Mac Forensics – Automator Love – Make a Dictionary

I really love Automator on the Mac. It makes it easy to set up scripts you can run again later. More importantly, it lets you write a script solution that is point-and-click for someone else when they need help.

I had an email from a Detective who does forensics work on child exploitation cases. He wanted a simple way to build a dictionary from a selection of folders and files. He wanted to use that dictionary with my crowbar tools to go after a FileVault volume from a Mac.

Here is what I did.

You can see in the Automator workflow below what I did for the Detective. We just stack the Finder selection and Get Folder Contents actions on top of a simple shell script. Granted, it is quick and dirty because we hard-code the output file name, but that is OK; he can rename the file once it is made. We send the entire list of selected files to the script as arguments. Next we use tr (translate) to turn the spaces on each line into newline characters, which breaks multi-word lines into individual passwords on separate lines. Then we sort the output and, last, pipe it through uniq to shrink the final dictionary by removing duplicates. That's it. You can seriously help other forensics folks quickly by using Automator to hand off your knowledge.
[Screenshot: StringsDump-Automator-1, the Automator workflow described above]
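The same pipeline as a plain shell function, added here as an example; it is not the post's Automator workflow and has nothing to do with the crowbar tools themselves. It assumes the function receives files or folders as arguments (the way the Finder actions hand them over), that the output path is hard-coded through DICT_OUT as in the post, and it folds the strings dump into tr so it runs on any file type without extra tools.

```shell
#!/bin/sh
# Added example, not the post's Automator workflow or the crowbar tools.
# Rebuilds the described pipeline as a shell function: dump printable text
# from every selected file, one word per line, then sort | uniq.
# Assumption: the output file name is hard-coded (as in the post) via DICT_OUT.
DICT_OUT="${DICT_OUT:-/tmp/dictionary.txt}"

build_dictionary() {
    # "$@" is the list of files and folders the Finder actions hand over.
    [ "$#" -gt 0 ] || { echo "usage: build_dictionary FILE_OR_DIR..." >&2; return 1; }
    # LC_ALL=C so [:graph:] means printable ASCII regardless of the user's locale.
    # find ... -exec cat/echo: read every regular file, adding a newline after
    #   each so the last word of one file never glues onto the first of the next.
    # tr -cs '[:graph:]' '\n': every run of spaces, tabs, newlines or binary
    #   bytes becomes one line break (the post's "translate spaces to newlines",
    #   with the strings dump folded in so it also works on non-text files).
    # sed '/^$/d': drop the empty line tr emits if a file starts with whitespace.
    # sort | uniq: remove duplicates, as in the post.
    LC_ALL=C find "$@" -type f -exec cat {} \; -exec echo \; 2>/dev/null \
        | LC_ALL=C tr -cs '[:graph:]' '\n' \
        | sed '/^$/d' \
        | LC_ALL=C sort \
        | uniq > "$DICT_OUT"
    # Return the number of candidate entries written, so the caller can see
    # how much the uniq step shrank the list.
    wc -l < "$DICT_OUT" | tr -d ' '
}
```

Call it as `build_dictionary /path/to/folder file1.txt ...`; the count it prints is the number of unique entries in DICT_OUT. Because a real strings dump has no minimum word length here, the output also contains one- and two-character fragments, which is the trade-off for keeping the script dependency-free.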

2 Replies to “Mac Forensics – Automator Love – Make a Dictionary”

  1. Pardon me for not fully understanding how your Crowbar tools try the dictionary words.

    Must the specific password appear as a dictionary entry?

    Example:
    The input dictionary contains the following entries:
    alpha
    bravo
    charlie
    The password (the target item) is ‘alphacharlie’.
    Will the password be discovered by crowbar?

  2. No, crowbar just takes the text file as is. You need to build your dictionary with all the permutations you need before you use the file with crowbar. The tool is not a dictionary generator; it just uses whatever file you feed it.
