Sunday 16 September 2012

Executable File Searching Techniques

Following are the steps to perform an executable file search when no installer evidence or known file evidence is found:


1)    Search for a String Recursively and Redirect it to File:
•    Recursively search for a string in all the files and redirect the output to a file.

Syntax:
              grep -ir "<pattern>" <PATH> > <FileName>

Options:
•    i: Ignore case
•    r: Recursive search

Example:

          grep -ir "bpa\|suite\|analysis" * > filelist.tmp


2)    File and strings search:
•    Search for a string in the contents of the file, then drop the lines that match a second pattern.

         Syntax:
                      grep -i "<pattern>" <filename> | grep -v "<pattern>"

         Options:
•    v: Invert the match (exclude lines containing these strings)

         Example:

          grep -i "bpa\|suite\|analysis" filelist.tmp | grep -v ".jar\|.html\|.doc\|.xml\|man1\|txt\|.loc"

3)    Search for Executables from desired path:
•    Lists all the executable files under the given path.

         Syntax:
         find <path> -type f -perm 0755 -a ! -name "<pattern>"

         Options:
•    type    : Type of file to search for (a regular file or a directory)
•    perm    : Permissions of the file
•    a       : AND condition
•    !       : NOT operator
•    name    : Name of the file

         Example:

         find . -type f -perm 0755 -a ! -name "java" -a ! -name "*.msb" -a ! -name "*.qm" -a ! -name "*.sh" -a ! -name "*.jar"
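The three steps above chained into one script, as an added example that is not part of the original post. It builds a small constructed directory tree in a temp directory (the layout, file names and the "bpa"/"suite"/"analysis" keywords are assumptions for illustration, not a real product's footprint), then runs the recursive string search, the noise filter and the executable search over it, so the procedure can be tried offline before pointing it at a real host.

```shell
#!/bin/sh
# Added example, not from the original post: the three search steps run
# against a constructed sample tree. Layout and keywords are assumptions.

# Build a constructed sample tree in a temp directory and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/opt/bpa/bin" "$d/opt/bpa/docs" "$d/usr/share/man/man1"
    printf '#!/bin/sh\necho "BPA Suite analysis engine"\n' > "$d/opt/bpa/bin/bpa-run"
    chmod 0755 "$d/opt/bpa/bin/bpa-run"        # the executable we want to find
    printf 'analysis helper script\n' > "$d/opt/bpa/bin/helper.sh"
    chmod 0755 "$d/opt/bpa/bin/helper.sh"      # executable, but excluded by name in step 3
    printf 'BPA Suite installation guide\n' > "$d/opt/bpa/docs/guide.html"   # noise for step 2
    printf 'BPA man page\n' > "$d/usr/share/man/man1/bpa.1"                  # noise for step 2
    printf 'unrelated data\n' > "$d/opt/bpa/bin/other"
    chmod 0644 "$d/opt/bpa/bin/other"          # not executable, no keyword
    printf '%s\n' "$d"
}

# Step 1: recursive, case-insensitive search for the keywords, redirected to a list file.
# -E with "|" is used instead of the GNU-only "\|" so the command also works on BSD grep.
step1_string_search() {
    root=$1; out=$2
    grep -irE 'bpa|suite|analysis' "$root" > "$out" || true   # grep exits 1 when nothing matches
}

# Step 2: re-read the list and drop documentation, man pages and other non-binary hits.
# Dots are escaped so ".doc" does not also match any character followed by "doc".
step2_filter_noise() {
    grep -iE 'bpa|suite|analysis' "$1" | grep -vE '\.jar|\.html|\.doc|\.xml|man1|txt|\.loc' || true
}

# Step 3: list regular files with mode 0755 under the path, excluding known non-executables.
step3_find_executables() {
    find "$1" -type f -perm 0755 -a ! -name "*.sh" -a ! -name "*.jar" -a ! -name "*.msb"
}

# Run the whole procedure once against the sample tree and clean up.
demo() {
    root=$(make_sample_tree)
    list=$(mktemp)
    step1_string_search "$root" "$list"
    echo "== step 2: keyword hits after filtering =="
    step2_filter_noise "$list"
    echo "== step 3: executables =="
    step3_find_executables "$root"
    rm -rf "$root" "$list"
}

demo
```

Two caveats worth keeping in mind when running this for real: `-perm 0755` matches only files whose mode is exactly 0755, so a binary installed as 0750 or 0700 is missed; `-perm -u+x` (any file executable by its owner) is the broader check. Likewise, the `-v` exclusion list is matched against the whole `path:line` output of step 1, so a short pattern such as `txt` will also drop a file whose directory name happens to contain it.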
