PURPOSE OPERATION OPTIONS COMMAND_LINES
NOTE:
Notice this program was written circa 2004. It's almost as old as I am. That being said, to make sure you
are comfortable with it under WIN10, etc., you should do extensive testing to see if it produces the
results you are expecting, especially when testing for a wiped drive.
NT_SS is designed to run under the NT operating system (which includes all current versions of W2K, XP, and NT4). NT_SS will search a disk at the physical (sector) level to determine if specific strings are found anywhere on the disk.
Every effort was made in making NT_SS look and feel like its older DOS version SS.exe. Any options that are found in NT_SS that are applicable will operate similarly to the same option in SS.exe. Some options have been deleted from NT_SS for speed and obsolescence.
NT_SS searches the entire physical disk, and as it finds the strings on the disk, it writes information to an output file identifying the sector number which contains the string. Sector numbers and offsets reported all count from 0, so the first sector on the disk is considered sector 0.
NT_SS searches large blocks of sectors (entire cylinders, usually a logical 255 heads) of the disk for the strings in the list provided (-s option). When a hit is found, the information as to the sector where the data was found is written to the output file. In addition, a default of 80 characters of surrounding text is placed in the output record. This is to allow the reviewer to determine if a further examination of the data is necessary. By default, any unprintable hex characters (<0x20, >0x7f) are represented by the traditional dot (.) replacement character. The true hex value may be maintained by using the -g (graphic) option.
The -m (max length) option adjusts the amount of surrounding text. This option (-m #) is identical to the one found in the strsrch program. In fact, the output line looks almost identical in both programs, which makes merging the output very easy.
Advantages of NT_SS.
If the argument you provide on the command line with -s (string file) is not a file, the program assumes this one word is the string you are looking for, again similar to the strsrch program's -s option.
The NT_SS program is also designed (-h option) to be able to only check the first bytes of each sector for the signatures. This check is performed if the string file has headers associated with file types. Since file headers are generally presumed to be in the first X bytes of a file, and the file begins at a sector boundary, the output should list all the starting sectors of files whose headers match the search strings. This is very dependent on an accurate string file being provided to the program.
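The search behaviour described above (sector and offset counted from 0, -m #[CLR] context placement, dot versus -g hex rendering, and the -h header-only check), as an added example written for this page and not the NT_SS program's code. It scans a constructed in-memory disk image in large blocks and reports every case-insensitive hit. The 512-byte sector size, the 16-byte header window used for -h, the overlap handling at block boundaries and all function names are assumptions of this example.

```python
"""Sector-level string search modelled on the NT_SS behaviour described above.

Added example, not the NT_SS program's code.  It scans a raw disk image (here a
constructed in-memory image) in large blocks, reports each hit as a sector
number and offset counted from 0, and renders surrounding text the way the
-m #[CLR], -g and -h options are described.  The 512-byte sector size, the
16-byte header window for -h and all function names are assumptions.
"""
SECTOR = 512
CYLINDER = 255 * 63 * SECTOR  # one logical cylinder (255 heads x 63 sectors), NT_SS's read unit


def render(data: bytes, graphic: bool = False) -> str:
    """Without -g unprintables (<0x20, >0x7f) become '.'; with -g they are shown as \\xNN."""
    return "".join(chr(b) if 0x20 <= b <= 0x7F else (f"\\x{b:02X}" if graphic else ".")
                   for b in data)


def context(image: bytes, pos: int, slen: int, width: int, place: str) -> bytes:
    """`width` bytes around the hit at `pos`, hit placed Center (default), Left or Right."""
    if place == "L":
        start = pos
    elif place == "R":
        start = pos + slen - width
    else:
        start = pos - (width - slen) // 2
    start = max(0, min(start, len(image) - width))  # clamp at the ends of the disk
    return image[start:start + width]


def search(image: bytes, strings, width=80, place="C", graphic=False,
           headers=False, header_len=16, block=CYLINDER):
    """Return [(sector, offset, string_label, rendered_context)] for every case-insensitive hit.

    Each block is read with an overlap of (longest string - 1) bytes so a hit that
    straddles a block boundary is still found, and reported exactly once.  With
    headers=True (-h) only strings lying wholly inside the first header_len bytes
    of a sector are reported (assumed interpretation of "first X characters").
    """
    needles = []
    for s in strings:
        raw = s.encode("latin-1") if isinstance(s, str) else bytes(s)
        needles.append((render(raw, graphic=True), raw.lower()))  # label, ASCII-folded bytes
    overlap = max(len(n) for _, n in needles) - 1
    hits = []
    for base in range(0, len(image), block):
        chunk = image[base:base + block + overlap].lower()  # ASCII case folding only
        for label, needle in needles:
            i = chunk.find(needle)
            while i != -1 and i < block:  # hits starting inside the overlap belong to the next block
                pos = base + i
                sector, offset = divmod(pos, SECTOR)
                if not headers or offset + len(needle) <= header_len:
                    ctx = context(image, pos, len(needle), width, place)
                    hits.append((sector, offset, label, render(ctx, graphic)))
                i = chunk.find(needle, i + 1)
    hits.sort(key=lambda h: (h[0], h[1]))
    return hits


def wide_line(hit, delim="|") -> str:
    """-w style single-line record, fields joined by the -d delimiter."""
    sector, offset, label, ctx = hit
    return delim.join([str(sector), str(offset), label, ctx])


def build_image() -> bytes:
    """Constructed 10-sector image: zeros plus a few planted strings."""
    img = bytearray(SECTOR * 10)
    img[0:8] = b"\x89PNG\r\n\x1a\n"                        # file header at the start of sector 0
    img[3 * SECTOR + 100:3 * SECTOR + 108] = b"PASSWORD"   # mid-sector hit in sector 3
    img[5 * SECTOR - 4:5 * SECTOR + 4] = b"password"       # straddles the sector 4/5 boundary
    img[7 * SECTOR:7 * SECTOR + 8] = b"\x89PNG\r\n\x1a\n"  # second header, sector 7
    return bytes(img)


if __name__ == "__main__":
    # block=SECTOR forces the sector 4/5 straddle onto a block boundary to show the overlap works
    for hit in search(build_image(), ["password", b"\x89PNG"], block=SECTOR, place="L"):
        print(wide_line(hit))
```

Running it with headers=True returns only the two hits at offset 0 (the planted file headers), which is the -h effect the text describes: the mid-sector "PASSWORD" and the straddling "password" are dropped as false hits for header carving.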
You will notice that when it starts, there is a message/process where it attempts to determine the actual number of sectors on a drive, with a message like:
OS reported 123,716,565 sectors on drive.
Finding total sectors.
Actual sectors on drive: 123,994,049
(Formatting added for clarity.)
Options are ordered in alphabetical order.
-b + #: Start processing at sector number #. Sector numbering starts at 0. (-b 10000)
-d + delimiter: Use delimiter as a field delimiter between information in the output record. This option can be used only in conjunction with the -w (wide) option. If using the pipe symbol (|) as delimiter, it must be quoted on the command line. -d "|"
-i + drive to search: Must be A or B for floppy drives, and physical drive 0 thru 9 for hard disks. Use the -G option to determine the correct drive number of the target. sample: -i 0, or -i x where x is a drive number.
-g: show all unprintable characters in output records as true hex values. Default is to replace the unprintable with a dot (.).
-G XX: Replace the XX with a drive number, 0-xx. It will display the parameters of the particular drive. Prior to WIN10, a -G without a number would show the physical parameters of all drives. But WIN10, in its infinite wisdom, wouldn't perform as designed, so you need a drive number. The operating system disk management program (generally found under administrative tools) should show the drive numbers to confirm that the xx you use is the correct one. Then use that drive number with the -i option. -G 0
-h: the strings in the string file are considered to be file headers. This option causes NT_SS to only look at the first X characters of every sector. It eliminates false hits where the strings might be located within the sector and not at the beginning. The locations of these sectors can later be used to carve out enough sectors to complete a file.
-L + logfile: A name of the logfile to print some accounting information to.
-m + #[CLR]: replace # with a new width of how many characters are to be contained in the output line. There is no max to this value, but if you use greater than 1024 you may experience some problems. The # value can be followed by one of the following upper case letters [CLR]. The "string" that is hit will therefore be placed in the 'C'enter, 'L'eft or 'R'ight side of the output record. This helps in viewing and further analysis of the output data. Center is the default. (sample: -m 80L, -m 80, -m 80R). If using the -h option, it is suggested the 'L' option be used for clarity in viewing the output.
-n: 'N'o delay to start the program. Default is that program waits 10 seconds before running. This built in delay allows the user to abort if the wrong drive was selected. The -n causes the program to start immediately without this delay.
-oO + output: (optional output file.) If no -o option is used, output is to the CONsole (screen). The output is placed into the file named by output. The uppercase O automatically initiates the append option. The -o output option has been tested to a UNC output file and worked acceptably. It has not been tested on a UNC/$ hidden share. It is the user's responsibility to check this capability before using it in a production run. -o outputfilename.txt
-R: 'R'everse search criteria. Only one character (string) can be in the string list. This single string contains the decimal representation of the character we are looking for. For instance, if you were searching for a hex 00, then the string would be 0. If you were searching for the upper case ‘A’ character, then you would use the decimal value of 65 for that. During the search, the program stops when it finds anything "EXCEPT" what is in the string list. (Possibly use this to confirm that a disk wiping program in fact put all XX's on the drive). Use this with a string file containing the single value 0, etc. to see if a drive is fully wiped. The 0 in the string file will be converted to a hex 0, and the program will stop when it finds anything except a hex 00.
-s + filename: containing strings to search for. Place the -s and follow it with the name of the file containing the strings you wish to search for. Each string cannot be longer than the number of characters located on one track of the disk, but be reasonable. Try to keep the strings no longer than 40 characters each. They should be one to a line, and the file should be created using an ASCII (text) editor, not a word processor, because word processors add extra unreadable characters to the file. The strings can be upper or lower case. The search is done independent of case. If no file by filename exists, the program assumes the word after the -s is the only string to search for, and proceeds under that assumption. -s strings_file, or -s 0 (see -s 0 -R below)
-s 0 -R: Special -s option for testing if a drive is wiped with all 0's. This section of the command line is preferred for this test.
-Ww: Make the output a single Wide line instead of the traditional two-line output. Use this if you want to import the output into a database. -W also eliminates the header from the output; -w only produces single-line output, with headers.
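The -R reverse search as described above for the -s 0 -R wipe check (stop at the first sector holding anything EXCEPT the single expected byte value, honouring a -b start sector), as an added example written for this page and not NT_SS code. The 512-byte sector size, the block size and all names are assumptions; the constructed image mirrors the sample run below, with a stray 0x33 byte in sector 1.

```python
"""Reverse search (-R) as NT_SS describes it: stop at the first sector holding
anything EXCEPT the one expected byte value, which is how a wiped drive is
verified (-s 0 -R).  Added example, not NT_SS code; the 512-byte sector size
and all names are assumptions.
"""
SECTOR = 512


def reverse_search(image: bytes, expected: int = 0, start_sector: int = 0,
                   block_sectors: int = 255 * 63):
    """Return (sector, offset, value) of the first byte != expected at or after
    start_sector (the -b option), or None when every remaining byte matches.

    `expected` is the decimal value from the string file: 0 for hex 00, 65 for 'A'.
    """
    if not 0 <= expected <= 255:
        raise ValueError("expected must be a single byte value 0-255")
    pattern = bytes([expected])
    block = block_sectors * SECTOR
    for base in range(start_sector * SECTOR, len(image), block):
        chunk = image[base:base + block]
        # lstrip drops the leading run of expected bytes; whatever remains starts
        # at the first deviation, so a fully wiped block costs a single fast pass.
        rest = chunk.lstrip(pattern)
        if rest:
            pos = base + len(chunk) - len(rest)
            sector, offset = divmod(pos, SECTOR)
            return sector, offset, rest[0]
    return None


def report(result, expected: int = 0) -> str:
    """Render the result in the style of NT_SS's own status line."""
    if result is None:
        return f"Total Hits: 0  (every byte checked was 0X{expected:02X})"
    sector, offset, value = result
    return (f"At sector {sector} offset {offset} found a hex 0X{value:02X}, "
            f"instead of 0X{expected:02X}")


def build_image() -> bytes:
    """Constructed 20-sector 'wiped' image with one stray byte at the start of sector 1."""
    img = bytearray(SECTOR * 20)
    img[1 * SECTOR] = 0x33
    return bytes(img)


if __name__ == "__main__":
    img = build_image()
    print(report(reverse_search(img, 0), 0))                  # stops at sector 1
    print(report(reverse_search(img, 0, start_sector=2), 0))  # clean from sector 2 on
```

A wipe verdict is only as good as the range scanned: the check above reads to the end of the image it is given, which is why NT_SS probes for the actual sector count rather than trusting the OS-reported figure (see the start-up message earlier on this page), and why the note at the top asks for extensive testing before relying on it under newer Windows versions.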
Command line format:
C:>nt_ss -i 0 -s filename -o outputfile [additional options]
C:>nt_ss -i 0 -s filename -o output -m 124 -w
Remember, the -i and -s options are REQUIRED.
The -o option is optional.
Sample run (reverse search):
Creating CON (this means the output will go to the CONsole, not a file)
Input Drive: \\.\PHYSICALDRIVE3
Parameters: Removable media:
CHS: 7701-255-63   63,342,881,280 Bytes   63.2 Gig
Part #:  Type:               Boot  Hidden   Start sector:  Length (in sectors)
1        07/NTFS/OS2 HPFS    NO    223872   223,872        123,508,096
OS reported 123716565 sectors on drive.
Finding total sectors.
Actual sectors on drive: 123994049
OS Reported sectors: 123,716,565, Actual sectors: 123,994,049 diff: 277484
Sectors Processed   Hits:   Time Remaining
At sector 1 (from 1) found a hex 0X33, instead of 0X00
Reverse Search option used
Total Hits: 0