lazarus - create structure from unstructured data

lazarus [ -1bBdhHtT ] [ -D directory ] [ -H directory ] [ -w directory ]
lazarus tries to revive things that have died and gone into the binary
spirit world... deleted files, data in memory, swap, etc.

lazarus reads and examines data, and if the data passes certain
criteria it marks it as a known or unknown block of information and
saves it in a data directory. Saved data blocks can be examined later
with additional tools, or via a browser if lazarus is run with the -h
(HTML) flag.

The output is a set of characters (or HTML color-coded characters, see
lazarus.cf) that correspond to the types of blocks that lazarus sees.
In addition it creates files that contain the data in the $blocks
directory (this value is modified with the -B flag or by changing the
default values in lazarus.cf, the lazarus configuration file).
Consecutive blocks of the same character type mean that lazarus has
seen a run of blocks, which it strings together and stuffs into the
same $blocks/* output file. The initial character of a run will always
be a capital letter (if possible; some types are denoted by punctuation
marks), and follow-up letters in the same run will be lowercase. For
instance, if it outputs "Cc", it means that the first and second blocks
of the data found are suspected to be C programs. A "." represents
unrecognized binary blocks of data.
To keep the output a semi-manageable size, it does a logarithmic
(base 2) compression of the output. The first character represents one
block or less of data, the 2nd from 0-2 blocks, the 3rd 0-4, the fourth
0-8, etc. Blocks are typically, but not always (the size is user
definable), 1024 bytes.
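The run and log-compression rules above, as an added Python example that is not part of lazarus or The Coroner's Toolkit: it builds the summary string from a per-block sequence of type codes and reads a summary back into per-run block-count ranges. It assumes that each successive character of a run covers twice as many blocks as the one before (so k characters cover at most 2^k - 1 blocks) and that adjacent identical punctuation characters belong to one run; neither is spelled out on the page.

```python
from typing import List, Tuple

def run_lengths(block_types: str) -> List[Tuple[str, int]]:
    """Collapse a per-block sequence of lazarus type codes (e.g. "cct..")
    into (type, count) runs of consecutive identical types."""
    runs: List[Tuple[str, int]] = []
    for t in block_types:
        if runs and runs[-1][0] == t:
            runs[-1] = (t, runs[-1][1] + 1)
        else:
            runs.append((t, 1))
    return runs

def chars_for_run(n: int) -> int:
    """Number of characters printed for a run of n blocks under the
    assumed schedule: the k-th character covers up to 2**(k-1) more
    blocks, so k characters cover at most 2**k - 1 blocks."""
    k, covered = 0, 0
    while covered < n:
        covered += 1 << k
        k += 1
    return k

def encode(block_types: str) -> str:
    """Produce the lazarus-style summary: a capital opens each run
    (punctuation has no case), lowercase letters continue it."""
    return "".join(t.upper() + t.lower() * (chars_for_run(n) - 1)
                   for t, n in run_lengths(block_types))

def decode(summary: str) -> List[Tuple[str, int, int]]:
    """Read a summary string back into (type, min_blocks, max_blocks)
    per run; the exact length is lost to the log compression, so only
    a range can be recovered."""
    runs: List[Tuple[str, int]] = []
    for ch in summary:
        t = ch.lower()
        # A capital always opens a run; for punctuation we assume a run
        # continues while the same character repeats (an assumption).
        if ch.isupper() or not runs or runs[-1][0] != t:
            runs.append((t, 1))
        else:
            runs[-1] = (t, runs[-1][1] + 1)
    # k characters mean the run had between 2**(k-1) and 2**k - 1 blocks.
    return [(t, 1 << (k - 1), (1 << k) - 1) for t, k in runs]

if __name__ == "__main__":
    # Constructed per-block classification: one C block, seven text
    # blocks, four unrecognized binary blocks, one ELF block.
    sample = "c" + "t" * 7 + "...." + "e"
    print(encode(sample))           # CTtt...E
    print(decode(encode(sample)))
```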
Typical output might look like:
The colors (corresponding to the Netscape color scheme) and characters
for recognized text and files are kept in the lazarus.cf file, and are:

    type  value   color          meaning
    t     777777  gray           unresolved text
    f     ff0000  bright red     (alarm) sniffer stuff
    m     0066ff  blue           mail
    q     6633ff  pale blue      mailq files
    s     6699ff  purply         emacs/lisp
    p     cc6666  greenish       program file
    c     336666  green          C code
    h     ff99ff  light purple   HTML
    w     cc3333  reddish        password file
    l     cc9900  light brown    log file

Binary files are represented by:

    type  value   color          meaning
    o     bbbbbb  light grey     null block
    r     000000  black          removed block
    x     000000  black          binary exe
    e     d9d9i9  gold           ELF
    i     238e68  greenish       JPG/GIF
    a     d19275  black          cpio/tar/etc
    z     336633  greenish       compressed
    !     000000  black          audio
    -1             process byte-style, one byte at a time, rather than one
                   block of data at a time. Not generally recommended,
                   perhaps useful for looking at memory, etc.
    -b             don't write unrecognized binary data blocks (writes by
                   default)
    -B             don't write ANY binary data blocks (writes by default)
    -d             turn debug on (not recommended ;-))
    -h             emit HTML code rather than ASCII text. It outputs to
                   three files - the data file ($ARGV) + .html, .menu.html,
                   and .frame.html. You generally want to look at the
                   $ARGV.frame.html file (with your browser) initially.
    -H directory   save the HTML frames code in this directory. Only
                   useful with -h.
    -D directory   write the data blocks into this directory name (hey,
                   running out of letters here, cut me slack!)
    -t             don't write unrecognized text data blocks (writes by
                   default)
    -T             don't write ANY text data blocks (writes by default)
    -w directory   use this directory to write all the HTML code.
                   Meaningless unless used with -h!

Distributed under the details found in the COPYRIGHT file found in the
root directory of The Coroner's Toolkit.