalent --data argument when analyzing potentially malicious or unknown binaries.

Continuing on to the next command, we see the addition of the -n argument, which tells strings to output only identified strings of at least a given character length. In our case, we are looking for strings with a minimum of four characters. This argument can be useful for filtering the output further if there is just too much to manually review. It should be obvious that using this argument may mean we miss some important strings in the output, so it is best used once you are sure you won't lose anything important by applying it.

Next, we append the -f argument, which displays the filename in our output before each identified string. This can be useful when analyzing several files at once. For the second to last command, we append the -s argument, along with the character to use as the output separator. This argument helps us format our output as needed, depending on our analysis requirements. For example, this option is useful when we plan to automate the use of strings and pipe the output of its analysis into a file for later review. Finally, we append the -t argument with the x option, which tells strings we want to display the offset of each string in hexadecimal notation next to the identified printable characters. This offset location can aid us in later phases of our binary analysis methodology.
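To make the behaviour of these arguments concrete without depending on a particular binutils build, here is an added example (not code from the book) that reimplements the whole-file scan in pure Python and renders the output the way -n, -f, -t x and -s shape it. The sample byte blob and the helper names (find_strings, render, lost_by_min_len) are constructed for this example. The -d section-only scan is deliberately not reproduced: it requires parsing the file's section headers, which is exactly the format-parsing code the man page warning refers to, whereas a whole-file scan needs no knowledge of the file format at all.

```python
"""Pure-Python model of the strings options discussed above.

find_strings() scans every byte of its input (like strings -a), so it
never parses ELF/PE section tables and has no format-specific attack surface.
render() mimics the -f / -t x / -s output shaping.
"""

# Bytes GNU strings treats as printable for ASCII input: 0x20-0x7e plus tab.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def find_strings(data: bytes, min_len: int = 4):
    """Return [(offset, text), ...] for every run of >= min_len printable bytes.

    A run ends at the first non-printable byte or at end of data, exactly the
    rule a whole-file scan applies. min_len models the -n argument.
    """
    found = []
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


def render(found, filename=None, radix=None, separator="\n"):
    """Shape the output like strings -f (filename), -t x|d|o (offset) and -s.

    GNU strings prints the separator after every record, so the result ends
    with one; a 7-wide offset column matches its default formatting.
    """
    fmt = {"x": "{:7x} ", "d": "{:7d} ", "o": "{:7o} "}.get(radix, "")
    out = []
    for offset, text in found:
        prefix = f"{filename}: " if filename else ""
        out.append(prefix + fmt.format(offset) + text + separator)
    return "".join(out)


def lost_by_min_len(data: bytes, loose: int, strict: int):
    """Strings reported at min length `loose` but dropped at `strict`.

    Shows what raising -n costs, which is the trade-off the text warns about.
    """
    return sorted(set(find_strings(data, loose)) - set(find_strings(data, strict)))


# Constructed sample: a fake ELF-looking header, an interpreter path, a few
# short and long strings, and junk bytes between them. Not a real binary.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x01\x02\x03"
    + b"Hello, analyst!\x00"
    + b"ok\x00"
    + b"GCC: (GNU) 12.2.0\x00"
    + b"\xff\xfe"
    + b"config.ini\x00"
)

if __name__ == "__main__":
    # Equivalent of: strings -a -n 4 -f -t x -s '|' sample.bin
    print(render(find_strings(SAMPLE, 4), filename="sample.bin", radix="x", separator="|"))
    print("dropped when raising -n from 2 to 4:", lost_by_min_len(SAMPLE, 2, 4))
```

Running the module prints each string prefixed with the filename and its hexadecimal offset, joined by the chosen separator, and then lists the short strings ("ELF", "ok") that a four-character minimum silently discards. Swapping the separator for a tab or pipe is what makes the output easy to load into a spreadsheet or a later tooling stage, as the text describes.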
